Colin Percival is the Security Officer and a member of the Core team for the FreeBSD Project, and the founder and sole developer of Tarsnap Backup Inc. As an occasional cryptographer, he is probably best known for demonstrating in 2005 that RSA private keys could be stolen via a side channel in Intel's "HyperThreading" CPUs and his publication in 2009 of the "scrypt" key derivation function. Colin is a resident of Vancouver, Canada, and holds a B.Sc. in Mathematics from Simon Fraser University and a D.Phil. in Computing from Oxford University.
Crowdsourcing security: Lessons in open code and bug bounties
Advocates of open source software often claim that the public availability of source code gives them a security advantage: "Given enough eyeballs, all bugs are shallow," according to Eric S. Raymond. While it is clear that the world has no shortage of eyeballs, it is far from clear that they are being usefully employed; and the putative security benefits of open source code evaporate if nobody takes advantage of the opportunity to read the source code with which they are provided.
In this talk I will draw upon my experiences with a large open source project (FreeBSD) and running a bug bounty program at a small commercial project (Tarsnap) to offer advice on how to maximize the likelihood that security vulnerabilities are found and reported.
Copyright © 2012 The University of Queensland, authorised by AusCERT Program Committee, maintained by: firstname.lastname@example.org