Paying to find bugs, but not fix them, nor for other needed maintenance and development, is not good for libre software

(Via HongPong) https://twitter.com/aionescu/status/1080945478059970560 (retweeted by "serious political scientist") Alex Ionescu @aionescu, 6 hours ago:

Continuing the lop-sided inverted economical incentives that reward breaking software instead of building software… totally agree with @duosec here. I see entire countries where kids learn how to hack but not build. At some point this will break CS

Alex Ionescu @aionescu, 6 hours ago:

I see @k8em0 is credited in there as well so just a shout out for providing some excellent commentary in there.

https://duo.com/decipher/open-source-software-needs-funding-not-bug-bounty-programs

(The article does fail to mention that Drupal, at least, has a well-established system for submitting security bugs to a non-public issue queue, and an excellent volunteer security team to look at them. And generally it completely overblows the differences between “commercial” and “open source” software, making generalizations that may not even be true as generalizations. Proprietary software can also be under-resourced, can have public forums or issue queues and no obvious way to submit a security issue privately, can have multiple projects from one stream — and might be more likely to be using out-of-date versions of… libre software, embedded in their proprietary projects. And I’m pretty sure that they at least checked with the projects they picked that they know where to submit the bugs, and that it’s not public.)