Sign up to save your podcasts
Or
Share MRuby and Language Security with Daniel Bovensiepen
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
MRuby and Language Security with Daniel Bovensiepen
Shopify is a company that helps customers build custom online storefronts. Shopify has built upon the same Ruby on Rails application since the founding of their business 12 years ago starting with Rails 0.5 and moving all the way to Rails 5.
MRuby is a lightweight implementation of the Ruby language. Shopify made the decision to use mruby to allow customers to create custom scripts that are run every time a customer adds items to their cart. However, since mruby was a language implementation that was not widely used, Shopify opted to post a Bug Bounty to the HackerOne bug bounty platform to find security vulnerabilities in their use of mruby. What followed was a payout of over $500,000 as report after report flooded in of security vulnerabilities inside mruby itself. There was so many reports that Shopify made the decision to sandbox the mruby execution into separate processes and decreased the bounty awards by 90%.
In this episode, Jeremy Jung interviews Daniel Bovensiepen (BOH-ven-see-pen) about mruby and the Shopify bug bounty.
Show Notes
Mruby: http://mruby.org/
The $500,000 release: http://mruby.sh/201703270126.html
HackerOne bounty page: https://hackerone.com/shopify-scripts
American Fuzzy Lop: http://lcamtuf.coredump.cx/afl/
The post MRuby and Language Security with Daniel Bovensiepen appeared first on Software Engineering Daily.
View all episodes
By Security Archives - Software Engineering Daily
4.5
44 ratings
Shopify is a company that helps customers build custom online storefronts. Shopify has built upon the same Ruby on Rails application since the founding of their business 12 years ago starting with Rails 0.5 and moving all the way to Rails 5.
MRuby is a lightweight implementation of the Ruby language. Shopify made the decision to use mruby to allow customers to create custom scripts that are run every time a customer adds items to their cart. However, since mruby was a language implementation that was not widely used, Shopify opted to post a Bug Bounty to the HackerOne bug bounty platform to find security vulnerabilities in their use of mruby. What followed was a payout of over $500,000 as report after report flooded in of security vulnerabilities inside mruby itself. There was so many reports that Shopify made the decision to sandbox the mruby execution into separate processes and decreased the bounty awards by 90%.
In this episode, Jeremy Jung interviews Daniel Bovensiepen (BOH-ven-see-pen) about mruby and the Shopify bug bounty.
Show Notes
Mruby: http://mruby.org/
The $500,000 release: http://mruby.sh/201703270126.html
HackerOne bounty page: https://hackerone.com/shopify-scripts
American Fuzzy Lop: http://lcamtuf.coredump.cx/afl/
The post MRuby and Language Security with Daniel Bovensiepen appeared first on Software Engineering Daily.