[python-committers] Fwd: Re: Python at HackerOne

Christian Heimes christian at python.org
Fri Nov 8 02:00:46 CET 2013


Forwarded mail

-------- Original Message --------
Subject: 	Re: Python at HackerOne
Date: 	Thu, 7 Nov 2013 16:37:30 -0800
From: 	Alex Rice <arice at hackerone.com>
To: 	Christian Heimes <christian at python.org>
CC: 	python-committers at python.org, IBB Panel <ibb-panel at hackerone.com>

Hi Christian!

Thanks for getting in touch, glad there's interest on your end! Our
initial approach was structured to be as noninvasive as possible. The
simple version: we'll keep an eye out for public security patches and
reactively issue bounties for both the discovery & fix.

This passive approach is optimized for minimizing pain but leaves room
for efficiency gains given how removed we are from the project.
Fortunately, we have a lot of flexibility here and we welcome assistance
devising more effective means of rewarding outstanding security
contributions to the Python community. Here are a few options worth
mentioning:

- Our initial scope only covers the rare, high-severity bugs, because
we're a bottleneck that can't investigate every bug. This scope can be
expanded if you're willing to accept more submissions and provide a
severity assessment for confirmed bugs. For example, you might include
low-severity bugs (i.e., DoS) for ~$500.

- Please shout at us whenever you observe a contribution that you
believe made us all safer. You will undoubtedly have insight into each
vulnerability that we might have overlooked.

- We're happy to make suggested edits to the program's description at
https://hackerone.com/python

In general, you're the boss: feel free to think of this as the "Python
Bug Bounty". You tell us how the budget would be spent most effectively
and we'll work with you to strike a balance. As examples, the guys at
Phabricator decided to exclude bounties for patches (they'd rather fix
every issue themselves) and rewrote most of our scope from scratch.
Django is going through the same exercise right now.

Thanks,
Alex
