MidPoint was a part of EU-Free and Open Source Software Auditing (EU-FOSSA2) bug bounty program. This was an unique experience in many ways. There were many surprises along the way and it was far from being easy. But we have gone through that and in the end it was extremely useful. It has made midPoint stronger and more secure.
The very first surprise was that midPoint was included in the bug bounty program at all. That was quite unexpected and I would like to thank all the people that have decided to make midPoint part of this program. Here it was, an unexpected opportunity to improve midPoint security. That is not something that we would turn down. Therefore we have agreed to participate although we had no idea what to expect. And almost immediately there was another surprise: from the very beginning the program was conducted in a very professional way. We were briefed about the program before any work started. There was a restricted lead-in period to get used to the program. And even though this was our first bug bounty program and it took some time for us to get used to it, the HackerOne staff was always supportive and willing to help, tolerating all the confusion that we might have caused.
I have to admit that at first I was quite skeptic about the results of the program. MidPoint is a substantial and complex piece of software and it takes a lot of time to understand the mechanisms. I thought that hackers and triage engineers have a very slim chances to get used to midPoint in the few months that were available for the program. But there was another surprise. They did it. Majority of the reports were good, useful and valid. Some of those reports came from people that already knew midPoint. Which was quite expected. But there was a surprising number of reports that came from first-time midPoint users.
Each of the report went through a triage before the report got to midPoint development team. The triage team did a great job of validating the reports. The communication was always respectful and professional. The quality of the triage certainly exceeded my expectations. Even though we sometimes got lost in the reports and states and processes, the HackerOne staff kept patiently and politely reminding us – even after the official end of the program.The program took a lot of time and effort to go through, but at the end it was a very pleasant and useful experience.
There was (and perhaps still is) some controversy regarding the bug bounty program. The program rewards the hackers that discover a problem, but it does not reward the developers that fix it. This is certainly an issues that should be addressed and I would love to see a program that could reward both the hacker and the developer. But as such program is not available I happily take what is offered. I strongly believe that security issues always have to be fixed – regardless of the circumstances that lead to their discovery. We offer commercial subscription and support services for midPoint. But we have always fixed security issues reported by subscribers and non-subscribers alike. And we will always do that. Software project that is not able to fix security issues is as good as dead.
On the other hand, there are always attempts to misuse good will of open source developers. The important thing is to distinguish a security issue from improvement or feature request. The boundary may be quite fuzzy when it comes to a security-related system such as an IDM system. And in fact we had to refuse a couple of reports on the grounds that they are feature requests rather than security bug reports. However, overall the experience of the bug bounty program was a very good one. A lot of useful work was done and midPoint is now more secure than ever. And that is the most important thing that matters for the whole community.