by MarkMc 4572 days ago
Tarsnap has a bug-bounty program [1] which has uncovered numerous bugs, including a critical security bug [2].

It seems to me that offering a bug bounty can significantly improve the security of a system, even when the prize-money is relatively small.

[1] http://www.tarsnap.com/bugbounty.html

[2] http://www.daemonology.net/blog/2011-01-18-tarsnap-critical-...

2 comments

The nonce-increment bug wasn't found as part of the bug bounty program; it was retroactively included when I set up the bug bounty program a few months later.

The difference here is that there's no "fake-world" contest. Tarsnap is asking for a real-world hack of their system.

Telegram, on the other hand, is trying to prove that their algorithm is unbreakable. AES is pretty good too. As is noted in other comments, it's generally the system, not the algorithm, that gets broken.