-------- Original Message --------
Subject: Re: Python at HackerOne
Date: Thu, 7 Nov 2013 16:37:30 -0800
From: Alex Rice email@example.com
To: Christian Heimes firstname.lastname@example.org
CC: email@example.com, IBB Panel firstname.lastname@example.org
Thanks for getting in touch, glad there's interest on your end! Our initial approach was structured to be as noninvasive as possible. The simple version: we'll keep an eye out for public security patches and reactively issue bounties for both the discovery & fix.
This passive approach is optimized for minimizing pain but leaves room for efficiency gains given how removed we are from the project. Fortunately, we have a lot of flexibility here and we welcome assistance devising more effective means of rewarding outstanding security contributions to the Python community. Here are a few options worth mentioning:
we're a bottleneck that can't investigate every bug. This scope can be expanded if you're willing to accept more submissions and provide a severity assessment for confirmed bugs. For example, you might include low-severity bugs (i.e., DoS) for ~$500.
believe made us all safer. You will undoubtedly have insight into each vulnerability that we might have overlooked.
In general, you're the boss: feel free to think of this as the "Python Bug Bounty". You tell us how the budget would be spent most effectively and we'll work with you to strike a balance. As examples, the guys at Phabricator decided to exclude bounties for patches (they'd rather fix every issue themselves) and rewrote most of our scope from scratch. Django is going through the same exercise right now.