The good news is that all of this is voluntary. If you don't like the program or the rewards, there is no obligation to participate.
It should be noted that the reward from Google is on top of whatever the company in question may pay. Companies that develop Android apps can start their own programs with their own bounties. Google's program comes on top of that.
As a hacker, the more you submit valid vulnerability reports on HackerOne, the more skilled you will become and the higher your reputation score will go. This in turn will allow you to make money on many other programs.
It's not easy to become a top whitehat hacker, but if you do, the rewards are significant.
Here is how HackerOne celebrated the $500,000 milestone for a hacker: https://www.hackerone.com/blog/mlitchfield-Earned-500000-on-HackerOne
(Sorry for first posting this as Anonymous Coward. I had forgotten to sign in.)
This is an interesting question. We don't really know what will happen long term. One possibility, as you point out, is that black markets will always outpay any other market. Another possibility is that the ethical hacker community will become so large and strong that they will find all those same vulnerabilities and deliver them to the system owners before the black market gets to build exploits and use them for nefarious purposes. It takes just one ethical hacker who finds a critical 0day to deliver it to a service like HackerOne, and the market for that vuln is over. Although asymmetry is usually in the favor of the criminal actor, in this case it is in the favor of ethical behavior. One ethical hacker can put an end to the sale of a 0day on the black market.
What I find interesting is that a regular newspaper will write about this despite it being a highly technical topic. The readers of New York Post are regular citizens. This shows that software security and the hunt for bugs are becoming important enough to be presented to the broader public.
Given the ease of submission and speed of payment, a bug bounty can be very well worth it. On HackerOne, there is a hacker who made over $600,000 in two years with most of the individual bounties well under $10k.
Ha ha. That's a common joke about the security industry. There is some truth to it.
What's great with bug bounty programs is that customers pay for results. You pay for valid and useful vulnerability reports. You don't pay for reports that are not useful. For hackers to make money (and the best ones make a lot of money), they must produce useful and relevant vulnerability reports.
That's a HUGE difference compared to traditional security products and services and it explains why bug bounty programs are becoming so popular. They are much more effective than any other method of finding vulns in live software.
Yep, 70,000 is a lot! The number keeps growing, and we hope to get to a million. To serve all companies and government organizations worldwide who will be needing bug bounty programs, we need a lot of excellent hackers.
It should also be noted that it takes a lot of hacking to find even a simple vulnerability. Of the 70,000 hacker accounts we have, about 1 in 6 have filed an actual vulnerability report. To help them get going, we have an ebook on hacking that we give to new hackers. Once new hackers get the hang of bug hunting they can advance fast, earning more and more reputation points. When you sign up at HackerOne, you start at 100 points. Our most prolific hackers have reached 10,000 points. You can do it, too!
Yep, this is true. It is also a common situation that humanity has dealt with successfully many times. To keep a ship afloat, you must find and fix every hole. Even one hole might sink it. To keep an aircraft safely flying, similarly every safety aspect must be in shape. Shipping and airlines have a great safety track record these days.
To keep software secure, you must attempt to fix all serious vulnerabilities. You may never get to 100% vuln-free software, but the closer you get and the faster you can asymptotically move towards that goal, the more you reduce your cybersecurity risk.
Ooops sorry slashdotters - three zeros missing. Above it should say "HackerOne has already paid out over $10,000,000 to hackers".
:-)
Sometimes we need to repeat old insights to make sure that the broader society is aware.
It has taken decades for the industry to get used to bug bounties. The first one was in 1981. Now it is starting to be very real. HackerOne has already paid out over $10,000 to hackers and researchers around the world. One hacker has made over half a million dollars. Another recently bought an apartment for his mother with the bounty money he had made. Still lots of work and education to do, but it is very much moving in the right direction. An example: the US DoD now committing $7m to vulnerability disclosure programs.
- Marten (HackerOne CEO)
Great question. We are seeing a lot of interest among enterprises to have AWS-like functionality in their own datacenters. And we also know that they are eager to use OpenStack. So at Eucalyptus we decided to do something about it. Here is my blog about the topic: https://www.eucalyptus.com/blog/2014/08/11/why-eucalyptus-keynoting-openstack-conference
Thanks for the suggestion. That’s funny! I will do my best on all fronts at HP.
You bring up an interesting and relevant point about how various APIs are used by the applications. But when I think about how the world of software is evolving, it seems that those management APIs are becoming more important, because a software application of today must know not just how to run, but also how to be deployed.
I believe it is both difficult and important to align with dominant designs. 30 years ago it was a good bet to develop software for the new x86 architecture, 15 years ago it was a good idea to bet on the new world-wide web, 10 years ago on the new LAMP stack. Today, the API layer is where different pieces of software come together and where brilliant software developers congregate. It's about AWS, but it's even more about the new design paradigm that the AWS APIs represent. Of course there will not be just one set of APIs. We know that in addition to AWS, we have OpenStack, and Microsoft, VMware and Google are all building theirs. One of them will be dominant. Randy Bias brings forward an important point.
