I was recently thinking about how several soundness violations have been found during the run-up to the 1.0 release, both in the language and in the standard library. How many more will turn up after? How could we have more confidence that there are unlikely to be further holes lurking?
One way to do so, of course, would be to prove soundness, as e.g. the Patina effort has begun to do. But doing this for the whole language and all of the unsafe code in std is likely to be a considerable and lengthy undertaking (especially as both continue to grow and evolve).
The violations found so far have tended to turn up in a seemingly haphazard and accidental way: in at least one case (but I think there were more), example code mentioned in an RFC discussion thread which surprisingly compiled turned out to be due to a soundness hole in the language.
One way that we could gain confidence would be if we knew that people were constantly and actively looking for holes, and not finding any. One potential way to accomplish that would be by posting bounties for any holes that people do manage to find, either in the language itself or in unsafe code in std. This would be not dissimilar to the bounties which some other projects post for finding security holes in their software.
(Perhaps the bounty could be in some approximate proportion to the seriousness of the hole, e.g. larger for language than for library issues, larger in proportion to the amount of time the functionality has been stable, …?)
Anyone else think something like this might be worthwhile?