by gcbw2 3119 days ago
what about this rationale:

> The purpose of the procedure is to provide the European institutions with open source software projects or libraries that have been properly screened for potential vulnerabilities;

I don't think bug bounty is a substitute for certification. And it benefits the most if it is a long run with accumulating rewards.

Making it short term with only one payout will only attract people with automated tools for the initial period. Then code will get "certified" and forgotten. It all seems wrong. Hopefully it is just bad wording on the official PR.

3 comments

> I don't think bug bounty is a substitute for certification.

Neither does the EU: by extending the free software security audit programme (FOSSA)[...]. Meaning: there already is an audit, certification and audit being synonymous for this purpose.

> making it short term

This is a trial run, to be extended later: we are trialing the VLC application on a bug bounty program

> with only one payout

There will be as many payouts as security-relevant bugs are found: Rewards may range from $100 up to $3,000.

> will only attract people with automated tools

This is a private trial, where people with automated tools submitting low-impact bugs will presumably not be invited: We invite hackers and bounty hunters (aka researchers) based on a variety of factors - reputation, previous track record (high quality reports)

> Then code will get "certified" and forgotten.

This is VLC, one of the most-used open source programs. How will code merged into the product be forgotten?

> It all seems wrong.

Indeed...

> Hopefully it is just bad wording on the official PR.

I think the problem is more likely caused by a complete lack of reading skills.

>> I don't think bug bounty is a substitute for certification.

Nor does certification preclude the need for a BB program. These are very different schemes with very different outcomes.

Shouldn't fixing bugs be a prerequisite for being certified?