An entry fee that is reimbursed if the bug turns out to matter would stop this, real quick.
Then again, I once submitted a bug report to my bank, because the login method could be switched from password+pin to pin only, when not logged in, and they closed it as "works as intended", because they had decided that an optional password was more convenient than a required password. (And that's not even getting into the difference between real two-factor authentication the some-factor one-and-a-half-times they had implemented by adding a PIN to a password login.) I've since learned that anything heavily regulated like hospitals and banks will have security procedures catering to compliance, not actual security.
Assuming the host of the bug bounty program is operating in good faith, adding some kind of barrier to entry or punishment for untested entries will weed out submitters acting in bad faith.
Bug bounties often involve a lot of risk for submitters. Often the person reading the report doesn't know that much and misinterprets it. Often rules are unclear about what sort of reports are wanted. A pay to enter would increase that risk.
Honestly bug bounties are kind of miserable for both sides. I've worked on the recieving side of bug bounty programs. You wouldnt believe the shit that is submitted. This was before AI and it was significant work to sort through, i can only imagine what its like now. On the other hand for a submitter, you are essentially working on spec with no garuntee your work is going to be evaluated fairly. Even if it is, you are rolling the dice that your report is not a duplicate of an issue reported 10 years ago that the company just doesn't feel like fixing.
Pay to enter would increase the risk of submitting a bug report.
However, if the submission fees were added to the bounty payable, then the risk reward changes in favour of the submitter of genuine bugs.
You could even have refund the submission fee in the case of a good faith non bug submission.
A little game theory can go a long way in improving the bug bounty system...
They could allow submitters to double down on submissions escalating the bug to more skilled and experienced code reviewers who get a cut of the doubled submission fee for reviews.
Indeed, increasing the incentive for companies to reject ( and then sometimes silently fix anyway ) even the valid reports would only increase further misery for everyone.
Indeed. I've also gotten a lot of "Hey I found a super critical security bug that makes your system ass, but if you pay me first I'll tell you what it is" types of submissions. Sometimes it's a hybrid, like something semi-legitimate but weak that they disclose up front, closing with a "and I've got another one that's juicy but you have to pay me first to hear it".
Oh and then of course there is the flood of people who just scanned our infra with Nessus and screenshotted part of the report (often with important details blacked out so we can't see them unless we pay).
As someone who has been on both sides of it as well, it just feels like everything is terrible
> I've since learned that anything heavily regulated like hospitals and banks will have security procedures catering to compliance, not actual security.
Sadly, yeah. And will do anything only if they believe they can actually be caught.
An EU-wide bank I used to be customer of until recently, supported login with Qualified Electronic Signatures, but only if your dongle supports... SHA-1. Mine didn't. It's been deprecated at least a decade ago.
A government-certified identity provider made software that supposedly allowed you to have multiple such electronic signatures plugged in, presenting them in a list, but if one of them happened to be a YubiKey... crash. YubiKey conforms to the same standard as the PIV modules they sold, but the developers made some assumptions beyond the standard. I just wanted their software not to crash while my YubiKey is plugged in. I reported it, and they replied that it's not their problem.
> An entry fee that is reimbursed if the bug turns out to matter would stop this, real quick.
That adds an extra layer of complexity to the cURL maintainers, handling other people’s money and whatnot. It was considered.
Daniel (cURL’s lead) has been discussing this for months. Whatever “quick and easy” solution you think of, it’s already been suggested and thought about and rejected for some reason.
A problem with this approach is that one of the key functions of a bug bounty program is to encourage people to report vulnerabilities to the developers, rather than selling them elsewhere.
If I have to pay money to submit a vulnerability to the developers with no guarantee that I'll even get refunded for a high quality and good faith report, let alone any actual payout, there's much less incentive for me to do so compared to selling them to someone else who won't charge me money for the privilege.
In a past life I was deeply involved in the operation of a bug bounty program. Discouraging people from selling on the black market was nowhere on the list of motivations.
We wanted to encourage white hat security researchers to look at our domain rather than other domains so we could collect more data on the kinds of vulns that appeared in our domain to help prioritize efforts that would fix the root causes of recurring bug patterns.
I've also submitted bug bounties and received rewards and I've worked with a bunch of other people who have done this. At no point did I even consider selling on the black market and I suspect that my friends from grad school were the same way.
