Fwd: Re: Fwd: Python at HackerOne
Here is another mail from Alex. I asked him about conflict of interest:
-------- Original Message --------
Subject: Re: Fwd: Python at HackerOne
Date: Thu, 7 Nov 2013 17:33:52 -0800
From: Alex Rice arice@hackerone.com
To: Christian Heimes christian@python.org
Our "easy fix" to the collusion issue is to request core developers donate the bounty directly to a nonprofit instead of personal gain (the nonprofit could be the PSF).
Attacking the problem directly requires a bit more structure. This would be a start:
- transparent, consistent bounty amounts. This requires removing most subjectivity from the award process
- a volunteer cannot be paid for a bug in code they wrote
- the bug must have been *live* for 12+ months
But, to be honest, it's not a problem with one clear-cut solution. If there's a desire for a formal code of conduct (probably a worthwhile exercise), we can take a first pass at drafting one and request feedback from the community.
On Nov 7, 2013 8:19 PM, "Christian Heimes"
On 08.11.2013 01:45, Alex Rice wrote:
> FYI :)
Hi Alex,
I totally forgot that it's a members-only mailing list. I have forwarded
your mail. Thanks for the heads-up! We are going to discuss your input
internally and get back to you in a couple of days.
I have one final question / remark for you:
Do you have a recommendation on how we should handle conflicts of interest
with the IBB? After all, a high percentage of security-related discoveries,
fixes and improvements are made by Python core committers or PSRT
members. Although we are all unpaid volunteers, I (and probably others)
would feel uncomfortable suggesting fellow developers for a bounty. It
would feel like cronyism... Are you working on a code of conduct for
these kinds of problems?
Good night!
Christian