On Thu, Nov 02, 2017 at 10:47:11AM -0400, Martin Owens wrote:
> Dear Board,
>
> Under my role as website administrator I got an unsolicited email from
> 'Freddie D. Silva' in which he documented five bugs in the inkscape.org
> deployment which would be security issues.
>
> After fixing the issues and thanking the contributor for their valuable
> service, they then asked for a security bounty.
>
> I've tried a couple of times to explain that Inkscape is a volunteer
> project and I've offered to add a credit and link to the website
> instead. But they don't seem to understand or be interested.
>
> I'm bringing this to the board's attention so that I can get some
> feedback on how to deal with this kind of contributor-case.
Pretty cut and dried: security bounties haven't been offered.

Furthermore, Inkscape is a userspace desktop application, not server software, and while people do run it that way it is a small subset of our userbase. It's not really a use case we have actively pursued as a project. Even if we did, I have worked on open source server-side projects yet have never dealt with bounties for security work.

How can we be sure this is not simply some form of a shakedown?

If further exploration on this is desired, before tackling anything at the board level, I would recommend bringing in someone with a background in security for open source, such as Kees Cook (a past Inkscape contributor who is currently a security engineer for Google).

I also wonder why this request came in through the webmaster alias rather than a more normal channel. Does a lot come through the webmaster alias? If so, perhaps it should be directed to a mailing list or a ticket system.

Bryce

_______________________________________________
Inkscape-board mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/inkscape-board
