The and-httpd server has a $2,000 "security guarantee" (and.org) 23 points by andrewthornton 13y ago ↗ HN
[–] steve19 13y ago ↗ That page was last modified in 2006. It must have held up well against attacks or he would be broke by now! [–] autotravis 13y ago ↗ "The $2,000 is only available to the first person who provides a working attack"
[–] autotravis 13y ago ↗ "The $2,000 is only available to the first person who provides a working attack"
[–] dkhenry 13y ago ↗ I would look to find the last time the code was worked on, but there isn't even a code repository listed.
[–] andrewthornton 13y ago ↗ Here is the latest source for anyone with too much time on their hands: http://www.and.org/and-httpd/0.99.11/Last update from changelog is 2006-09-10 [–] naww 13y ago ↗ Files missing.
[–] dpkendal 13y ago ↗ This sort of thing is not new. I think the first one was qmail: http://cr.yp.to/qmail/guarantee.html followed shortly by djbdns: http://cr.yp.to/djbdns/guarantee.html (which was awarded in 2009: http://article.gmane.org/gmane.network.djbdns/13864)Dovecot also has a similar guarantee: http://dovecot.org/security.htmlAs does Mozilla: http://www.mozilla.org/security/bug-bounty.htmlEven Facebook is in on the game: http://www.facebook.com/whitehat/bounty/Bug bountying in general of course started with Donald Knuth: http://en.wikipedia.org/wiki/Knuth_reward_check and has recently become moderately popular as a strategy for increasing open-source code quality: http://www.daemonology.net/blog/2011-09-05-lessons-learned-f... [–] tete 13y ago ↗ And Chromium: http://www.chromium.org/Home/chromium-security/vulnerability...
[–] dkroy 13y ago ↗ How did this get to the front page when the last update to the source was 6 years ago? [–] mitchi 13y ago ↗ +1
[–] duked 13y ago ↗ I wanted to give it a try, had to look for the source (found it on sourceforge) tried to ./configure it requires a Vstr from the same website now need to look for the source ...It's not like they want you to try it :D
[–] josephlord 13y ago ↗ That isn't a guarantee it's a bounty. A guarantee would pay out to all affected customers. Affected probably would mean compromised by an attacker.
12 comments
[ 4.3 ms ] story [ 51.7 ms ] threadLast update from changelog is 2006-09-10
Dovecot also has a similar guarantee: http://dovecot.org/security.html
As does Mozilla: http://www.mozilla.org/security/bug-bounty.html
Even Facebook is in on the game: http://www.facebook.com/whitehat/bounty/
Bug bountying in general of course started with Donald Knuth: http://en.wikipedia.org/wiki/Knuth_reward_check and has recently become moderately popular as a strategy for increasing open-source code quality: http://www.daemonology.net/blog/2011-09-05-lessons-learned-f...
It's not like they want you to try it :D