Hacker News
by zerebubuth 3141 days ago
Wow! That's really impressive. Seems like a _lot_ of work and ingenuity went into this.

It's great that large, corporate projects like Chrome OS are attracting the sustained attention necessary to find bugs such as this one. But I worry that projects without such deep pockets are crowded out, leaving bugs unreported. Are many people doing security audits of open source projects without bug bounties?

2 comments

Google has been doing something close to bug bounties for many "critical" open source projects. Instead of focusing on bugs, however, the Patch Rewards program focuses on countermeasures: integrating a project into OSS-Fuzz, adding sandboxing, etc.

https://www.google.com/about/appsecurity/patch-rewards/

One avenue for many smaller projects (especially open source libraries) is to become a dependency of a huge project like Chrome. Then the larger project redirects some of its auditing efforts toward your project.