It's interesting, but isn't a 10 BTC ($2500) prize too low to tell us anything about how secure this is?


Sadly, we're not so flush with cash that we can significantly up the prize, which was itself a donation from the user community. It was quite amusing when some kind users donated Bitcoins into the piñata though :-)

We really like the idea of continuing the self-service security bounties, irrespective of their size. One of the nice things about unikernels is that it makes it easy to link in logic like this -- in a conventional OS, it would mean faffing around with kernel modules in order to safely seal the Bitcoins away, whereas here it's just normal high-level language code.

Incidentally, we're working on exposing a C interface to the OCaml TLS stack so that it can be used as a normal shared library as well. The approach is to use the OCaml Ctypes library (which is normally used to bind to C libraries from OCaml), but deploy it in inverted mode. This means that we expose a C ABI from OCaml code instead.

See https://github.com/yallop/ocaml-ctypes-inverted-stubs-exampl... for an example that exposes a C parsing interface to the OCaml XMLM library. The TLS stack isn't much more complex, but is pending us looking into libtls that are easier to expose than OpenSSL's. The s2n release here is thus nice and timely...


Self-service security bounties seem like a very smart idea.

Would self-service security bounties enable a distributed bounty, where each site developer puts a relatively small bounty in his site and his bounty offers him a certain qualification in the eyes of customers, but from the hacker standpoint, if you hacked one, you hacked them all and hence you can collect multiple bounties?


Isn't that pretty much what we have already with things like OpenSSL? Find an exploit and suddenly you've exposed everyone. I don't think public bounties would change any of the dynamics around this situation.


With the current system, if you're using an exploit (especially for gain), you're a criminal. Not so when using Piñata.

Also, Piñata exposes all hacks in public, unlike today.


My point is that I don't believe any of the dynamics would actually change. White hats would still report issues (they're not necessarily doing it for the money) and nefarious types will still trade/sell exploits.


Agreed. I think they offered the bounty with that expectation. A quote from their blog:

"[...] security bounties can be a very effective way to show the presence of vulnerabilities, but they are hopelessly inadequate for showing their absence."


I don't know the answer to that question, but that's about two-thirds the price of a single billable day for cryptographic pentesting.


> It's interesting, but isn't a 10 BTC ($2500) prize too low to tell us anything about how secure this is?

No amount of prize money can ever really tell you how secure something is. We knew this before we announced it (see background at [1]).

[1] http://amirchaudhry.com/bitcoin-pinata/



