Forwarded mail

-------- Original-Nachricht -------- Betreff: Re: Python at HackerOne Datum: Thu, 7 Nov 2013 16:37:30 -0800 Von: Alex Rice arice@hackerone.com An: Christian Heimes christian@python.org Kopie (CC): python-committers@python.org, IBB Panel ibb-panel@hackerone.com

Hi Christian!

Thanks for getting in touch, glad there's interest on your end! Our initial approach was structured to be as noninvasive as possible. The simple version: we'll keep an eye out for public security patches and reactively issue bounties for both the discovery & fix.

This passive approach is optimized for minimizing pain but leaves room for efficiency gains given how removed we are from the project. Fortunately, we have a lot of flexibility here and we welcome assistance devising more effective means of rewarding outstanding security contributions to the Python community. Here are a few options worth mentioning:

• Our initial scope only covers the rare, high-severity bugs, because we're a bottleneck that can't investigate every bug. This scope can be expanded if you're willing to accept more submissions and provide a severity assessment for confirmed bugs. For example, you might include low-severity bugs (i.e., DoS) for ~$500.

• Please shout at us whenever you observe a contribution that you believe made us all safer. You will undoubtedly have insight into each vulnerability that we might have overlooked.

• We're happy to make suggested edits to the program's description at https://hackerone.com/python

In general, you're the boss: feel free to think of this as the "Python Bug Bounty". You tell us how the budget would be spent most effectively and we'll work with you to strike a balance. As examples, the guys at Phabricator decided to exclude bounties for patches (they'd rather fix every issue themselves) and rewrote most of our scope from scratch. Django is going through the same exercise right now.

Thanks, Alex