Potential source of funding and bug finding
https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html

Announcing rewards for open source projects

We believe that user and internet security as a whole can benefit greatly if more open source projects include fuzzing in their development process. To this end, we’d like to encourage more projects to participate and adopt the ideal integration guidelines that we’ve established. Combined with fixing all the issues that are found, this is often a significant amount of work for developers who may be working on an open source project in their spare time.

To support these projects, we are expanding our existing Patch Rewards program to include rewards for the integration of fuzz targets into OSS-Fuzz. To qualify for these rewards, a project needs to have a large user base and/or be critical to global IT infrastructure. Eligible projects will receive $1,000 for initial integration, and up to $20,000 for ideal integration (the final amount is at our discretion). You have the option of donating these rewards to charity instead, and Google will double the amount.
Re: DDG Tasks Bug Bounty Proposal
On 08/05/17 18:21, Steve Dougherty wrote:
> Original Message
> Subject: Re: DDG Tasks Bug Bounty Proposal
> Local Time: May 8, 2017 1:09 PM
> UTC Time: May 8, 2017 5:09 PM
> From: free...@nullvoid.me
> To: devl@freenetproject.org
>
> Can you provide the minimum identification requirements to be able to get a bug bounty from FPI? If you have to report to the IRS does that mean only citizens of the United States are eligible to work on Freenet for pay?

No, FPI can pay foreign developers, and has done in the past.

> As for access to the source code, is it not open source? If you mean push access to the repo, I thought most of the bug bounties are to fix bugs and submit code, not review and merge code. There is no security concern regarding anonymous vs known developers submitting code. At the end of the day the code should be reviewed line for line, whether it's by a "trusted" name or not.
>
> Right - I propose paying someone to write code which is then reviewed and merged by existing community members with push access.

This is the correct approach - if somebody goes to the lengths to craft some subtle vulnerability (Heartbleed!) they are not going to be deterred by needing a name and address.

Having said that, review capacity has been a problem in the past. My purge-db4o work was delayed for an entire year, for example. How can we minimise this?
Re: DDG Tasks Bug Bounty Proposal
> Original Message
> Subject: Re: DDG Tasks Bug Bounty Proposal
> Local Time: May 8, 2017 1:09 PM
> UTC Time: May 8, 2017 5:09 PM
> From: free...@nullvoid.me
> To: devl@freenetproject.org
>
> Can you provide the minimum identification requirements to be able to get a bug bounty from FPI? If you have to report to the IRS does that mean only citizens of the United States are eligible to work on Freenet for pay?
>
> As for access to the source code, is it not open source? If you mean push access to the repo, I thought most of the bug bounties are to fix bugs and submit code, not review and merge code. There is no security concern regarding anonymous vs known developers submitting code. At the end of the day the code should be reviewed line for line, whether it's by a "trusted" name or not.

Right - I propose paying someone to write code which is then reviewed and merged by existing community members with push access.
Re: DDG Tasks Bug Bounty Proposal
Can you provide the minimum identification requirements to be able to get a bug bounty from FPI? If you have to report to the IRS does that mean only citizens of the United States are eligible to work on Freenet for pay?

As for access to the source code, is it not open source? If you mean push access to the repo, I thought most of the bug bounties are to fix bugs and submit code, not review and merge code. There is no security concern regarding anonymous vs known developers submitting code. At the end of the day the code should be reviewed line for line, whether it's by a "trusted" name or not.

