Pentagon Is Far Too Tight With Its Security Bug Bounties

Discovering and reporting critical security flaws that could allow foreign spies to steal sensitive US government data or launch cyberattacks via the Department of Defense's IT systems doesn't carry a high reward. The Register reports: The Pentagon, in its most recent week-long Hack US program conducted with HackerOne, paid out $75,000 in bug bounties and another $35,000 in bonuses and awards to ethical hackers who disclosed critical- and high-severity vulnerabilities in Uncle Sam's networks. [...] According to bug bounty platform HackerOne and the DoD, the Hack US initiative received 648 submissions from 267 security researchers who uncovered 349 security holes. Information disclosure flaws were the most commonly reported vulnerabilities, followed by improper access controls and SQL injection. The Pentagon didn't say how many bug hunters received rewards, or how much they each earned. However, in announcing the contest earlier this year, it pledged to pay $500 or more for high-severity flaws, $1,000 for critical holes, and as much as $5,000 for specific achievements, such as $3,000 for the best finding for *.army.mil. Meanwhile, Microsoft paid $13.7 million in bug rewards spread out over 335 researchers last year, with a $200,000 Hyper-V Bounty payout as its biggest prize. And Google awarded $8.7 million during 2021. [...] It's also worth noting that the DoD's pilot vulnerability disclosure program, which ended in April, didn't pay any monetary rewards. So at least Hack US, with its paid (albeit measly) bug bounties, is a step up from that. "The most successful bug bounty programs strike an even balance between monetary and social benefits," Google's Eduardo Vela, who leads the Product Security Response Team, told The Register. "For bug hunters, there must be a monetary incentive to get them to participate -- but, there's also value in creating a space where folks can get together, connect with one another, and hack as a team. Bringing together the top bug hunters requires both -- one without the other is not enough."

Read more of this story at Slashdot.

Tumblr Is Never Going Back To Porn

An anonymous reader quotes a report from The Verge: Automattic CEO Matt Mullenweg would like you to please stop asking Tumblr to bring back porn because it isn't going to happen. After widespread and inaccurate speculation that Tumblr would lift its ban on adult content, Mullenweg posted a long explanation yesterday of why Tumblr will never go back to the old days. Or, in his words: "the casually porn-friendly era of the early internet is currently impossible." That doesn't mean Tumblr's policies will stay the same. Mullenweg has said before that Automattic (which bought Tumblr in 2019) wants to loosen the rules its old owner Verizon implemented in 2018, and he reiterated that here, echoing comments he made earlier this week. Verizon's ban "took out not only porn but also a ton of art and artists," Mullenweg wrote in his post. "This policy is currently still in place, though the Tumblr and Automattic teams are working to make it more open and common-sense." Tumblr is supposed to implement those policies soon, putting the site more in line with Automattic's WordPress.com blogging platform. "That said, no modern internet service in 2022 can have the rules that Tumblr did in 2007," Mullenweg wrote, quoting Tumblr's old liberal policy slogan. (If you're wondering, it was "go nuts, show nuts.") "I agree with 'go nuts, show nuts' in principle, but the casually porn-friendly era of the early internet is currently impossible." On Tumblr, that era helped produce a lot of unique, often queer, blogs with sexual content. The 2018 ban changed the tenor of the site for good -- and this week, many users were enthusiastically but prematurely celebrating its end. Why is returning to that era impossible? For now, it's largely because of intermediaries that play a massive role in how people access the web. Payment processors have long been leery of adult content, and they've stepped up enforcement in recent years, in part because of concerns about child abuse and nonconsensual pornography. Apple's iOS App Store has been staunchly opposed to it since launch. And without those two pieces of infrastructure, running a for-profit site is incredibly difficult. "If Apple permanently banned Tumblr from the App Store, we'd probably have to shut the service down," Mullenweg noted. Some nonprofit sites that do allow things like explicit artwork -- primarily the Archive of Our Own fanworks site -- have remained persistently web-only despite years of requests for apps. [...] If you reached this article through Twitter or Reddit, you might have a fairly obvious question right now, and Mullenweg raises it: why can both those platforms, fairly unusually for modern social networks, allow a lot of porn? "Ask Apple, because I don't know," says Mullenweg. He speculates that Tumblr and Reddit are both too big to ban -- although Apple has forced moderation changes even for giant services like Facebook. The overall upshot, to Mullenweg, is this: "If you wanted to start an adult social network in 2022, you'd need to be web-only on iOS and side-load on Android, take payment in crypto, have a way to convert crypto to fiat for business operations without being blocked, do a ton of work in age and identity verification and compliance so you don't go to jail, protect all of that identity information so you don't dox your users, and make a ton of money. I do hope that a dedicated service or company is started that will replace what people used to get from porn on Tumblr. It may already exist and I don't know about it. They'll have an uphill battle under current regimes, and if you think that's a bad thing please try to change the regimes. Don't attack companies following legal and business realities as they exist."