Maybe the $1,000,000 bounties for zero click rce on iphones or whatever exist to discourage selling on the black market, but I'm not even sure that is true. "Well, I'll just find a way to sell this to the russian mob" is not exactly something that is on the radar of the vast majority of security researchers.
The reality is that most people's thoughts on bug bounties are from salacious headlines talking about those $1M vulnerabilities. In reality the average bug bounty submission is a machine translated report for a low severity issue in a web app that may or may not even exist (or be a vulnerability), sprayed at hundreds of companies (or the same company a hundred times) in the hopes of earning $500 to basically do currency manipulation.
There are plenty of places you can sell exploits other than OCGs. At the more legitimate end of that market is people like ZDI who will then collaborate with the vendors (after a time), or companies making exploit kits/tooling for pentesters/red teaming. More questionable ones are companies that make things like forensics tools or spyware who are legal, but perhaps ethically dubious. All completely legal, but not great for the wider community if they're getting the vulns rather than the developers.
If you're trying to protect your own website and servers, those markets won't be a concern for you. If you ship a widely used product that's an attractive target (like web browser, mobile device, network kit, etc) then they definitely are.
You don't sell it to the "Russian mob", you sell it to a highly reputable security company that will buy it for like $10 million or more and sell it to governments and stuff, not the mob.
I mean, seriously.
Why would I ever go find a 0 click rce bug and then just donate it to a trillion dollar company just to get a "thx" when I can just retire right then and there?
> I've since learned that anything heavily regulated like hospitals and banks will have security procedures catering to compliance, not actual security.
I personally came to that conclusion thanks to the GrapheneOS situation regarding device attestation. Insecure devices get full features from some apps because they are certified, although they cite security, while GrapheneOS get half featured apps because it's "insecure" (read, doesn't have the Google certification, but are actually the most secure devices you can get, worldwide)
It's related, but GP is still right to bring it up - it's the one question that is most important wrt. security, and also conveniently the least often asked: security for who, and from what? "Security" isn't an absolute good.
Play Integrity certifies (and banks/etc approve) that Android 8.0 (oreo) unpatched for several years, full of vulnerabilities for RCE, 0-click, privilege escalation, etc, so full of holes it's trivial to get a root and then hide it (or use leaked cert), is absolutely a-ok, safe to use and secure for user.
> An entry fee that is reimbursed if the bug turns out to matter would stop this, real quick.
I refer to this as the Notion-to-Confluence cost border.
When Notion first came out, it was snappy and easy to use. Creating a page being essentially free of effort, you very quickly had thousands of them, mostly useless.
Confluence, at least in west EU, is offensively slow. The thought of adding a page is sufficiently demoralizing that it's easier to update an existing page and save yourself minutes of request time outs. Consequently, there's some ~20 pages even in large companies.
I'm not saying that sleep(15 * SECOND) is the way to counter, but once something becomes very easy to do at scale, it explodes to the point where the original utility is now lost in a sea of noise.
It’s strange how sensitive humans are to these sort of relative perceived efforts. Having a charged, cordless vacuum cleaner ready to go and take around the house has also changed our vacuuming game. Because carrying a big unwieldy vacuum cleaner and needing to find a power socket at every location just feels like much more effort. Even though it really isn't.
It is. The classical vacuum is heavier, you have to find the socket and plug it in (non-trivial if you have few of them, or have kids and sockets have kid blocks on them), and perhaps most importantly, you need two free hands to operate it (particularly when carrying, plugging in and repositioning). That alone is enough to turn it into a primary activity, i.e. the kind of thing that you explicitly decide to do and becomes your main focus. Meanwhile, a charged cordless cleaner is something you can semi-consciously grab with one hand while passing by, and use on the go to do some cleaning while actually focused on something else. It's an entirely different class of activity, much easier to fit in during the day.
Ironically, the cordless vacuum is even better than vacuum robots in this regard! I was surprised to hear from some friends and acquaintances that they prefer the manual vacuum to robotic one, and find it a better time/effort saver - but I eventually realized they're right, simply because the apps for controling the robotic vacuums are all steaming piles of shit, and their bad UI alone turns activating the robot into primary activity. It may be a brief activity, but it still requires full focus.
