On 08/05/17 18:21, Steve Dougherty wrote:
> -------- Original Message --------
> Subject: Re: DDG Tasks Bug Bounty Proposal
> Local Time: May 8, 2017 1:09 PM
> UTC Time: May 8, 2017 5:09 PM
> From: [email protected]
> To: [email protected]
>
> Can you provide the minimum identification requirements to be able to
> get a bug bounty from FPI? If you have to report to the IRS does that
> mean only citizens of the United States are eligible to work on Freenet
> for pay?

No, FPI can pay foreign developers, and has done in the past.

> As for access to the source code, is it not open source? If you mean
> push access to the repo, I thought most of the bug bounties are to fix
> bugs and submit code, not review and merge code. There is no security
> concern regarding anonymous vs known developers submitting code. At the
> end of the day the code should be reviewed line for line, whether it's
> by a "trusted" name or not.
>
> Right - I propose paying someone to write code which is then reviewed and
> merged by existing community members with push access.

This is the correct approach - if somebody goes to the lengths to craft some subtle vulnerability (Heartbleed!) they are not going to be deterred by needing a name and address.

Having said that, review capacity has been a problem in the past. My purge-db4o work was delayed for an entire year, for example. How can we minimise this?