I'd say that forking is an order of magnitude (or perhaps 2) easier than creating the product in the first place. Forking is hard work. But creating a product from scratch is enormously harder.
The creators and owners have the right to decide on the roadmap of their creation. Closed source software can't deal with disagreements, but open source software can. If you don't like the roadmap, you can create your own branch or your own fork. You don't have to make use of that freedom, but it is a freedom nevertheless, available to all.
Thx for the comment. I'd say the right to fork prevents the bad things from happening. If you are ever displeased with what the steward of an open source project is doing with it (be it Eucalyptus or something else), you can take the source code and fork it. Happens all the time (OpenOffice, MySQL, Android, etc.).
We believe in Linux, KVM and Eucalyptus - all production-ready open source software freely available to anyone. Just download and get going. - If you have chosen to use closed source software like VMware's, then as Dishwasha points out there are commercial plug-ins available for Eucalyptus.
Marten Mickos
CEO, Eucalyptus Systems
All,
This is a great discussion! I am glad to be back on /.
As often with press, I was not quoted verbatim. I stated my observation that in the world of free and open source software (FOSS), you find some people (some very few people, to be precise) who are judgmental about how other people perceive or act on open source. So when you have a certain governance model, business model, or development model, there will typically be some people who will loudly rule it out as wrong or improper or something. But I didn't say that I have anything against that, and I don't.
It's one of the strengths of the FOSS world. Differences in view are aired publicly, and many times (although not always) a higher level of understanding, or a new thinking will emerge.
We need to keep these discussions going, because as the world moves into the cloud, those same principles of openness that were developed for software code will have to somehow be applied on APIs and on data too.
Marten
Nope, not me. I have not railed against Sun or Oracle, nor written open letters to the community. On the contrary. At Sun I was in charge of the MySQL business. When Oracle then acquired Sun, there was nothing wrong in it. I can admit that I personally did not specifically want MySQL to end up with Oracle, but that's just my personal view. Their acquisition of Sun (and of MySQL) was perfectly legitimate. I was invited as an expert witness to the European Commission and I told them the same.
Could be that you are mistaking me for one of the founders of MySQL. I was not a founder. I was the CEO.
Marten Mickos
yep, including the Eucalyptus open source cloud platform
Thx for the comments on MySQL as part of Sun. The MySQL business is growing faster now than before (measured in revenues) and we are the fastest growing major DBMS business in the world. So, although someone could claim I am biased, I think it is fair to say that the acquisition made sense from a pure revenue growth perspective.
Additionally, Sun is selling hardware to MySQL users and customers - servers that provide a performance boost over what people use today.
Thirdly there are synergies between MySQL and Sun's various software products - especially Glassfish, NetBeans, ZFS, Identity Manager, etc. A web shop may not need all of those, but large corporations see a benefit in getting many products from the same vendor.
Still there is no denying that Sun has major challenges today. We are hard at work fixing the problems. And that's why I keep following the discussions on /. - there is always some great suggestion from someone that we can make good use of.
Marten Mickos
(formerly CEO at MySQL AB, now head of Sun's Database Group)
And so he did. See elsewhere on this thread the posting with subject "David Axmark" and ID (#25309745).
Marten
I think if you ask people who know me, they will say that I stand for transparency and truthfulness.
If the departure had not been amicable, I guess I would not have commented on it at all, or I would have focused my commentary on whatever other positive aspect I could find.
But the best may be to ask David directly. I don't want to publish his email address here, but it is not difficult to guess. Most early employees of MySQL AB, like myself, use firstname at mysql dot com.
Marten
P.S. Generally I am somewhat perplexed by the attention this topic is getting. The beauty of open source is that you can be actively contributing and participating in your favourite project whether you are employed by a certain company or not. So what's the big deal about David choosing not to be employed? He is not abandoning MySQL. With the enormous payout from the acquisition, the founders can now allow themselves to pursue whatever interests and daily routines they like. Good for them, and I think we should all just be happy that open source can provide not just software freedom but also financial freedom. Just my 2c.
Thanks slashdotters for being passionate about all topics FOSS and MySQL!
David's departure is in all ways amicable, and he will continue to be an ambassador for MySQL and for free and open source software in general. For some time already, David was working only part-time for MySQL. After about 25 years of working on MySQL and the projects that preceded MySQL, he very much deserves to do whatever he pleases.
Marten
SVP Database Group at Sun
(previously CEO of MySQL AB)
MySQL is grateful for all code contributions we get, and we will leave all contributions we receive under the GPL as GPL.
The idea is that when you contribute code, you get a better product in return, and everyone gets to see the code that you produced.
forge.mysql.com is a great starting place for contributors.
Marten