Ian:
> I think Matthew is right, it might cause legal issues if we're paying someone anonymously, we have to report all expenditures to the IRS and they might not react too well to us paying significant amounts of money to anonymous bitcoin addresses. It could be considered money-laundering, for example.
>
> There is also a trust issue, since we would probably need to give them access to source repos and other things - and it would be irresponsible to do that with someone we know nothing about.
>
> Ian.
>
> On Sun, May 7, 2017 6:26 PM, Steve Dougherty st...@asksteved.com wrote:
> Is your understanding consistent with Matthew's that FPI cannot pay a developer who remains anonymous to FPI?
>
> Are you willing to have FPI offer bug bounties? If so, I can put out the call. Would you rather that we engage individual non-proven developers one at a time and offer them lump sums for merged code instead? That would make setting a deadline reasonable, at least, which would be nice.
>
> Original Message
> Subject: Re: DDG Tasks Bug Bounty Proposal
> Local Time: May 6, 2017 3:46 PM
> UTC Time: May 6, 2017 7:46 PM
> From: i...@locut.us
> To: devl@freenetproject.org
>
> Interesting idea, but isn't there a danger of duplicated effort with this approach? It would be annoying to put a bunch of work into something only to be beaten to the finish line by someone else. From a developer's perspective that would add to the risk and may be a disincentive to try.
>
> On Sat, May 6, 2017, 4:53 AM Steve Dougherty wrote:
> Hi everyone,
>
> To my understanding, at least currently xor does not want FPI to pay him for his work. Some developers on FMS have proposed bug bounties - say, $1000 - for completing a task like "fix Windows tray / installer to work with 64-bit Java." This would be in a "first to get reviewed and merged gets paid" fashion, the idea being we can pay people not yet familiar with the project to familiarize themselves and not have to commit to paying an unknown developer hourly. At least one developer has asked that payment be available in crypto currency; this seems reasonable to me.
>
> Thoughts?
>
> - Steve
Re: DDG Tasks Bug Bounty Proposal
I think Matthew is right, it might cause legal issues if we're paying someone anonymously, we have to report all expenditures to the IRS and they might not react too well to us paying significant amounts of money to anonymous bitcoin addresses. It could be considered money-laundering, for example.

There is also a trust issue, since we would probably need to give them access to source repos and other things - and it would be irresponsible to do that with someone we know nothing about.

Ian.

On Sun, May 7, 2017 6:26 PM, Steve Dougherty st...@asksteved.com wrote:
> Is your understanding consistent with Matthew's that FPI cannot pay a developer who remains anonymous to FPI?
>
> Are you willing to have FPI offer bug bounties? If so, I can put out the call. Would you rather that we engage individual non-proven developers one at a time and offer them lump sums for merged code instead? That would make setting a deadline reasonable, at least, which would be nice.
>
> Original Message
> Subject: Re: DDG Tasks Bug Bounty Proposal
> Local Time: May 6, 2017 3:46 PM
> UTC Time: May 6, 2017 7:46 PM
> From: i...@locut.us
> To: devl@freenetproject.org
>
> Interesting idea, but isn't there a danger of duplicated effort with this approach? It would be annoying to put a bunch of work into something only to be beaten to the finish line by someone else. From a developer's perspective that would add to the risk and may be a disincentive to try.
>
> On Sat, May 6, 2017, 4:53 AM Steve Dougherty wrote:
> Hi everyone,
>
> To my understanding, at least currently xor does not want FPI to pay him for his work. Some developers on FMS have proposed bug bounties - say, $1000 - for completing a task like "fix Windows tray / installer to work with 64-bit Java." This would be in a "first to get reviewed and merged gets paid" fashion, the idea being we can pay people not yet familiar with the project to familiarize themselves and not have to commit to paying an unknown developer hourly. At least one developer has asked that payment be available in crypto currency; this seems reasonable to me.
>
> Thoughts?
>
> - Steve
Re: DDG Tasks Bug Bounty Proposal
On Saturday, May 06, 2017 05:53:31 AM Steve Dougherty wrote:
> To my understanding, at least currently xor does not want FPI to pay him for his work.

Yes, I'm only temporarily not available for hire as I've decided to instead work for free for some months, see [1]. Once this is finished I will possibly be available for hire again if our work atmosphere continues to improve as it already has :)

I've been pushing code for my chosen task almost every day for some months and the more complex half of it is close to being finished. I'd say it may take ~2 more months for the rest - though please be aware that I'm bad at time estimates.

So if FPI doesn't hire someone with a permanent contract but instead merely offers temporary bounty-like tasks the advantage may be that after I'm finished with my volunteering FPI could hire me again to reap the benefit of my lengthy experience with Freenet.

If I'm not hired again I will nevertheless continue to volunteer, just with less hours than as an employee, so feel as free as possible in your decision :)

Greetings,
xor

[1] During the poll I had decided to revoke my votes for the WoT task I had considered the most important and to instead implement it for free as a volunteer. I did this to disprove suspicions about whether my primary interest with my votes and suggestion to cancel the poll was money. The chosen piece of work is:

> Web of Trust: Finish first iteration of most critical speed fixes (1 bugtracker entry: https://bugs.freenetproject.org/view.php?id=3816). Was subject of previous 2 years of paid work. Ensures this work is not left unfinished. Needed for Sone / Freetalk / filesharing / ...