Xen project Mailing List

Bug Bounty program

To: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Juergen Gross <jgross@xxxxxxxx>

Date: Tue, 2 Nov 2021 17:10:16 +0100

Cc: "Xen.org security team" <security@xxxxxxx>

Delivery-date: Tue, 02 Nov 2021 16:10:30 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Recently we (the Xen security team) have been invited by HackerOne to join the Internet Bug Bounty https://hackerone.com/ibb (citing the original mail): > The Internet Bug Bounty <https://hackerone.com/ibb> was created with > the goal of helping to secure critical open source infrastructure. > After almost $1M paid out for vulnerabilities in open source, we are > expanding the program's scope with more OSS Projects, and I’m reaching > out to you today because Xen Hypervisor was specifically requested by > multiple partners. > > - Partners contribute funds to a shared pool, and nominate projects > for inclusion > - Projects opt-in for inclusion in the program > - Vulnerabilities are reported directly to project maintainers by your > preferred process > - After a public advisory is released, the Finder submits a bounty > claim to the IBB > - Bounty is split 80% for finder and 20% to the project This is something we as the security team don't want to decide without discussing it in the open. We've brought that topic up in today's (Nov 2nd) community call. As maybe not everyone wanting to bring something up was in that call, I volunteered to write this mail to xen-devel. There are a few things we already discussed: - As a large quantity of security bugs is actually detected by the security team while looking at other security bugs, we feel that the members of the security team should not be claiming bug bounties for issues they find in the code. - We are aware of the possibility that someone (being a contributor or a maintainer) might try to sneak in a patch introducing a security bug, in order to claim a bounty for it later. OTOH setting up rules for a (hopefully) never occurring case feels like overkill, and we don't want to drive away potential new contributors or maintainers by excluding them at least partially from the bounty program. So right now we are inclined to not setup further exclusion rules for claiming any bounties. - General consensus seems to be to let the bug bounty program only cover our coding. Any vulnerabilities reported against the Xen project's infrastructure (web sites, ...) should not qualify for claiming a bug bounty. Are there any further topics we need to discuss, or is there any concern with above statements? Juergen, on behalf of the Xen security team

Attachment: OpenPGP_0xB0DE9DD628BF132F.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

Follow-Ups:

Re: Bug Bounty program
- From: Juergen Gross

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.