Calling All Security Researchers: Help Make Our Digital Infrastructure Safer
By Tara Tarakiyee
We're calling on security researchers to help enhance the resilience of open digital infrastructure. Participate in the bug & fix bounties of seven critical software projects.
Given enough eyeballs, all bugs are shallow.
The openness of open digital infrastructure is not something to be taken for granted. The more critical a software project is, the more challenging proper vulnerability management becomes. However, as the software development adage above suggests, combining openness with increased collaboration and scrutiny simplifies the task. This principle is a cornerstone of the Bug Resilience Program’s (BRP) approach to enhancing the resilience of open digital infrastructure. It applies to reducing technical debt and improving contribution guidelines via our direct contributions service, as well as to the code audit service.
This principle is most apparent in our bug & fix bounty program on the YesWeHack platform. Here, we aim to bring as many experts as possible to examine the code that underpins our digital lives and improve its resilience and security. Security researchers, bug hunters, and hackers work tirelessly, often at great personal risk, to find and fix vulnerabilities before malicious actors can exploit them. By applying their knowledge and expertise to uncover vulnerabilities in currently deployed technology infrastructure, they help provide an active defense against undiscovered vulnerabilities.
At BRP, we emphasize responsible disclosure, as we provide services to software projects used and relied upon by millions. Responsible disclosure ensures that discovered vulnerabilities are reported in a way that allows them to be remediated, and announced in a way that minimizes potential abuse of, or damage to, the users of the affected software.
What kind of software would researchers be looking at?
We are thrilled to announce five new bug bounty programs in addition to the two already available. More bug bounty programs will be added throughout the year. If you’re responsible for an open digital infrastructure software project, learn more about how to apply for support.
Existing Bug Bounty Programs
- systemd is a suite of basic building blocks for a Linux system. It provides a system and service manager that runs as PID 1 and starts the rest of the system. More on the systemd bug bounty
- Sequoia PGP provides several secure communication and authentication solutions in the OpenPGP space, including a low-level PGP implementation written in Rust. More on the Sequoia PGP bug bounty
New Bug Bounty Programs
- OpenPGP.js: A JavaScript library that implements the OpenPGP standard for message encryption and signing. More on the OpenPGP.js bug bounty
- ntpd-rs: An open-source implementation of the Network Time Protocol written in Rust. More on the ntpd-rs bug bounty
- Apache Log4j: A versatile, industrial-grade Java logging framework. More on the Apache Log4j bug bounty
- CycloneDX Rust: A project to read, write and generate CycloneDX SBOMs for use in Cargo-based Rust projects. More on the CycloneDX Rust bug bounty
- GLib: A low-level core library, developed mainly by GNOME, providing data structure handling for C, portability wrappers, and interfaces for such runtime functionality as an event loop, threads, dynamic loading, and an object system. More on the GLib bug bounty
How to Get Involved
- Get rewarded for discovering a qualifying vulnerability! Select a software project that aligns with your interest and expertise, read the scope carefully, do your research, and submit your reports through the YesWeHack platform!
- Share the program with your communities. We strongly believe in leveraging collective knowledge and fostering a culture of collaboration and security in open digital infrastructure, and we can’t do that without your help.
Your skills, dedication, and expertise can make a profound difference. Together, we can further ensure the resilience and safety of our critical open digital infrastructure.