Snark in the security community? What?
Common Criteria is shit. Fuck Common Criteria. That is all.
As a dev (not a security pro) I’ve had the chance to work with a few outside security consultants or agencies over the years, and read quite a bit. I don’t know how accurate my view is, but the security experts seem to be mostly either people who can run an automated tool and email you the report, but don’t know much about what it’s saying, or people who could MacGyver their way into root access on just about any system with nothing more than a Commodore 64, some spare wires, and a tuning fork.
I suspect security experts have the same view of us developers. But I wonder how you view yourselves from the inside. Are most security people actually somewhere on a progression through an average mid-level between the extremes? Or are they as extreme as they appear?
Well, that’s both rather unflattering, and yet somewhat accurate. The industry is newer, the hobby is older. Can I say you are probably better off with someone who really loves what they do and not some dude-bro that realized over the last 5 years that there’s actually money in the industry? (I think I’m speaking as an insider but you may have to verify with some of my peers for accuracy.)
It is all sorts. I get bug reports for our bounty program. For the website ones, it is a bunch of marginally useful idiots running scanners sometimes. Those reports aren’t that useful. I also have a contractor who is a contractor because he kept reporting such useful and godawful scary stuff that we wanted him working on things for us reliably.
I’m actually not much of a coder and am more of a middle manager and program manager. I know the basics of a lot of stuff but I could not likely just sit down and take over someone’s machine from remote (unless they were a real idiot). At least one guy who works for me has done that for fun though. It takes all types.
[quote="Daaksyde, post:83, topic:73565"]are they as extreme as they appear?
[/quote]
Yes! When they scan my DNS I find out which kind they are.
Bounty program? Are we talking real money here? I could be marginally useful for real money.
There are a lot of bug bounty programs out there now - FB, Paypal, Google, Square, Mozilla, Apple, Twitter, and many others run them. Depending on the severity of your finding and who’s running the program the money varies. If you can pop a shell you can make a lot, though you must follow the program guidelines carefully. If you’ve got free time and can do better than the average pentester they are worth it, though you shouldn’t go into it planning to make anything.
I’m going to have to run this line by the fuzzing team I manage!
Google “Mozilla bug bounty” as I’m on my phone and first coffee here so I don’t have the links handy.
Under mozilla.org/security/
@enso, @nemomen, thanks for the tips, but frankly that’s not enough money to be worth the amount of time and effort I’d be expending, at least at Mozilla.org.
The money’s good enough for students and people who’d want to do it anyway, but personally I have the great good luck to be able to reliably make more dough than that by spending my time in other ways.
In the unlikely event that I get the time to do something nice for Mozilla, I think I’d rather write code for an outstanding issue, like for example Firefox’s file URL handling (explanation why I’d want to fix this is here).
Making $5,000 or more on a bug isn’t worth it? Ooookay.
We have reporters that make over $60,000 a year on the program. Of course, they’re finding critical vulnerabilities as well.
In general security is shit fun. I just took the annual security training… oh it was painful. I work at an IT company and we have to be told “don’t download strange attachments” apparently.
Your bug is 7 years and 9 months old. I’m going to make a prediction here: it isn’t going to be fixed… Heck, the last duplicate bug in your list is from 7 years ago too.
Is it an especially difficult bug?
(I don’t understand why it wouldn’t get addressed for that long.)
Touching how we deal with URLs could be dicey. Without really digging in, I’d say it is more likely that no one sees it as terribly important or valuable (and may debate how much of a “bug” it is versus poor design). Windows specific issue to do with network shares. Traditionally, Mozilla isn’t that concerned with enterprise environments on Windows or edge cases. Don’t quote me there as I spent a total of 120 seconds looking at this bug.
The bug was closed as “won’t fix” if you look at the link.
Thanks.
I’d also wonder if Chrome handles it better. I assume IE or Edge probably does because… Windows.
Compare that to issues like:
https://bugzilla.mozilla.org/show_bug.cgi?id=1140537
which we paid a bounty on.
and now you know my Bugzilla ID if you remember my name.
How could I forget?
Does Mozilla disclose how much the bounties are, or who they’re paid to?
Payment ranges are disclosed.
https://www.mozilla.org/en-US/security/bug-bounty/
https://www.mozilla.org/en-US/security/client-bug-bounty/
https://www.mozilla.org/en-US/security/web-bug-bounty/
We don’t disclose how much we’re paying various individuals as that would be invading their privacy. They can disclose if they want.
We do have Hall of Fame pages as well:
https://www.mozilla.org/en-US/security/bug-bounty/hall-of-fame/
https://www.mozilla.org/en-US/security/bug-bounty/web-hall-of-fame/