Bugcrowd has kicked off a crowdfunding initiative to raise money for a sprint bounty for OpenSSL. The thinking is that OpenSSL is hugely resource constrained and hasn't been able to engage professional security testers. Internet users and businesses that rely on OpenSSL should help solve this problem. Many won't have the time or skills to start security testing OpenSSL themselves, but they could potentially contribute to a fund that would then be used to run a sprint bounty, encouraging security researchers and testers from around the world to dedicate their time to the endeavor. The goal is to make the internet a safer place, and I agree that's a pretty decent goal, so we're supporting the initiative and sharing Bugcrowd's letter to the internet below.
If you use the internet (ahem), you might also want to consider getting involved. Please do consider sharing the letter and making a contribution to the fund.
Dear Internet Users,
OpenSSL is the software that you rely on to keep you secure on the Internet. It’s everywhere, from banking websites to the router in your home, and it’s quite likely on the computer you’re sitting at right now.
In April 2014, a vulnerability was disclosed in OpenSSL that affects hundreds of millions of systems, devices, and users. The “Heartbleed” bug is unprecedented in the scope of its impact, with the vast majority of businesses and individuals exposed to the effects of this vulnerability.
We need to work together to ensure that the very systems we rely on for protection are not exposing us to danger.
While there has been an inspiring response to Heartbleed, with the Internet community educating and helping each other, the fact remains that this vulnerability was around for 2 years before it was discovered and fixed… That’s 2 full years of exposure to this issue, for you, for me, and for everyone.
This begs the question… What other bugs still exist in OpenSSL that we don’t know about?
The challenge is that OpenSSL is a free, open source offering. It relies on a small team of dedicated developers that make sacrifices to maintain it in the belief that they are providing a necessary and valuable service to the global online community. While a majority of businesses around the world rely on it every day to secure the services they run internally and externally, resources are highly constrained and extensive testing has not been possible.
Following the Heartbleed disclosure, Steve Marquess, the President of the OpenSSL Software Foundation, explained: “We simply don’t have the funding for that [a formal security review]. The funding we have is to support food and rent for people doing the most work on OpenSSL.”
We believe it is the responsibility of Internet users that rely on this service to address this. That’s pretty much everyone that uses the Internet, and definitely those that do business on it. If we all decide to tackle this together, we can make a real difference and help protect ourselves for the future.
Through a Crowdtilt crowdfunding campaign, we will raise money that will encourage crowdsourced security testing, so we can root out any other vulnerabilities in OpenSSL. Not every Internet user can contribute code or security testing skills to OpenSSL, but with a very minor donation to the fund, everyone can play a part in making the Internet safer.
We believe everyone should have the opportunity to participate, so there’s no minimum contribution, and no maximum either. Those who contribute will be credited according to the level of their contribution, and acknowledged as being a part of this historic effort. 100% of what is raised will be offered to the security research community.
Think of it this way… if every individual puts in the money they save on transport by banking online just once, that would be a fantastic start. If every bank also put in the money they save through their customers banking online, then we could really do something amazing. All donors will be credited as Defenders of the Internet, and sponsorships over $5,000 will be specially called out.
Security crowdsourcing company Bugcrowd will organize a “sprint bounty”, coordinating and incentivising the security research community to thoroughly test OpenSSL for potential security concerns. Bugcrowd will cover all its own expenses, leaving the full funds raised for the bounty. The program will be open to any security researcher who wants to participate, as well as those who may already be aware of vulnerabilities in OpenSSL.
Sprint bounties are similar to the bounty programs that Google, Facebook and Microsoft run with a few key
- Sprint bounties have a set disclosure period, instead of running as an ongoing project that researchers can participate in whenever they choose,
- Sprint bounties have a predictable pattern of rewards, rather than an open and somewhat unpredictable reward scheme, and
- Sprint bounties work within a capped budget. 100% of what is raised in the Crowdtilt campaign will be offered to the security researcher community. Any funds not paid out in bounty rewards will be provided to the OpenSSL Software Foundation.
How can you help?
- By sharing this letter with everyone you know who is concerned by the impact of Heartbleed on their business, themselves personally, or their families,
- By sponsoring the crowdfunded bounty via the Crowdtilt page we have set up,
- By encouraging the companies you interact with online to donate to the bounty, and
- By sharing the news of this initiative on social media, your blog, friends in the press… Any way you think will get the word out.
- If you’re a security researcher who wants to participate, head to https://bugcrowd.com and create an account. We will let you know in advance before the bounty starts.
We appreciate your support in advance. Together let’s make the Internet a safer place.
The Bugcrowd team and Internet users around the world.
For more information, please tweet at @bugcrowd