-------- Original Message --------
Subject: Re: Python at HackerOne
Date: Thu, 7 Nov 2013 16:37:30 -0800
From: Alex Rice <arice(a)hackerone.com>
To: Christian Heimes <christian(a)python.org>
CC: python-committers(a)python.org, IBB Panel
Thanks for getting in touch, glad there's interest on your end! Our
initial approach was structured to be as noninvasive as possible. The
simple version: we'll keep an eye out for public security patches and
reactively issue bounties for both the discovery & fix.
This passive approach is optimized for minimizing pain but leaves room
for efficiency gains given how removed we are from the project.
Fortunately, we have a lot of flexibility here and we welcome assistance
devising more effective means of rewarding outstanding security
contributions to the Python community. Here are a few options worth
- Our initial scope only covers the rare, high-severity bugs, because
we're a bottleneck that can't investigate every bug. This scope can be
expanded if you're willing to accept more submissions and provide a
severity assessment for confirmed bugs. For example, you might include
low-severity bugs (i.e., DoS) for ~$500.
- Please shout at us whenever you observe a contribution that you
believe made us all safer. You will undoubtedly have insight into each
vulnerability that we might have overlooked.
- We're happy to make suggested edits to the program's description at
In general, you're the boss: feel free to think of this as the "Python
Bug Bounty". You tell us how the budget would be spent most effectively
and we'll work with you to strike a balance. As examples, the guys at
Phabricator decided to exclude bounties for patches (they'd rather fix
every issue themselves) and rewrote most of our scope from scratch.
Django is going through the same exercise right now.
I'm contacting you on behalf of the Python core committers and Python
Security Response Team (PSRT). We were really excited and honored that
Python was selected as one of the first twelve projects for the new
Internet Bug Bounty program. Thanks a lot for including Python!
Is there anything the PSRT or Python Software Foundation can do to
join the effort and assist with your program? I think it's in our
mutual interest to spread the word and handle incoming security
issues properly. We will be glad to help you.
Just wanted to briefly say thank you for the vote of confidence in
accepting me into your ranks. I'm looking forward to working with
such a great group of people on such a great project for a long time
What do you think about giving commit access to Zachary Ware? He's
been active on the tracker for a while and has contributed a good bit
of Windows code.
I'm not doing much Windows stuff these days, and unfortunately I
haven't had much time to contribute much lately. The latter will be
changing, but the former probably won't. Anyways, Zach is interested
in picking up some of our Windows slack and I think he could benefit
from commit access.
Although I've been mostly quiet, I have been nosy on most of his
issues and have looked over most of the patches. I volunteer to
continue looking after him as I too get back into contributing.