Newsletter Archives
-
EU is going to fund a bug bounty program for 7-Zip, KeePass, Notepad++, VLC Media Player and more
Bug bounty programs — where software bug catchers get rewarded for identifying security holes and disclosing them to the manufacturer — have proven popular and worthwhile, although they do have some downsides.
Bug bounty programs are usually carried out by software manufacturers, who pay to have a chance to fix their mistakes before the bad guys have a chance to clobber their products.
Folks who make open source software don’t have the same presumably-deep pockets as their commercial counterparts. When it comes to bug bounty programs, there’s no bounty to tap.
Enter the European Union. As part of the Free and Open Source Software Audit project, the EU will offer bug bounty programs for several Windows products I use all the time — 7-Zip, KeePass, Notepad++, VLC Media Player — and a bunch of products that I may use indirectly, including Apache Kafka, Apache Tomcat, Digital Signature Services (DSS), Drupal, Filezilla, FLUX TL, the GNU C Library (glibc), midPoint, PuTTY, the Symfony PHP framework, and WSO2.
As Catalin Cimpanu explains on ZDNet:
Starting with January, security researchers and security companies can hunt vulnerabilities in these open source projects and report them to the bug bounty programs… in the hopes of a monetary reward, if the bug report is approved and results in a patch.
-
Open source slammed in US government sponsored meeting
Last year, the US govt sponsored a meeting with Thai govt agency heads in Chiang Mai. In the meeting, the Microsoft rep “expressed concern over the [Thai government’s] Creative Economy policy of promoting the ‘open source’ software model over the ‘commercial source’ model as a means to curb piracy.”
In the same meeting, the Business Software Alliance rep “urged the [Thai government] not to favor open source over commercial source. He argued that (1) the open source model has been shown to have an insignificant impact on reducing software piracy; and (2) by focusing on an open source policy, the [Thai government] signals the market to stunt the development of commercial source software, which in turn undermines Thailand’s ability to fully service market needs.”
Our tax dollars at work, eh?
Wikileaks cable. See paragraphs 9 and 10.
-
Microsoft fesses up to stealing code
Remember the incident I told you about last week, where Microsoft got caught stealing open source code, and using it in one of their own products? The company has finally fessed up.
‘Softie Peter Galli writes:
After looking at the code in question, we are now able to confirm this was indeed the case, although it was not intentional on our part. While we had contracted with a third party to create the tool, we share responsibility as we did not catch it as part of our code review process.
I’m not sure what Peter means when he says “although it was not intentional on our part.” Of course it was intentional. Not in the sense that some high level Microsoft committee made a deliberate decision to steal source code. But definitely in the sense that the culture at Microsoft still – after all these years – emphasizes exigency over fair play.
As compensation, MS has agreed to release the program as an open source program. Well, OK, but then what?
Look at it this way. If, oh, Apple had stolen Microsoft source code – lifted it, copied it wholesale – and stuck it in an Apple product, what do you think would happen?
The fact that Microsoft stole from some poor programmer (or small group of programmers) who can’t afford an army of lawyers makes all the difference, eh?