Dear Board,
Under my role as website administrator I got an unsolicited email from 'Freddie D. Silva' in which he documented five bugs in the inkscape.org deployment which would be security issues.
After fixing the issues and thanking the contributor for their valuable service, they then asked for a security bounty.
I've tried a couple of times to explain that Inkscape is a volunteer project and I've offered to add a credit and link to the website instead. But they don't seem to understand or be interested.
I'm bringing this to the board's attention so that I can get some feedback on how to deal with this kind of contributor case.
Thanks for your input.
Best Regards, Martin Owens
On Thu, Nov 02, 2017 at 10:47:11AM -0400, Martin Owens wrote:
> Dear Board,
> Under my role as website administrator I got an unsolicited email from 'Freddie D. Silva' in which he documented five bugs in the inkscape.org deployment which would be security issues.
> After fixing the issues and thanking the contributor for their valuable service, they then asked for a security bounty.
> I've tried a couple of times to explain that Inkscape is a volunteer project and I've offered to add a credit and link to the website instead. But they don't seem to understand or be interested.
> I'm bringing this to the board's attention so that I can get some feedback on how to deal with this kind of contributor case.
Pretty cut and dried: security bounties haven't been offered.
Furthermore, Inkscape is a userspace desktop application, not server software, and while people do run it that way it is a small subset of our userbase. It's not really a use case we have actively pursued as a project.
Even if we did, I have worked on open source server-side projects yet have never dealt with bounties for security work. How can we be sure this is not simply some form of a shakedown?
If further exploration on this is desired, before tackling anything at the board level, I would recommend bringing in someone with a background in security for open source, such as Kees Cook (a past Inkscape contributor that is a security engineer for Google currently).
I also wonder why this request came in through the webmaster alias rather than a more normal channel. Does a lot come through the webmaster alias? If so, perhaps it should be directed to a mailing list or a ticket system.
Bryce
On Thu, 2017-11-02 at 15:34 -0700, Bryce Harrington wrote:
> I also wonder why this request came in through the webmaster alias rather than a more normal channel. Does a lot come through the webmaster alias? If so, perhaps it should be directed to a mailing list or a ticket system.
The security issues were with the website.
Martin,