Bug bounty framework?

Mason Loring Bliss mason at blisses.org
Mon Apr 26 20:36:16 UTC 2021


On Mon, Apr 26, 2021 at 02:55:17PM -0500, linimon at portsmon.org wrote:

> And I can't speak for the Foundation, but in order to remain tax-exempt in
> the US, it cannot be seen as a "pass-through" place for explicit work.  i.e.
> MajorCompanyX can't pay the Foundation to pay someone to do work.

Oh, hrm. I'll write to Foundation folks (if they don't see and respond
here) to see if something like this would be an acceptable structure
legally. I hadn't thought about it from that angle.


On Tue, Apr 27, 2021 at 04:12:40AM +0800, Li-Wen Hsu wrote:

> I feel it's mixing two different things?  IIUC that "bug bounty"
> mostly means that an organization (usually a big company) has a prize
> to reward the people who report security issues,

That was probably not the right terminology for me to use, but it felt
close. Another analogy would be a walkathon, where kids sign people up to
donate to a charity with the donation being some amount per lap or per mile
or however it's measured.

I wouldn't have an opinion on a traditional bug bounty, where individuals
are rewarded monetarily for reporting bugs. This'd be more a feel-good
motivation for folks participating in getting defects fixed - "I helped get
this done, and the Foundation benefitted directly as a result."

A page on the wiki would probably be sufficient to track these things,
since there's no contract involved, if there's interest. I'd be happy to
volunteer time to help curate such a thing. I'd love to hear from the
Foundation, though, so I'll make contact.

-- 
  Mason Loring Bliss         mason at blisses.org        http://blisses.org/  
For more enjoyment and greater efficiency, consumption is being standardized.