BSDCan2012 - Slide Update J
BSDCan 2012
The Technical BSD Conference
| Speakers |
|---|
| Colin Percival |

| Schedule | |
|---|---|
| Day | Talks - 1 - 2012-05-11 |
| Room | MRT 205 |
| Start time | 13:30 |
| Duration | 01:00 |

| Info | |
|---|---|
| ID | 337 |
| Event type | Lecture |
| Track | Security |
| Language used for presentation | English |
Crowdsourcing security
Lessons in open code and bug bounties
Advocates of open source software often claim that the public availability of source code gives them a security advantage: "Given enough eyeballs, all bugs are shallow," according to Eric S. Raymond. While it is clear that the world has no shortage of eyeballs, it is far from clear that they are being usefully employed; and the putative security benefits of open source code evaporate if nobody takes advantage of the opportunity to read the source code with which they are provided.
In this talk I will draw upon my experiences with a large open source project (FreeBSD) and running a bug bounty program at a small commercial project (Tarsnap) to offer advice on how to maximize the likelihood that security vulnerabilities are found and reported.