Tarsnap bug bounties

When Taylor R Campbell wrote to me three months ago to point out a critical security bug in Tarsnap, he also convinced me to do something I had been considering for a long time: Instituting a bug bounty. While I awarded him the first Tarsnap bug bounty — $500 — it took me a while to iron out the details of how the program would work; but I'm happy now to officially announce the availability of Tarsnap bug bounties ranging from $1 to $2000.

Most developers are aware of bug bounties like those offered by Mozilla and Google: Prizes for finding security flaws. That works well for Firefox and Chromium, but Tarsnap is a much smaller project — and I think it has fewer bugs, too. To quote one wag, "any reviewer who wanted to get paid would not start with Colin's code as an easy place to find bugs" — and since the point here is to get people to look at the Tarsnap source code, I need to do more to encourage people. For that reason, I'm not only offering bounties for security bugs: All bugs in Tarsnap are eligible for bounties of varying sizes, ranging all the way down to typographical errors in source code comments (worth $1 each).

Is a typo fix in a comment worth $1? Personally I think it is: My experience as FreeBSD Security Officer has taught me that code readability matters a lot, and simple things like typographical errors in comments or inconsistent code indentation can allow bugs to lurk undetected for years as everybody glances past the "ugly" section of code. But this isn't why I'm offering $1 for cosmetic errors. I want people to read through the Tarsnap code in case anything jumps out at them and makes them think "gee, that doesn't look right", and finding cosmetic errors is a form of proof-of-work.

The Tarsnap bug bounties are unusual in another way: Their value depends on when a bug is reported. My standard practice with Tarsnap releases is to pre-announce a release via the tarsnap-alphatest mailing list a week before announcing it on the Tarsnap website and via the tarsnap-announce mailing list, in order to give time for people running interesting (aka. creatively broken) platforms to alert me to any build breakage. To encourage people to build, test, and inspect this pre-release code, any bugs which are reported before they make their way into an officially announced release will elicit double the normal bounty.

There are lots of reasons to read the Tarsnap source code. If you're a developer, you might learn something by reading what I (entirely immodestly) consider to be very high quality C code. If you're interested in cryptography, you might be curious to see how all of the cryptographic bits in Tarsnap fit together. If you're looking for good online backups and don't want to use a service which will hand over your data to third parties, you might like to verify for yourself that Tarsnap's client-side encryption works the way I claim it does — something you can't do with any other online backup service. And now there's another reason: You might win a bug bounty.

So what are you waiting for? Download, extract, and read.

Posted at 2011-04-21 06:15 | Permanent link | Comments
blog comments powered by Disqus

Recent posts

Monthly Archives

Yearly Archives