Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2018/12/31 10:43:31 UTC
EU FOSSA 3 bug bounty program announced
All,
The EU has announced [1] the bug bounty program for Apache Tomcat and it
has been picked up by several media outlets [2],[3].
If you haven't already read it, I highly recommend reading the ASF's
take on FOSSA 1 [4].
There have been some private discussions between the Tomcat PMC and
intigriti (the company that will run the Tomcat bug bounty program for
the EU). Now that this has been announced, my expectation is that
further discussions will be on the dev@ list.
The short version of the discussions so far is:
- intigriti will perform triage and only pass validated issues to the
Tomcat security team
- intigriti will use our standard vulnerability reporting process with
the only difference being that intigriti reports the issue rather than
the OP and intigriti handles the communication with the OP
- only issues given a CVE will be eligible for a bounty
- the Tomcat security team determines if a CVE is required
- Vulnerabilities in Tomcat 9.0.x, 8.5.x, 7.0.x, Connectors 1.2.x and
Native 1.2.x will be eligible
- Foundation wide resources used by the project (Bugzilla, svn, etc.)
and external services (POEditor.com, github, etc.) are all out of
scope
I don't see anything on intigriti's site for this yet. I imagine that,
now that the EU has announced this, it will appear fairly soon.
Mark
[1] https://juliareda.eu/2018/12/eu-fossa-bug-bounties/
[2] https://www.zdnet.com/article/eu-to-fund-bug-bounty-programs-for-14-open-source-projects-starting-january-2019/
[3] https://www.forbes.com/sites/federicoguerrini/2018/12/30/eu-to-offer-almost-1m-in-bug-bounties-on-open-source-software
[4] https://blogs.apache.org/foundation/entry/free_and_open_source_security