Have you tried a handheld corded unit? I find most of the perceived effort with the larger unit is due to a combination of the bulk, the weight, and having to maneuver it around anything delicate without inadvertently bumping into it. Meanwhile the corded handheld never dies on me and I think isn't as bad for my hearing. All the cordless units I've tried seem to have an extremely high pitch whine to them.
I keep having to get it from progressively more inconvenient locations to which it has been banished in order to humor my wife’s delusion that the roomba or the handhold do anything.
I can make multiple passes with the handheld to get 80% of the crumbs in a small area, troubleshoot why the robot didn’t run yesterday in order to hope it will get the crumbs tomorrow, or just get the corded vacuum out and actually clean a whole room.
Work involves cables. Any product that promises something different is a lie.
Our cordless, on the highest suction setting, is bordering on unusable. The effort to move it across carpet becomes quite high. Trying to roll it on an area rug tends to cause it to drag the rug around, and if you pick it up while on it will pull the rug up off the floor.
I have done some _very_ scientific testing here, vacuuming a section of carpet on the lowest section (doing lines where each pass half-overlapped the previous so each part of the carpet got touched once in each direction), emptying the vacuum, then going back over doing the same on high. Didn't see anything else come up. Shop vac didn't pull anything else out either that I could see.
I used to be in a similar boat of "these are a stupid class of product", but end of the day even if it takes eight passes my wife was going to use it anyway. The effort for her to set the time aside to drag around the heavier corded vacuum which is a substantial effort for her, etc, would be more than doing eight passes with a cordless. So got a good one and I'm sold on it now--it is quite convenient, and it does work.
Only thing I will say is the battery definitely can't do an entire carpeted house on a charge. We don't have that much carpet, so don't have any problem cleaning all the floors and a couple area and entry-way rugs on a charge.
This is an interesting discussion to me - I have a cordless vacuum that works well and a roborock combo vac/mop that works well. Actually, I'm lying, I have two cordless vacuums because the GGP's observation rings true to me and I got a second one for free and held on to it. :-)
Dyson cordless vac, older (v8 ultimate). Have had to replace battery once and broken trigger. Continues to be a workhorse.
Roborock s5v: I have it run 2x / day on weekdays, once in the morning after breakfast when we're taking the kids to school (vac kitchen only), and once after bedtime (vac + mop entire area). It does a great job of generally keeping things clean. Not perfect, but the overall dirt level stays low.
The cordless manual vac is really useful for "oh bleep, 8yo just spilled MORE stuff on the ground". I keep it next to the dining and kitchen area. It's not super aesthetic having it hanging on the wall in a visible location but I have engineer-itis and I value the convenience over the illusion that we don't own a vacuum. :) I approximately never use the robovac as an on-demand vacuum unless it's to run an extra pass when we're leaving home on a weekend and have left crumbs from a meal.
For us, substantially upping the frequency of vacuuming, even if it's not quite as deep, has made a big difference, and it's basically no extra burden to have the robovac run frequently after programming it.
Well... I have a (1000 dollar!!!) Dyson cordless vacuum, arguable the laser + the histogram for "removed particles of size X", make me clean more thoroughly. The things is pretty heavy and applies a pretty good vacuum, imho.
Bro the vacuum community is audiophile-level picky. I have a Dyson stick vacuum of some sort and I haven’t had any issue with picking up crumbs. I would rather manually bend over and pick up something it doesn’t grab than move around the heavy corded vacuum and plug it in 10 times.
The term I know / used for this is "trivial inconveniences", via an old article of Scott Alexander[0].
The quote from example from early in the article stuck with me for years:
Think about this for a second. The human longing for freedom of information is a terrible and wonderful thing. It delineates a pivotal difference between mental emancipation and slavery. It has launched protests, rebellions, and revolutions. Thousands have devoted their lives to it, thousands of others have even died for it. And it can be stopped dead in its tracks by requiring people to search for "how to set up proxy" before viewing their anti-government website.
(Now this is more poetic, but I suppose the much more insightful example that also stuck with me is given later - companies enticing you to buy by offering free money, knowing well that most customers can't be arsed to fill out a form to actually get that money.)
