On Wed, Jun 25, 2014 at 4:28 PM, Tyler Romeo <tylerro...@gmail.com> wrote:
>
> Therefore, I thought it may be beneficial to take that over to Wikipedia
> and start our own bug bounty program. Most likely, it would be strictly a
> hall of fame like structure where people would be recognized for submitting
> bug reports (maybe we could even use the OpenBadges extension *wink* *wink*).
> It would help by increasing the number of bugs (both security and
> non-security) that are found and reported to us.
>
> Any thoughts?


Some time ago I ran a number of public exercises testing various aspects of
Wikipedia. I ran into a number of issues:

1) It takes a lot of preparation and time spent to do well.
2) Essentially 100% of bugs reported by naive reporters are DUPLICATE,
WONTFIX, or are in the backlog of some feature already.
3) Reporting bugs directly in bugzilla creates a lot of noise and annoys
people who monitor traffic there. (Mozilla runs things like this from time
to time, from them I learned to have people report in a separate system
e.g. etherpad or email, and have someone triage and sort the reports before
creating Bugzilla tickets, see point 1) above.)

Google, who spends a lot of money doing stuff like this for security
exploits, narrows the circumstances radically:
http://www.chromium.org/Home/chromium-security/pwnium-4 .
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l