hello, using a different mail service.. hopefully this will send it in TXT, not html, sorry.
https://www.openbsdfoundation.org/activities.html -> I can see that the money goes to: https://www.openbsd.org/hackathons.html and network/hardware/hosting/etc. But has anybody thought about having a security bug bounty for OpenBSD based on the money in the foundation? For responsible reporting. E.g.: 100 000 USD for an RCE on the default install of OpenBSD.

With a default OpenBSD install we have (examples of where to have RCE):

- running sshd on TCP port 22
- running ntpd, which is for clock sync
- running dhcpleased to get an IP (shellshock-like issues?)
- running slaacd to get IPv6
- running resolvd
- root can execute a "pkg_add -u" (can a MITM attacker get in via the update mechanism after a fresh default install?)
- root can execute a "fw_update"
- root can execute a "syspatch"
- root can execute a "sysupgrade"
- root can run a "tcpdump" (again MITM to inject a payload into the network which tcpdump catches and causes RCE?)
- user/root can execute an "ssh x.x.x.x"
- user/root can execute a "ping(6) x.x.x.x"
- user/root can execute a "dig foo.bar" or "host" cmd
- user/root can execute a "nc x.x.x.x"
- user/root can execute a "telnet x.x.x.x"
- user/root can execute a "showmount -e x.x.x.x"
- user/root can execute a "tcpbench x.x.x.x"
- user/root can execute an "arp -a"
- user/root can "mount" a remote (NFS) share
- user/root can search for "ldap" info
- user/root can print to a remote printer
- user/root can read mail via "mail"
- root can mount a remote iSCSI target
- root can start a VPN
- root can use bgp/etc.
- the running kernel, TCP/IP stack or other protocol, pf, etc. etc.

This probably won't have too many findings (since OpenBSD looks secure), so we don't have to worry about having 23 RCEs reported in the first year, IMHO. But it would still point out that we can trust that OpenBSD is really secure by default (maybe there would be even more donations to the foundation!).
PS: AFAIK https://www.zerodium.com/program.html doesn't disclose their security bugs, so they will be kept hidden for governments to use.

PS 2: if the foundation is legally limited for this kind of bounty task, is there any other way?

Great work! Thanks.