Crowd-sourced bug bounty platform Bugcrowd has launched a Crowdtilt fundraising campaign to pay for a thorough code audit of OpenSSL in the wake of the Heartbleed vulnerability disclosure.
“The Heartbleed vulnerability affected all of us, and the question that still remains is what other bugs still exist in OpenSSL that we don’t know about?” the campaign website states. “This is your opportunity as an Internet citizen or business to be a part of funding a focused crowdsourced security assessment to find the next Heartbleed.”
The ubiquitous OpenSSL library underpins two of the most widely used Web servers, Apache and nginx, as well as mail servers (SMTP, POP and IMAP), chat services (XMPP), SSL VPNs and any other software that links against the OpenSSL code library.
“We need to work together to ensure that the very systems we rely on for protection are not exposing us to danger,” wrote Bugcrowd’s Casey Johnellis in an open letter.
“While there has been an inspiring response to Heartbleed, with the Internet community educating and helping each other, the fact remains that this vulnerability was around for 2 years before it was discovered and fixed… That’s 2 full years of exposure to this issue, for you, for me, and for everyone.”
OpenSSL is free, open source software that anyone may use, and it is deployed by organizations from the Fortune 500 down to small businesses, but the code itself was written by volunteers, and the project does not have the funds to conduct thorough code reviews and vulnerability testing.
After Heartbleed was disclosed, Steve Marquess, President of the OpenSSL Software Foundation, said “we simply don’t have the funding for [a formal security review]. The funding we have is to support food and rent for people doing the most work on OpenSSL.”
That’s where this fundraising effort comes into play.
“We believe it is the responsibility of Internet users that rely on this service to address this. That’s pretty much everyone that uses the Internet, and definitely those that do business on it,” Johnellis continued.
“If we all decide to tackle this together, we can make a real difference and help protect ourselves for the future.”