The Drupal project has just announced a bug bounty program where they’re offering sums between $50-1000 USD for anyone who finds and reports a security issue with Drupal 8:
Drupal 8 is nearing release, and with all the big architectural changes it brings, we want to ensure D8 upholds the same level of security as our previous releases. That’s where you come in!
The security team is using monies from the D8 Accelerate fund to pay for valid security issues found in Drupal 8, from now until August 31, 2015 (open to extension). This program is open for participation by anyone.
One thing to note, they’re only looking for Drupal 8 issues here, not problems in past editions (I’m sure they’d still appreciate them being reported though). There’s some stipulations they list where the vulnerability doesn’t count including someone with Administer level access and several other very specific kinds of issues. I’m assuming they’ve already run some pretty extensive testing on those, though, otherwise they would’ve been included in the list of allowed vulnerabilities.
A mention of the bug bounty was posted over on the /r/php subreddit earlier and there’s already some good feedback about it. There’s two points that I want to touch on as to why Drupal announcing this bounty is a major and important thing for the entire PHP community, not just Drupal.
First off, it sends a message to the wider world of developers that it’s time to take (PHP) security seriously. PHP’s had a less than stellar reputation when it comes to security. Fortunately it seems like things are getting better and more developers are working towards building secure applications. Security is a hot topic everywhere, not just in development communities and it’s starting to rub off on PHP devs. This bold move from the Drupal organization takes that up to the next level. It’s essentially telling everyone that uses Drupal or has any kind of contact with it, that they’re taking the security of their systems seriously and are “putting their money where their mouth is” to encourage as much participation as possible.
Bold moves like this are what get people’s attention too, even people not in the PHP community. Bug bounties have become a pretty common place thing in the security world, for software and hardware alike. By posting this bounty Drupal has shown that they (and vicariously PHP) are ready to move up and join with the security community as a whole to make their software more secure. Not only does this look good for Drupal but it looks good for PHP too, elevating the status of the language back to a “major contender” in the security circles.
Second, it helps pave the way for other projects to do the same. Most PHP projects tend to be smaller, not only in size but in complexity. There’s only a handful that most PHP developers can immediately list that are larger and have really stood the test of time. Keep in mind, I’m not talking about corporate applications or services here. I’m talking about PHP-based applications like Drupal, WordPress or Joomla that can be used as a platform to build other things. For the most part, their PHP brethren trend more towards the smaller side. Some of the most popular packages on Packagist are smaller libraries and frameworks, not applications as a whole.
There are some larger projects, though. Frameworks like the Zend Framework and Symfony have put their own emphasis on security, having internal groups or just contributors handling the vulnerability discovery and disclosure. Drupal has done things similarly in the past, but with the posting of this bounty, they’ve set a precedent for other projects to follow. It’s an unfortunate fact but in the Real World, time spent on a project (that’s not for work) falls into two categories:
- You do it for passion, either because the project is “yours” and you want to see it thrive or
- You do it because you’ll get something back out of it, either financial or in terms of much needed features
Bug bounties, pretty obviously, fall into that second category. Being able to pay out that financial compensation for work done bug hunting could be enough to tip people over from the “eh, I could” mentality to the “that’s worth my time” world. Don’t get me wrong, I’m not saying that developers are only interested in the money…far from it. I’m only saying that bounties like this gather more attention and show that the project believes in itself enough to have people commit time, either free or for work, to hunting down bugs.
I do want to touch on a third (bonus!) point too, while I have you here. While bounties like this are good for projects that have a budget, it sort of rules it out for those smaller projects where it’s just a one person team (or just a few people). In general these kinds of projects have little to no budget associated with them and don’t have spare cash on hand to pay out for bugs found or fixed. Unfortunately, there’s not too much in the way of options on this one. I’ve seen differing opinions on the payout amounts too. Some people think that the payout should relate to the severity of the bug, but the project just may not be able to afford that. People could feel slighted by the low compensation for their time which could in turn reflect poorly on the project overall. It’s a tough line…
There is one option out there that might be a good fit for your smaller project, though. The Bountysource.com site has integrated an interesting concept of a “fundraiser” for open source projects. The idea is that a project could raise the finds in a Kickstarter-like fashion and use it to pay out bounties (or really however they might see fit). While it’s a good idea in theory, smaller projects that don’t have much exposure are still going to have a hard time raising any funds to make the bounties a realistic thing.
I don’t have a good answer here, unfortunately. I think with so much of the PHP world turing to smaller packages, it’s a tough problem to figure out. I’m all ears if you can think of any other options or even services that might help. I’d love to help make bug bounties a more wide-spread thing in the PHP world. I feel like, done correctly, they can only help to make the PHP ecosystem a better, more secure place.
A fourth benefit is Drupal 8 comprises many other php libraries, so these are getting some eyeballs too, of note the symfony CMF routing, which is used in several php frameworks
An excellent point 🙂 I didn’t even think of that….it’s a nice side benefit.
Please update the email address for the Drupal Security Team, it’s email@example.com. You have the text “them being reported” linking to firstname.lastname@example.org which will bounce.
Oops! Thanks – it’s updated.
Re: Drupal — Totally agreement here.
Re: Bug Bounties — crowdsourcing is half of the equation, motivating people to contribute is the other half. I think vulnerability disclosures can be leveraged for this purpose, if handled carefully. Look what HeartBleed did for OpenSSL. For smaller projects with no funding source, there is no easy and ethical way to get free labor from the exceptionally talented security folks.
The best you can do is to become an expert yourself. (That’s why Paragon Initiative has that application security reading list on Github. We need more security experts.)
Nice move from Drupal! There are other popular PHP Enterprise applications that offer a bug bounty program, for example Piwik who was one of the first: http://piwik.org/security/