Proposal to remove the reward/gift aspect for vulnerabilities

[Wadeck]

Context

• In more than one year, I didn't send any gift for reported vulnerabilities. No reporters asked for that despite the "If we forget, feel free to remind us by posting a comment to the security issue you reported." message in https://www.jenkins.io/security/gift/#process.
• The reward I sent for a previously reported issue took me a huge amount of time (especially administrative)
• We often receive(d) out of scope reports (automatic script/scan) with payment request (like asking 100$ for a false positive)

Opinion

• The credit aspect, to have a CVE with your name in the credits, is more important for researchers, especially when finding stuff in the open source
• The budget (~40$) is not enough to be an effective incentive. But the presence of a bug bounty program create wrong expectations
• The time spent "managing" this part does not seem to have a good return on investment

@daniel-beck WDYT?

@jenkins-infra/board Do you want to discuss the topic more broadly?

[NotMyFault]

jenkins-infra/board Do you want to discuss the topic more broadly?

Fine with me to keep this conversation here on the PR, the impact is surveyable.

+1 for removing the gift policy, if there's no demand for it.

[oleg-nenashev]

I also see no special need in such policy. As an alternative that would be more beneficial to the community, we can register a "Jenkins security contributor" OpenBadge with the Linux Foundation and give it to the reporters of valid issues that we include into the advisories. I can help you with having it set up. Believe that such a badge could be more interesting than monetary reward, especially thanks to open badge in service integrations with LinkedIn and Co. It would also help with the project visibility

…

On Fri, 20 Jan 2023, 13:44 Alexander Brandes, ***@***.***> wrote: ***@***.**** approved this pull request. jenkins-infra/board Do you want to discuss the topic more broadly? Fine with me to keep this conversation here on the PR, the impact is surveyable. +1 for removing the gift policy, if there's no demand for it. — Reply to this email directly, view it on GitHub <#5940 (review)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAW4RIDN7K742WITAM2SVYTWTKCBVANCNFSM6AAAAAAUBLSD5E> . You are receiving this because you are on a team that was mentioned.Message ID: ***@***.***>

[MarkEWaite]

I like the change. Thanks very much!

[kmartens27]

@daniel-beck with 3 board members approving, this will be merged to remove the gift text

[daniel-beck]

Time to figure out how to purge the site?

https://www.jenkins.io/security/gift/

Even the search still indexes it…

[lemeurherve]

I've ran curl -X PURGE https://www.jenkins.io/security/gift and a complete purge on Fastly but the page is still present 🤷

[lemeurherve]

It seems the page is still in the bucket:

curl -v -H "Host: www.jenkins.io"  https://www.origin.jenkins.io/security/gift/

I'll open an helpdesk issue to figure this out.

[daniel-beck]

Yep, we only add, never delete.

[lemeurherve]

Issue opened: jenkins-infra/helpdesk#3360

[lemeurherve]

Yep, we only add, never delete.

Do you happen to know the reason for that?

[daniel-beck]

My guess (!) is that we just upload using the Azure CLI and never delete what's there.