Trying to understand how the security group could benefit from potential funding: during the meeting today we discussed some ideas on how we could improve Jupyter security and reduce the backlog of unresolved vulnerability reports. The four areas that we bounced around were:
- tools which increase the productivity of security managers, e.g.
  - snyk (I will let others elaborate)
  - sandboxes with various OSes for remediation developers (e.g. to test patches for issues specific to Windows or Mac)
- a bug bounty or another way to encourage submissions, especially if submissions come with a mitigation/patch proposal
  - we discussed that bug bounty programmes are expensive and generate a lot of work (triage/coordination/remediation), so they might be more suitable to pursue in future years
  - we noted that some platforms allow contributing a small amount of money to existing bug bounty wrapper programmes
  - we noted that some high-profile organisations and corporations do not offer monetary rewards at all, and instead encourage submissions by publicising the contribution (social media, an entry on a public, branded website as a badge of honour, on top of standard GitHub credits); this could be well suited for Jupyter and would require mostly the time of a coordinator (rather than a developer) who would take care of it
- a security retreat/working meeting
- dispersing some funds for remediation of existing vulnerability reports (as previously discussed around the never-realised plan to use funds from Tidelift for that), with all its benefits and potential drawbacks as discussed previously
I'm opening the issue for transparency, to highlight that I am looking into what proposals could be submitted for consideration (whether for Jupyter Foundation or for Tidelift fund - if that ever comes to fruition), and to gather more ideas.