I suspect that applies specifically to their cloud rewrite which was apparently a bloat of JS libs and hundreds of requests even by Atlassian standards. The on-prem self-host Confluence I've used is still pretty snappy and pleasant to use and without throwing an absurd amount of resources at it. We do have quite a lot of actually-useful documentation in it.
That said, Atlassian is busy relentlessly raising the price for self-host to push people into their cloud roach motel, so we'll probably be on some alternative (either FOSS or commercial, but self-host) soon too.
I find this to be a very amusing critique. In my experience, Notion (when I stopped using it 3 years ago) was slow as molasses. Slow to load, slow to update. In comparison, at work, I almost exclusively favor Confluence Cloud. It's very responsive for me.
We have tons of Confluence wikis, updated frequently.
I think it might be the same issue as with WordPress and Jira - terrible plugins. Each company uses own special mix, and encounters issues often occurring in that one specific configuration. And it is the base platform that takes the blame.
In particular a place I used to work had a plugin for threaded comments in Jira. The specific one we were using slowed things down noticeably with the DB on the same server, but not too much to be an improvement in overall usefulness.
Then we decided trying to make our Jira more reliable by splitting the DB out into a separate clustered DB system in the same data center. The latency difference going through a couple of switches and to another system really added up with those extra 1600 or so DB calls per page load.
We ended up doing an emergency reversion to an on-host DB. Later, we figured out what was causing that many queries.
You're referring to the on-prem Jira. That might suck, sure. My experience has been purely using Jira Cloud and Confluence Cloud, both of which I've found to be snappy and responsive.
My last company switched several teams to Jira Cloud. My current company started with Cloud when we moved over from other tools.
Cloud does not give you the flexibility of your own plugins, your own redundancy design, or your own server upgrades. On top of that, the performance is pretty variable and is far worse than a self-hosted Jira on fast hardware.
It’s interesting to me that your lack of experience to make a comparison qualifies you in some way to criticize the experience I actually have.
Amusingly, exactly opposite experience here. That said, our on-prem is jira and confluence integrated with db on same machine, and apache in front doing additional caching. I imagine like so many things it is how you set it up...
If you read my previous comment, I said it was largely the specific poor plugin that caused most of the performance issue with the database queries. I never complained about the overall speed of on-prem Jira. That was the assertion of the person who’s only ever used the cloud version.
And the end of their self hosting offerings (Server, Data Center), which is currently driving a lot of people towards XWiki, for other reasons than money. XWiki SAS being mainly in Europe makes it attractive to EU users too.
> do you have any migration tips?
I don't have specific migration tips. I hope the docs are complete enough!
The Confluence Migration Toolkit is based on the Confluence XML module you found, but it adds a nice and convenient UI, converts some more macros that XWiki SAS sells, there's support, and there's consulting for larger migration projects or projects with special requirements.
(note: despite some paying features, everything is open source)
(disclaimer in case it was not obvious, I work for XWiki SAS)
I found that banks are one of the worst organizations when it comes to authentication. They are regulated but the requirements are completely outdated and irrelevant in a risk context.
And then you have banks such as Boursobank (a French online bank) that has weak traditional authentication (and a faulty app, but they do not care) and out of the blue also provides passkeys. Making it at the same time horribly bad and wonderfully good.
The worst part is that they hide behind regulations when in fact there are only few of them.
Other instiytutions such as SWIFT are as bad and equally arrogant.
For weak bank logins, my guess is that reimbursing all account takeovers is cheaper than having a complex login process that would scare away non-technical customers. Or, well, I could see myself making that decision if I were more versed in finance than in computer science and I had a reasonable risk assessment in front of me to tell me how many account takeovers happen.
Banks aren't even liable for losses from account takeovers, at least if their system is compliant, regardless of whether that makes it secure. Their biggest incentive is customer satisfaction, which fraud does hurt.
It's credit cards that have to reimburse for fraud, but they charge the merchant for it, plus fees, so they have absolutely no incentive to prevent fraud, if not an incentive to outright encourage fraud. That would explain why their implementation of the already compromised EMV was further nerfed by a lack of a PIN in the US.
> Their biggest incentive is customer satisfaction
At a bank? No way. They are some of the most customer-hostile organizations I've interacted with. Dealing with payment accounts is a necessary evil for them, and they are very much aware of the effort required to switch to a different bank, and of the massive regulatory moat preventing consumer-friendly competition from popping up.
