How a startup wants to help secure the open source ecosystem with huntr, a bug bounty board
This article is a guest post from 418sec co-founders Adam Nygate, Jake Mimoni, and Jamie Slome.
Dependency on open source code has grown over the years, and as new open source technologies are introduced, so are more vulnerabilities. Review by “many eyes” helps secure open source software, and depends on exposing the code to as many developers as possible. The idea is that the many eyes reviewing code will help catch and prevent security problems before they can affect organizations that use the code and build on top of it.
Still, the many eyes concentrate on a small subset of open source code and on projects with direct corporate sponsorship, leaving the majority of the open source ecosystem potentially less secure. One way we may help improve open source software security is by incentivizing open source software developers to look at packages across the ecosystem, which is part of the mission of 418sec.
Our team has experience with a variety of organizations, from start-ups to governments. We’ve searched for better security solutions and realized that current attempts to solve open source software security problems fall short.
Generally speaking, people try to address open source software security issues in three ways:
- Open source feature request platforms: These allow companies to pay developers to build new features for specific open source projects.
- Open source “antivirus” solutions: These are complex CI/CD tools that scan for known vulnerabilities, but don’t always provide solutions.
- Open source sponsorship programs: These are monthly subscriptions that support specific pieces of open source code, but they aren’t tied to deliverables. Thus, many organizations are left hoping that the open source community will provide support when needed.
We felt these solutions were not enough, so we decided to build upon the shoulders of giants and come up with alternatives.
What is huntr?
Launched in early 2020, huntr is a bug bounty board for securing open source code, and a way to help members of the open source community disclose and fix software security issues and get paid to do it. We collaborate with organizations that let us know which open source programs they depend on; the vulnerabilities are then turned into bounties, and we begin actively engaging with the open source community to resolve the security issues.
Developers download the code and develop a security fix; after we approve the fix, they receive the reward. Currently the cash reward is $25, but we are experimenting with bounty pricing. You can read about the experience from a developer’s perspective in this recent participant blog post, “Bug bounties from the other end.”
In addition to receiving a bounty, developers are recognized by us through our social media channels and in GitHub, and at the end of each month we will choose our top huntr to feature in a blog post. The best of the bug hunters will have a chance to become a sheriff, which means that they can get paid to review other developers’ bug fixes.
Since huntr launched, more than 60% of issues have been fixed, fixes are being adopted by the wider open source community, and the huntr community is growing.
How AWS credits help
Amazon Web Services (AWS) has helped by providing us with promotional credits through AWS Activate, a free program specifically designed for startups and early stage entrepreneurs. The credits and AWS Activate have helped free up our limited capital to give back to the community and provided a platform of tools and services that have been instrumental in helping us on our mission.
Huntr is a Nuxt.js-based single page application that sits nicely upon Amazon Simple Storage Service (Amazon S3) and is served to our users via Amazon CloudFront. It talks to our GraphQL API (powered by AWS AppSync), which enables transactions to our data services and to a fleet of AWS Lambda functions that help us interact with third-party services.
We use Amazon Aurora Serverless and Amazon DynamoDB for all of our data needs, providing us with a responsive website and fast reads required for another of our tools that helps organizations scan their code base for open source issues.
This whole environment is iterated upon daily, based on user feedback and our tech roadmap, and is orchestrated by AWS Amplify, which controls our CI and ensures that each deployment runs smoothly. Thanks to all of these services, we were able to deliver our initial iteration of huntr in just two weeks.
How to get involved
In addition to support from AWS, we are looking for more organizations to sponsor or get involved with huntr, not only to help secure the open source ecosystem, but also to ensure that heavily relied-on open source packages are being secured. To learn more, reach out to us at firstname.lastname@example.org, follow 418sec on Twitter, and find 418sec on GitHub.
To learn more about how to get paid to secure open source code, visit https://huntr.dev.
The content and opinions in this post are those of the third-party author and AWS is not responsible for the content or accuracy of this post.