Node.js - Internet Bug Bounty 2.0 Invite

[mhdawson]

A number of those involved in the Node.js participation in the existing Bug Bounty program received this yesterday:

Hi, Node.js team!

I'm Kayla, Senior Security Technologist at HackerOne, and I’m taking over from
Reed as the HackerOne lead for Internet Bug Bounty (IBB) moving forward. I'm
here to support you in anything related to the program as your primary point of
contact.

As you know, the Internet Bug Bounty was created with the goal of helping to
secure the critical open source infrastructure. Over the past 5 years, we hope
we've had a modest impact here, but we've also learned a lot and there's a lot
more work to be done. I am reaching out today to provide an overview of the
upcoming refresh of the IBB (codenamed IBB 2.0), and ultimately to invite
Node.js to take part!

We have two key goals for this refresh:

First, we want to create a more sustainable operating model. That specifically
means a more inclusive approach to sponsorship and a more efficient workflow for
projects and the program.

Second, we want to start providing monetary support to the maintainers that do
the heavy-lifting of vulnerability triage & remediation.

I’ve attached an overview with additional details and would love to hear your
feedback. And to wrap it back around to my initial invite, are you interested in
participating in the IBB 2.0 pilot program?

Thank you for your time and commitment. I look forward to receiving your input!
--

Respectfully,

Kayla Underkoffler
HackerOne
Senior Security Technologist

We'll need to discuss and come up with an answer in terms of participating in the IBB 2.0 pilot.

Internet Bug Bounty 2.0 - Project and Partner.pdf

[mcollina]

I'm in favor of enrolling into this pilot. We would need to determine who will receive the funds for the project.

[Trott]

I'm in favor of enrolling into this pilot. We would need to determine who will receive the funds for the project.

I guess the obvious place is to have it go to the foundation, but I'm open to more creative ideas. I imagine we'd want to run whatever we want by the CPC.

[DerekNonGeneric]

Second, we want to start providing monetary support to the maintainers that do
the heavy-lifting of vulnerability triage & remediation.

How are the maintainers going to get paid if the funds go to the foundation?

I imagine we'd want to run whatever we want by the CPC.

I don't see what the CPC has to with this.

[Trott]

How are the maintainers going to get paid if the funds go to the foundation?

They're not and that's perhaps an argument for not enrolling in this pilot (although I'm not opposed to enrolling anyway). Paying maintainers directly (when there's a decent-sized group involved) encounters a lot of intractable-seeming problems. Read, for example, @boneskull's experience trying to spend the $12,000/year MochaJS was pulling in at one point (starting at 00:28:04.03 in the transcript). That's just one example, but he mentions other projects too and it's a recurring theme if you peruse the resources Nadia Eghbal has gathered in https://github.com/nayafia/awesome-maintainers/.

Most of the people that can reasonably be tapped to work on security fixes and triage in the HackerOne Node.js program are paid by their employers to work on Node.js. Paying them additional funds for work they are already being paid to do by their employers seems problematic, and introduces ethical and possibly legal questions. And we haven't even gotten into the perverse incentives.

What might work though is giving the money to the foundation to defray the cost that the foundation is paying for the Trail of Bits folks to work on security stuff. Although I guess if the Foundation is the primary funder of the bug bounty program (are they?) then that would mean the foundation is effectively paying itself which doesn't make a whole lot of sense. ¯\(ツ)/¯ Also, whether that kind of thing fits with or undermines the purpose of the HackerOne initiative is something HackerOne would have to say.

I don't see what the CPC has to with this.

I don't think the TSC generally handles money without getting legal and other consultation from the foundation, and our liaison to the foundation is the CPC (as I understand it, at least).

[Trott]

If the OpenJS Foundation doesn't make sense, we could do this (from the PDF Michael shared):

What if our project does not have a way, or does not wish to receive donations?

The funds will be provided to The Open Source Security Foundation in support of their work towards vulnerability disclosures.

I'm neutral on doing this pilot. I like the intent and I think experimenting is generally worthwhile. On the other hand, I don't think it's going to make much of a difference for us (but might be a better fit for other proejcts) and so maybe we're better off focusing our energies on other things.

TL;DR: I can't tell if this program is free-as-in-beer or free-as-in-puppy.

[rice]

(hope y'all don't mind me chiming in here!)

Appreciate the thoughtful discussion on this point -- how to effectively support projects is the most critical point for us to receive feedback on. We respect that there are complicated and potentially toxic consequences to thoughtlessly throwing dollars into the mix. We ultimately decided to experiment with it as a component in this pilot as it became clear that it was necessary for some projects. We hope it can play a small part in helping, but may very well be wrong.

Some themes we've heard from across other projects so far are earmarking toward a general fund (indirect support), toward security tooling (paying fuzzing infra costs in particular), and personal sponsorship of volunteer maintainers (only observed in small 1 & 2 maintainer projects so far).

[mhdawson]

I personally think the ecosystem need ways where there is support for fixing problems in addition to just finding/reporting them. For that reason I was happy to see $ for maintainers as part of this pilot.

As a project we might be able to be creative with respect to how to use the $ to support our efforts. For example maybe we can award it to reporters who come with a solution instead of just a problem report, contributors who don't have a conflict, and for external support (along the lines of what we are getting from the OSSF as a pilot), or if none of that works back to the foundation to support future infrastructure etc.

[Trott]

@rice Is there a date by which we should determine whether or not we wish to participate in the pilot?

[rice]

@Trott - Within the next several weeks would be ideal. Project is targeting an end of September launch.

[danbev]

Most (perhaps all?) of the people that can reasonably be tapped to work on security fixes and triage in the HackerOne Node.js program are paid by their employers to work on Node.js. I don't see how paying them additional funds for work they are already being paid to do by their employers gets us anywhere,

I can't speak for everyone but in my case while I do get paid to work on Node.js security it is not that I'm allowed to spend any amount of time on it. The problem I have is that I see new issues come in and I would like to take a look at them but that might not be a priority at work at that point in time. Instead I have to catch up with this later on when a release has to go out. I'd much rather spend the time initially and be on top of things instead working this way. If my employer (Red Hat/IBM in my case) got a discount on their foundation membership/sponsorship with the motivation that this is for allowing employees to dedicate more time to security work, I think that would make it more visible internally and motivate the time being spent and perhaps allow for more dedicated time.

[Trott]

If my employer (Red Hat/IBM in my case) got a discount on their foundation membership/sponsorship with the motivation that this is for allowing employees to dedicate more time to security work, I think that would make it more visible internally and motivate the time being spent and perhaps allow for more dedicated time.

I'm not sure there aren't practical/legal obstacles to that, but if we can make that happen, I'd support it.

[mhdawson]

In terms of getting an answer to Kayla I'm in favor of enrolling as well. We will have to figure out how what/we do with funds that are available for maintainers but I think it's a good problem to have. It also will preserve our ability to pay bounties to reporters which I believe the project has appreciated being able to do under the previous program.

I think I see 3 TSC members including myself so far expressing support and one that is neutral. @nodejs/tsc is there anybody who objects to enrolling? If so please comment. If on the other hand you support enrolling but have not chimed in please do that as well.

[mhdawson]

@rice we confirmed today in the TSC meeting that we have consensus for a "Yes we'd like to participate" answer. I'll also reply to Kayla's email.