Here is another mail from Alex. I asked him about conflict of interest:

-------- Original-Nachricht -------- Betreff: Re: Fwd: Python at HackerOne Datum: Thu, 7 Nov 2013 17:33:52 -0800 Von: Alex Rice arice@hackerone.com An: Christian Heimes christian@python.org

Our "easy fix" to the collusion issue is to request core developers donate the bounty directly to a nonprofit instead of personal gain (the nonprofit could be the PSF).

Attacking the problem directly requires a bit more structure. This would be a start:

• transparent, consistent bounty amounts. This requires removing most subjectiveness from the award process
• volunteer cannot be paid for a bug in code they wrote
• bug must have been *live* for 12+ months

But, to be honest, it's not a problem with one clearcut solution. If there's a desire for a formal code of conduct (probably a worthwhile exercise), we can take a first pass at drafting one and request feedback from the community.

On Nov 7, 2013 8:19 PM, "Christian Heimes" mailto:christian@python.org> wrote:

Am 08.11.2013 01:45, schrieb Alex Rice:
> FYI :)

Hi Alex,

I totally forgot that it's a member's only mailing list. I have forward
your mail. Thanks for the heads-up! We are going to discuss your input
internally and get back to you in a couple of days.

I have one final question / remark for you:

Do you have a recommendation how we should handle conflict of interests
with IBB? After all a high percentage of security-related discoveries,
fixes and improvements are made by Python core committers or PSRT
members. Although we are all unpaid volunteers I (and probably others)
would feel uncomfortable to suggest fellow developers for a bounty. It
would feel like cronyism... Are you working on a code of conduct for
these kinds of problems?

Good night!
Christian