[Esapi-user] [Esapi-dev] 2 ESAPI Bounties created on Bountysource

Fabio Cerullo fcerullo at owasp.org
Mon Jan 26 16:10:55 UTC 2015


I don't see an issue being an OWASP leader or not, as long as the bug is
fixed and the project moves forward. Otherwise we are promoting not being a
leader so you could fix bugs, which seems counterproductive.

The only clear limitation is for the leaders of the affected project in
order to avoid conflict of interests.

At the end of the day, the project leader has the last word on who should
get the bounty.

Regards
Fabio

On Mon, Jan 26, 2015 at 3:56 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:

> The key is that it is happening, so hopefully some good code contributions
> will come out of it
> On 26 Jan 2015 15:52, "Jim Manico" <jim.manico at owasp.org> wrote:
>
>> I think your disagreement is a fair point. I'm a bit more focused on the
>> end-goal and do not want to put barriers up, but I don't think your take on
>> this is un-reasonable, Dinis.
>>
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>>
>> On Jan 26, 2015, at 7:42 AM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>>
>> I'm sure me and Jim have 'agreed to disagree' on this one, so here are my
>> 2 cents:
>>
>> I think that this is a great idea and use of OWASP funds (both project
>> specific or globally), but I would put the limitations to participate on
>> 'not being an OWASP leader'
>>
>> That is: only non-OWASP leaders are eligible to receive the bounty (only
>> applying to current OWASP leaders)
>>
>> That actually makes it much simpler and transparent in the short, medium
>> and long term
>>  On 26 Jan 2015 15:32, "Jim Manico" <jim.manico at owasp.org> wrote:
>>
>>> Limiting who can work on this makes no sense, a bug is a bug is a
>>> bounty.  I say anyone can chase these. And since we have no staff who are
>>> computer programmers, I don't see an issue there. Let's not put up
>>> unnecessary roadblocks to completion.
>>>
>>> Anyone can chase these bounties...
>>>
>>> --
>>> Jim Manico
>>> @Manicode
>>> (808) 652-3805
>>>
>>> On Jan 26, 2015, at 7:12 AM, Kevin W. Wall <kevin.w.wall at gmail.com>
>>> wrote:
>>>
>>> Works for me.
>>>
>>> -kevin
>>> Sent from my Droid; please excuse typos.
>>> On Jan 26, 2015 6:03 AM, "Fabio Cerullo" <fcerullo at owasp.org> wrote:
>>>
>>>> Great stuff guys... I would say for the time being, let's keep it simple
>>>> regarding participating rules.
>>>>
>>>> - ESAPI project leaders (You & Chris) cannot claim the bounty.
>>>> - OWASP Global Board members and staff cannot claim the bounty.
>>>> - Everyone else is invited to participate and submit solutions.
>>>>
>>>> Makes sense?
>>>>
>>>> Fabio
>>>>
>>>> On Mon, Jan 26, 2015 at 5:33 AM, Jeff Williams <
>>>> jeff.williams at aspectsecurity.com> wrote:
>>>>
>>>>>  Very cool.  Thanks Kevin and Chris!
>>>>>
>>>>>  --Jeff
>>>>>
>>>>>
>>>>>   From: Kevin Wall
>>>>> Date: Sunday, January 25, 2015 at 11:51 PM
>>>>> To: 'ESAPI-Developers', "Esapi-user at lists.owasp.org", Fabio Cerullo
>>>>> Subject: [Esapi-dev] 2 ESAPI Bounties created on Bountysource
>>>>>
>>>>>     All,
>>>>>
>>>>> I just created a $200 bounty on Reference Implementation Extensibility
>>>>> <https://www.bountysource.com/issues/5975294-reference-implementation-extensibility>
>>>>> and a second one for $275 for Need Major Changes to Configuration Mechanism
>>>>> <https://www.bountysource.com/issues/5975509-need-major-changes-to-configuration-mechanism>.
>>>>> The first one expires in 6 months and the second one expires in 3 months
>>>>> (although if significant progress can be shown on either of these, I'd be
>>>>> willing to extend the times).
>>>>>
>>>>> If you have questions on how to handle the bounties themselves,
>>>>> check out the Bountysource FAQ <https://www.bountysource.com/faq>
>>>>> or contact the Bountysource team via
>>>>>
>>>>> - support at bountysource.com (Email)
>>>>> - #Bountysource (IRC)
>>>>> - @Bountysource (Twitter)
>>>>> - Bountysource (Facebook)
>>>>>
>>>>> If you have questions about the issues themselves, either post
>>>>> your questions to the ESAPI Dev list or send them directly
>>>>> to me. (If they are questions about clarification, I'd prefer
>>>>> an open dialog on the ESAPI Dev mailing list.)
>>>>>
>>>>> Fabio, do you have anything to add, such as are there any
>>>>> restrictions as to who may participate, etc. (I suggest that
>>>>> at least you, Chris Schmidt, and myself should not be eligible
>>>>> to avoid any appearance of conflict of interest, but I'm not
>>>>> sure if we should have additional people excluded.)
>>>>>
>>>>> -kevin
>>>>>  P.S.- Please help spread the word about this. Thanks.
>>>>>  --
>>>>>  Blog: http://off-the-wall-security.blogspot.com/
>>>>> NSA: All your crypto bit are belong to us.
>>>>>
>>>>
>>>>  _______________________________________________
>>> Esapi-dev mailing list
>>> Esapi-dev at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/esapi-dev
>>>
>>>