A bank doesn't care about screwing over a handful of customers. As long as it's not common enough to draw the attention of the press and/or a regulatory agency, they are not going to spend any money on improving.
Case in point: Wells Fargo foreclosure fraud.
Case in point: Wells Fargo opening new accounts in customer names without direction from, approval by, or notification to said customers.
The primary incentive of a bank is to make money rather than customer satisfaction, security, or most other things. Sometimes other priorities suffer in the race to profit, sometimes including regulatory compliance and legality.
That anecdote is hilarious and scary in equal measures. Optional passwords are certainly more convenient than required ones, but so are optional PINs. The most convenient UX would be never needing to log in at all! Unless you find it inconvenient for others to have access to your bank account of course
That's what eBay does to me. You get to choose, at the time of login, between entering a password and getting an email verification, or just getting an email verification. At least with the bug report I had submitted to my bank, the password requirement had to be disabled from inside a settings menu, instead of being a clear option in the login prompt, but it that case it wasn't even a 2nd factor.
Long long ago the google toolbar queries could be reverse engineered to do an i feel lucky search on gmail. I created a login that (if @gmail.com) forwarded to the specific mail.
Unlikely to happen but it seems fun to extend email [clients] with uri's. It is just a document browser, who cares how they are delivered.
I hate this as well, especially since I have greylisting enabled on some email addresses, so by the time the email login is delivered, the login session has already timed out and of course the sender uses different mail servers everytime. So in some cases, it's nearly impossible to login and takes minutes...
It's the same on the sender side. Most people of course just outsource it to some SaaS like Sendgrid, and of course have some fancy microservice event bus architecture to get it there. That 'your login email has been sent' actually means 'your email has entered the very first queue, and we're hoping it makes it through all the layers soon'.
There have been plenty of instances where I tried to log in somewhere, and the first attempt to contact my mail server was twenty minutes later. And of course they then deliver all five retries at once.
cURL would operate such a program in good faith, and quickly earn the trust of the people who submit the kind of bug reports cURL values.
Your bank would not. Nor would mine, or most retail banks.
If the upfront cost would genuinely put off potential submitters, a cottage industry would spring up of hackers who would front you the money in return for a cut if your bug looked good. If that seems gross, it's really not - they end up doing bug triage for the project, which is something any software company would be happy to pay people for.
There's also the issue of what happens to my money as a researcher. Is it paid to the company, or is someone holding it in escrow? What if it takes the developer months to respond, or they never do? Do they just get to keep my money indefinitely? What if the vendor pulls out of the scheme? What if I do a chargeback on the payment I made? Etc, etc
I wonder if a better model would be to make the platform pay to entry, but not the specific bugs? So you have to pay a fee to gain access to a platform like HackerOne, and if your signal:noise ratio gets too bad then your account gets revoked? That would make it feel like less of a gamble than having to pay for every individual bug - but still has the same problem that it's putting a big barrier in front of legitimate good-faith researchers.
I've been active in the bug bounty community for almost 7 years now. The problem is that the majority of companies don't act in good faith.
Even when you have something fully exploitable and valid, they will many times find some way to not pay you or lower the severity to pay you very little.
The catch-all excuse is something along the lines: "although this is vulnerable, it doesn't impact the business".
I've gotten this excuse, even when I could prove it was a production server with customer information that I could access.
Sites like Hackerone can help, but in the end, it comes down to the company running the bug bounty program.
Agreed, although the reimbursement should be based on whether a reasonable person could consider that to be a vulnerability. Often it’s tricky for outsiders to tell whether a behaviour is expected or a vulnerability
Are bug reports a 100% sure black and white thing?
Could people who think they found a bug but not sure be turned off by the up front cost / risk of finding out they are wrong or not technically finding a bug?
> An entry fee that is reimbursed if the bug turns out to matter would stop this, real quick.
It would also stop a lot of genuine submissions unfortunately, as some literally can't pay not just won't pay (for both technical or financial reasons), and adds complexity¹. Each project working this way will need to process a bunch of payments and refunds on top of the actual bounty payments, which is not admin free nor potential financially cost free.
