From owner-freebsd-hackers@freebsd.org  Mon Apr 26 20:36:16 2021
Return-Path: <owner-freebsd-hackers@freebsd.org>
Delivered-To: freebsd-hackers@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 34A185EFDD9
 for <freebsd-hackers@mailman.nyi.freebsd.org>;
 Mon, 26 Apr 2021 20:36:16 +0000 (UTC)
 (envelope-from mason@blisses.org)
Received: from yangtze.blisses.org (yangtze.blisses.org [144.202.50.44])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 4FTc9p74yLz4YXK;
 Mon, 26 Apr 2021 20:36:14 +0000 (UTC)
 (envelope-from mason@blisses.org)
Received: from cocytus.blisses.org (cocytus.blisses.org [64.223.129.151])
 by yangtze.blisses.org (Postfix) with ESMTP id E4C7917B288;
 Mon, 26 Apr 2021 16:36:06 -0400 (EDT)
Date: Mon, 26 Apr 2021 16:36:05 -0400
From: Mason Loring Bliss <mason@blisses.org>
To: "linimon@portsmon.org linimon@portsmon.org" <linimon@portsmon.org>,
 Li-Wen Hsu <lwhsu@freebsd.org>
Cc: freebsd-hackers@freebsd.org
Subject: Re: Bug bounty framework?
Message-ID: <20210426203604.GU18217@blisses.org>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature"; boundary="uX7BrQs69PbBafpd"
Content-Disposition: inline
In-Reply-To: <CAKBkRUx+aT7HZmbPO=4nb3y37i86Gi8nWYZGvEShzWij8C4BJQ@mail.gmail.com>
 <1219846208.215399.1619466917981@privateemail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Rspamd-Queue-Id: 4FTc9p74yLz4YXK
X-Spamd-Bar: ----
Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none;
 spf=pass (mx1.freebsd.org: domain of mason@blisses.org designates
 144.202.50.44 as permitted sender) smtp.mailfrom=mason@blisses.org
X-Spamd-Result: default: False [-4.40 / 15.00]; RCVD_TLS_LAST(0.00)[];
 ARC_NA(0.00)[]; MID_RHS_MATCH_FROM(0.00)[];
 FROM_HAS_DN(0.00)[]; RCPT_COUNT_THREE(0.00)[3];
 TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+mx];
 MIME_GOOD(-0.20)[multipart/signed,text/plain];
 DMARC_NA(0.00)[blisses.org];
 RBL_DBL_DONT_QUERY_IPS(0.00)[144.202.50.44:from];
 SPAMHAUS_ZRD(0.00)[144.202.50.44:from:127.0.2.255];
 TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000];
 NEURAL_HAM_SHORT(-1.00)[-1.000];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000]; SIGNED_PGP(-2.00)[];
 FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[];
 MIME_TRACE(0.00)[0:+,1:+,2:~];
 ASN(0.00)[asn:20473, ipnet:144.202.48.0/20, country:US];
 SUBJECT_ENDS_QUESTION(1.00)[];
 MAILMAN_DEST(0.00)[freebsd-hackers]; RCVD_COUNT_TWO(0.00)[2]
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Technical discussions relating to FreeBSD
 <freebsd-hackers.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers/>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Apr 2021 20:36:16 -0000


--uX7BrQs69PbBafpd
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon, Apr 26, 2021 at 02:55:17PM -0500, linimon@portsmon.org linimon@port=
smon.org wrote:

> And I can't speak for the Foundation, but in order to remain tax-exempt in
> the US, it cannot be seen as a "pass-through" place for explicit work.  i=
=2Ee.
> MajorCompanyX can't pay the Foundation to pay someone to do work.

Oh, hrm. I'll write to Foundation folks (if they don't see and respond
here) to see if something like this would be an acceptable structure
legally. I hadn't thought about it from that angle.


On Tue, Apr 27, 2021 at 04:12:40AM +0800, Li-Wen Hsu wrote:

> I feel it's mixing two different things?  IIUC that "bug bounty"
> mostly means that an organization (usually a big company) has a prize
> to reward the people who report security issues,

That was probably not the right terminology for me to use, but it felt
close. Another analogy would be a walkathon, where kids sign people up to
donate to a charity with the donation being some amount per lap or per mile
or however it's measured.

I wouldn't have an opinion on a traditional bug bounty, where individuals
are rewarded monetarily for reporting bugs. This'd be more a feel-good
motivation for folks participating in getting defects fixed - "I helped get
this done, and the Foundation benefitted directly as a result."

A page on the wiki would probably be sufficient to track these things,
since there's no contract involved, if there's interest. I'd be happy to
volunteer time to help curate such a thing. I'd love to hear from the
Foundation, though, so I'll make contact.

--=20
  Mason Loring Bliss         mason@blisses.org        http://blisses.org/ =
=20
For more enjoyment and greater efficiency, consumption is being standardize=
d.

--uX7BrQs69PbBafpd
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEEXtBZz1axB5rEDCEnrJXcHbvJVUFAmCHJDIACgkQnrJXcHbv
JVUwRxAAiWy9LTIMKvOCft5C/XapKAYUb6495qjuU8KARp2JHNfAmbarMzagICRY
RCc5hecjjhu95O8c6B3Oi3Iqyyv/yngDaj2GavFoX3hjEssT1q0YXdWyzq12bzUi
HS1eHdOJ+tK/NXB46ENg0S7IQZpnMkZAn4o0xGJvMVQnff0kElCPaqGNaiL2mjJk
87WG7nA/8UusIzHWmE/zbSXxlwAk2QcHK8Zmi6nTowV/nLtRiKz+Ds1FwzgFGoRl
gtDlmawdsL0UD1RzDDSx4GicrguHWFG8wlf0wP8ANdIAJQ/vcG+3Pc7QienC3BqO
oapj1Cb2hp1vK2EzcEyDr1jtjhKW1oDdbWfxqEexpIeP1zHnqA1f5cxJdRcsCE1n
Kid93el39OHuLelpBmHnifUZc0zb7bARmX1whJLl8wM4sjDuN05x5PRKcb4QWep8
8gWky71mwJbsXUais3BkROep4ReQhFvsaaa/ziyMvyxVuEp8CV9c/O8YiN+4L/LU
UsbKC84WoAQG1CkvHbeqkvSy88uYbq57Z0+XCaMx6Fj21GykjxMc/UIV2K+6p+/z
s230K66oVVkQkBrEpAgQ9SA7DDmBERnSJeJk7obvfMbstBSsQmiIIYCTvg7nAME3
KgVsxQZ9Jwm+PnCJDa9rzrCXd2G34CPtxEm8cdOe6l4Ajhyg5Us=
=vDk1
-----END PGP SIGNATURE-----

--uX7BrQs69PbBafpd--