[Adding Kayla back to the thread] Hey Mark,
On Mon, Nov 1, 2021 at 7:21 AM Mark J Cox <m...@apache.org> wrote:
>
> Hi Kayla.
>
> Thanks for getting in touch and sharing the details of the program. I've
> worked with you recently on another non-ASF project (OpenSSL) so we're
> familiar with how things have worked in practice. And that's really
> important, as fitting into our existing ASF workflow makes all the difference
> when it comes to working with our volunteer communities.
>
> So, your program should have minimal overhead for us. Reporters will
> continue to report things using our process, https://apache.org/security/ and
> they don't need to share the details with you or other third parties in
> advance. There's no portal or third party in the middle. If a reporter
> manages to find a real issue and then contacts you once it's public to
> request a bounty, you'll contact us by email to secur...@apache.org in
> private to confirm if the issue was reported by the right person in the right
> way. The ASF projects you highlight may wish to let reporters know they may
> be eligible for a bounty (but also that it is a third party project over
> which we have no control or final say). So it may end up we get more reports
> of non-issues, or more arguments with reporters if we reject their issues,
> but we already get that to some extent.

You've described the workflow perfectly. One small note: for repeat submissions by previously verified reporters, an optimization we apply is to skip the verification email to secur...@apache.org when the public advisory acknowledges a reporter we've previously verified with you. We're happy to verify every CVE individually if you'd prefer the extra step.

> I note now you also share a percentage of any valid bounty payout with the
> project. Someone here more familiar with our fundraising may have a better
> suggestion; but for low and infrequent amounts keeping it simple seems the
> best to me, perhaps with one-off non-targeted donations to the ASF as per
> https://www.apache.org/foundation/contributing.html

Sounds good. We'll apply non-targeted donations to the ASF directly by default. If any project would prefer to modify this default, we can do so according to their preferences.

> On behalf of the security committee I sent a message out to the PMCs of the
> projects you mentioned below. I've had responses so far from the HTTP Server
> project and Airflow, so we could start with those two.

Thank you Mark! Should I interpret "we could start with those two" as they are ready for inclusion in the IBB, or should we work with the PMCs on remaining details & questions?

Optional step: Our funding began in September, so we've got some flexibility to retroactively capture the past 2 months of CVEs for those projects. We spotted at least 4 CVEs that appear eligible.

(1) moderate: null pointer dereference in h2 fuzzing (CVE-2021-41524)
(2) moderate: mod_proxy_uwsgi out of bound read (CVE-2021-36160)
Both credited to LI ZHI XIN from NSFocus Security Team.

(3) moderate: Request splitting via HTTP/2 method injection and mod_proxy (CVE-2021-33193)
James Kettle of PortSwigger

(4) critical: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)
Ash Daulton along with the cPanel Security Team. We note that this appears to be an in-the-wild finding. Our stance is that it is eligible if there is no reason to believe the reporter was involved in an attack (e.g., they discovered it while responding to an incident and then responsibly reported the finding to the ASF).

If the HTTP Server team agrees, any of the above reporters can be made aware of the bounty with a short template:

"Thank you for this submission. If you are interested, this vulnerability should be eligible for a bounty award through the Internet Bug Bounty. Claim instructions can be found at: https://hackerone.com/ibb"

Thanks,
Alex & Kayla (IBB Team)