I can't think of an easy answer that would work for more than a very short amount of time. As soon as there is money involved and an easy way to use tooling rather than actual effort/understanding to be involved, many will try to game the system ruining it for those genuine participants. Heck, even if the reward is just credit² rather than money, that will happen. Many individual people are honest and useful, people as a whole are a bunch of untrustworthy arseholes who will innocence you and the rest of the world for a penny or just for shits & giggles.
> Assuming the host of the bug bounty program is operating in good faith
This is a significant assumption. One that is it harder to not be paranoid about when you are putting money down.
> they closed it as "works as intended", because they had decided that an optional password was more convenient than a required password
This does not surprise me. My primary bank (FirstDirect, UK) switched the way I authenticate from “between 5 and 9 alphanumeric characters”³ to a 5-digit pin, and all their messages about it assured me (like hell!) that this was “just as secure as before”…⁴
--------
[1] Needing a payment processing option that is compatible with both the reporter and reportee, at the point of submission. At the moment that can be arranged after the bounty is awarded rather than something a project like curl needs to have internationally setup and supported before accepting submissions.
[2] ref: people submitting several simple documentation fixes, one misplaced comma or 'postrophe per pull request, to game some “pull requests accepted” metric somewhere.
[3] which wasn't ideal to start with
[4] I would accept the description “no less secure than before” if they admitted that the previous auth requirements were also lax.
> An entry fee that is reimbursed if the bug turns out to matter would stop this, real quick.
The problem is that bug bounty slop works. A lot of companies with second-tier bug bounties outsource triage to contractors (there's an entire industry built around that). If a report looks plausible, the contractor files a bug. The engineers who receive the report are often not qualified to debate exploitability, so they just make the suggested fix and move on. The reporter gets credit or a token payout. Everyone is happy.
Unless you have a top-notch security team with a lot of time on their hands, pushing back is not in your interest. If you keep getting into fights with reporters, you'll eventually get it wrong and you're gonna get derided on HN and get headlines about how you don't take security seriously.
In this model, it doesn't matter if you require a deposit, because on average, bogus reports still pay off. You also create an interesting problem that a sketchy vendor can hold the reporter's money hostage if the reporter doesn't agree to unreasonable terms.
I don’t think it works for curl though. You would guess that sloperators would figure out that their reports aren’t going through with curl specifically (because, well, people are actually looking into them and can call bullshit), and move on.
For some reason they either didn’t notice (e.g. there’s just too many people trying to get in on it), or did notice, but decided they don’t care. Deposit should help here: companies probably will not do it, so when you see a project requires a deposit, you’ll probably stop and think about it.
Triage gets outsourced because the quality of reports is low.
If filing a bad report costs money, low quality reports go down. Meanwhile anyone still doing it is funding your top notch security team because then they can thoroughly investigate the report and if it turns out to be nothing then the reporter ends up paying them for their time.
My point is that on average, filing bad but plausibly-sounding reports makes the reporter money. Curl is the odd exception with naming-and-shaming, not the rule. Spamming H1 with AI-generated reports is lucrative. A modest deposit is unlikely to change that. A big deposit (thousands of dollars) would, but it would also discourage a lot of legitimate reports.
Github can use youtube strikes like system. PRs are tied to people. Someone reported for submitting slop should get a badge or something similar.
If a PR is submitted by someone who is then known to submit slops, they can be easily ignored by the maintainers.
EDIT: Or may be something like SponsorBlock for youtube. There could be a browser extension that will collectively tag sloppers the sameway and can help identify sloppers.
> I've since learned that anything heavily regulated like hospitals and banks will have security procedures catering to compliance, not actual security.
This is the key insight. Nobody cares at all about actual security. It is all about checklists and compliance.
Then again, I once submitted a bug report to my bank, because the login method could be switched from password+pin to pin only, when not logged in, and they closed it as "works as intended", because they had decided that an optional password was more convenient than a required password. (And that's not even getting into the difference between real two-factor authentication the some-factor one-and-a-half-times they had implemented by adding a PIN to a password login.) I've since learned that anything heavily regulated like hospitals and banks will have security procedures catering to compliance, not actual security.
Assuming the host of the bug bounty program is operating in good faith, adding some kind of barrier to entry or punishment for untested entries will weed out submitters acting in bad faith.