From: Mason Loring Bliss <mason@blisses.org>
To: linimon@portsmon.org, Li-Wen Hsu
Cc: freebsd-hackers@freebsd.org
Date: Mon, 26 Apr 2021 16:36:05 -0400
Subject: Re: Bug bounty framework?
Message-ID: <20210426203604.GU18217@blisses.org>
In-Reply-To: <1219846208.215399.1619466917981@privateemail.com>

On Mon, Apr 26, 2021 at 02:55:17PM -0500, linimon@portsmon.org wrote:

> And I can't speak for the Foundation, but in order to remain tax-exempt in
> the US, it cannot be seen as a "pass-through" place for explicit work. i.e.
> MajorCompanyX can't pay the Foundation to pay someone to do work.

Oh, hrm. I'll write to Foundation folks (if they don't see and respond here)
to see if something like this would be an acceptable structure legally. I
hadn't thought about it from that angle.

On Tue, Apr 27, 2021 at 04:12:40AM +0800, Li-Wen Hsu wrote:

> I feel it's mixing two different things? IIUC that "bug bounty"
> mostly means that an organization (usually a big company) has a prize
> to reward the people who report security issues,

That was probably not the right terminology for me to use, but it felt close.
Another analogy would be a walkathon, where kids sign people up to donate to
a charity with the donation being some amount per lap or per mile or however
it's measured.

I wouldn't have an opinion on a traditional bug bounty, where individuals are
rewarded monetarily for reporting bugs. This'd be more a feel-good motivation
for folks participating in getting defects fixed - "I helped get this done,
and the Foundation benefitted directly as a result."

A page on the wiki would probably be sufficient to track these things, since
there's no contract involved, if there's interest. I'd be happy to volunteer
time to help curate such a thing. I'd love to hear from the Foundation,
though, so I'll make contact.

-- 
Mason Loring Bliss  mason@blisses.org  http://blisses.org/
For more enjoyment and greater efficiency, consumption is being standardized.