Here is another mail from Alex. I asked him about conflict of interest:
-------- Original Message --------
Subject: Re: Fwd: Python at HackerOne
Date: Thu, 7 Nov 2013 17:33:52 -0800
From: Alex Rice <arice(a)hackerone.com>
To: Christian Heimes <christian(a)python.org>
Our "easy fix" to the collusion issue is to request core developers
donate the bounty directly to a nonprofit instead of personal gain (the
nonprofit could be the PSF).
Attacking the problem directly requires a bit more structure. This would
be a start:
- transparent, consistent bounty amounts. This requires removing most
subjectiveness from the award process
- volunteer cannot be paid for a bug in code they wrote
- bug must have been *live* for 12+ months
But, to be honest, it's not a problem with one clear-cut solution. If
there's a desire for a formal code of conduct (probably a worthwhile
exercise), we can take a first pass at drafting one and request feedback
from the community.
On Nov 7, 2013 8:19 PM, "Christian Heimes" <christian(a)python.org> wrote:
On 08.11.2013 01:45, Alex Rice wrote:
> FYI :)
Hi Alex,
I totally forgot that it's a members-only mailing list. I have forwarded
your mail. Thanks for the heads-up! We are going to discuss your input
internally and get back to you in a couple of days.
I have one final question / remark for you:
Do you have a recommendation on how we should handle conflicts of interest
with IBB? After all, a high percentage of security-related discoveries,
fixes and improvements are made by Python core committers or PSRT
members. Although we are all unpaid volunteers, I (and probably others)
would feel uncomfortable suggesting fellow developers for a bounty. It
would feel like cronyism... Are you working on a code of conduct for
these kinds of problems?
Good night!
Christian