On 10/10/13 16:35, chris hofmann wrote:
> The one idea that is new here is the idea about paying developers for
> fixing vulnerabilities in the code they work on. That could create the
> wrong incentives if not managed and tracked properly, setting up the
> possibility of writing code that's insecure, then getting paid to patch
> or improve that code later on.

I suspect that Google are thinking they will avoid that problem because this program doesn't pay out for fixing individual vulnerabilities; it pays out for security-improving architectural patches. So yes, maybe you could design an entire feature insecurely, persuade your co-developers to let you check it in anyway, and then secure it - but again, the program is at Google's discretion, so I think you'd get busted.

Gerv

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security