Here is another mail from Alex. I asked him about conflict of interest:
-------- Original Message --------
Subject: Re: Fwd: Python at HackerOne
Date: Thu, 7 Nov 2013 17:33:52 -0800
From: Alex Rice <ar...@hackerone.com>
To: Christian Heimes <christ...@python.org>

Our "easy fix" to the collusion issue is to request core developers donate the bounty directly to a nonprofit instead of personal gain (the nonprofit could be the PSF).

Attacking the problem directly requires a bit more structure. This would be a start:

- transparent, consistent bounty amounts. This requires removing most subjectiveness from the award process
- volunteer cannot be paid for a bug in code they wrote
- bug must have been *live* for 12+ months

But, to be honest, it's not a problem with one clear-cut solution. If there's a desire for a formal code of conduct (probably a worthwhile exercise), we can take a first pass at drafting one and request feedback from the community.

On Nov 7, 2013 8:19 PM, "Christian Heimes" <christ...@python.org> wrote:

> On 08.11.2013 01:45, Alex Rice wrote:
> > FYI :)
>
> Hi Alex,
>
> I totally forgot that it's a members-only mailing list. I have forwarded your mail. Thanks for the heads-up!
>
> We are going to discuss your input internally and get back to you in a couple of days.
>
> I have one final question / remark for you: Do you have a recommendation for how we should handle conflicts of interest with IBB? After all, a high percentage of security-related discoveries, fixes and improvements are made by Python core committers or PSRT members. Although we are all unpaid volunteers, I (and probably others) would feel uncomfortable suggesting fellow developers for a bounty. It would feel like cronyism...
>
> Are you working on a code of conduct for these kinds of problems?
>
> Good night!
> Christian

_______________________________________________
python-committers mailing list
python-committers@python.org
https://mail.python.org/mailman/listinfo/python-committers