All,

The EU has announced [1] the bug bounty program for Apache Tomcat and it has been picked up by several media outlets [2],[3].

If you haven't already read it, I highly recommend reading the ASF's take on FOSSA 1 [4].

There have been some private discussions between the Tomcat PMC and intigriti (the company that will run the Tomcat bug bounty program for the EU). Now that this has been announced, my expectation is that further discussions will be on the dev@ list.

The short version of the discussions so far is:

- intigriti will perform triage and only pass validated issues to the Tomcat security team
- intigriti will use our standard vulnerability reporting process, with the only difference being that intigriti reports the issue rather than the OP and intigriti handles the communication with the OP
- only issues given a CVE will be eligible for a bounty
- the Tomcat security team determines if a CVE is required
- Vulnerabilities in Tomcat 9.0.x, 8.5.x, 7.0.x, Connectors 1.2.x and Native 1.2.x will be eligible
- Foundation-wide resources used by the project (Bugzilla, svn, etc.) and external services (POEditor.com, github, etc.) are all out of scope

I don't see anything on intigriti's site for this yet. I imagine that now the EU has announced this, that will appear fairly soon.

Mark

[1] https://juliareda.eu/2018/12/eu-fossa-bug-bounties/
[2] https://www.zdnet.com/article/eu-to-fund-bug-bounty-programs-for-14-open-source-projects-starting-january-2019/
[3] https://www.forbes.com/sites/federicoguerrini/2018/12/30/eu-to-offer-almost-1m-in-bug-bounties-on-open-source-software
[4] https://blogs.apache.org/foundation/entry/free_and_open_source_security