[midPoint] Blog: MidPoint Went Through EU FOSSA2 Bug Bounty

Radovan Semancik radovan.semancik at evolveum.com
Wed Nov 20 16:16:50 CET 2019


Dear MidPoint community,

MidPoint was a part of the EU-Free and Open Source Software Auditing 
(EU-FOSSA2) bug bounty program. This was a unique experience in many 
ways. There were many surprises along the way and it was far from being 
easy. But we have gone through that and in the end it was extremely 
useful. It has made midPoint stronger and more secure.

The very first surprise was that midPoint was included in the bug bounty 
program at all. That was quite unexpected and I would like to thank all 
the people that have decided to make midPoint part of this program. Here 
it was, an unexpected opportunity to improve midPoint security. That is 
not something that we would turn down. Therefore we have agreed to 
participate although we had no idea what to expect. And almost 
immediately there was another surprise: from the very beginning the 
program was conducted in a very professional way. We were briefed about 
the program before any work started. There was a restricted lead-in 
period to get used to the program. And even though this was our first 
bug bounty program and it took some time for us to get used to it, the 
HackerOne <https://www.hackerone.com/> staff was always supportive and 
willing to help, tolerating all the confusion that we might have caused.

I have to admit that at first I was quite skeptical about the results of 
the program. MidPoint is a substantial and complex piece of software and 
it takes a lot of time to understand the mechanisms. I thought that 
hackers and triage engineers had very slim chances to get used to 
midPoint in the few months that were available for the program. But 
there was another surprise. They did it. The majority of the reports were 
good, useful and valid. Some of those reports came from people that 
already knew midPoint. Which was quite expected. But there was a 
surprising number of reports that came from first-time midPoint users.

Each of the reports went through a triage before the report got to the 
midPoint development team. The triage team did a great job of validating 
the reports. The communication was always respectful and professional. 
The quality of the triage certainly exceeded my expectations. Even 
though we sometimes got lost in the reports and states and processes, 
the HackerOne staff kept patiently and politely reminding us – even 
after the official end of the program. The program took a lot of time and 
effort to go through, but at the end it was a very pleasant and useful 
experience.

There was (and perhaps still is) some controversy regarding the bug 
bounty program. The program rewards the hackers that discover a problem, 
but it does not reward the developers that fix it. This is certainly an 
issue that should be addressed and I would love to see a program that 
could reward both the hacker and the developer. But as such a program is 
not available I happily take what is offered. I strongly believe that 
security issues always have to be fixed – regardless of the 
circumstances that lead to their discovery. We offer commercial 
subscription and support services for midPoint. But we have always fixed 
security issues reported by subscribers and non-subscribers alike. And 
we will always do that. A software project that is not able to fix 
security issues is as good as dead.

On the other hand, there are always attempts to misuse the goodwill of open 
source developers. The important thing is to distinguish a security 
issue from an improvement or feature request. The boundary may be quite 
fuzzy when it comes to a security-related system such as an IDM system. 
And in fact we had to refuse a couple of reports on the grounds that 
they were feature requests rather than security bug reports. However, 
overall the experience of the bug bounty program was a very good one. A 
lot of useful work was done and midPoint is now more secure than ever. 
And that is the most important thing that matters for the whole community.

(Reposted from Evolveum blog 
<https://evolveum.com/midpoint-went-through-eu-fossa2-bug-bounty/>)

-- 

Radovan Semancik
Software Architect
evolveum.com
