Security bounties on Web bugs



Hello maintainers, and everyone else too,

Hubert, Federico, Spider and I have been working on finding suitable
issues for the Privacy Campaign[1] funds and we came up with two
issues in Web which fall under the privacy domain.

The first of the two is to have HTTPS-everywhere by default (see the
EFF plugin for Firefox for an idea[2]). Optionally, it could also
refuse mixed-page content (https site loading http content) with an
overwritable warning or similar. We would like to propose a bounty of
USD 500.00 for full implementation and merging of the feature.
So our questions are: is this something which you would be willing to
accept in Web? Do you consider the bounty to be suitable based on the
difficulty of the issue?

The second is the addition of certificate management and TLS issues
(bug 721283 [3]). We would like to propose a bounty of USD ~2500 split
into a few parts based on discrete tasks. Some ideas for the breakdown
are:
* Untrusted certificate (self-signed or untrusted issuer: https://ca.modio.se/)
* Certificate changed / authority changed between visits
* Import client certificate
* Certificate overview / details about trust
* Good error messages and dialogues
* Inspect or export certificate
Spider would be happy to be the contact for usefulness assessment of
the dialogs/UI changes as this is an area in which he is very
knowledgeable. As before, the questions to the Web maintainers are
whether this is something that you would accept, and whether the
suggested bounty is sane given our assessment of the work involved.

The format of the bidding is that we will take care of all the
administrative overheads, while the Web maintainers would need to
review the code until it is complete and in a satisfactory state for
merging/long term maintenance. This will need commitment from the
maintainers to offer patch reviews in a timely manner (or even
implement the features themselves).

I would personally love to see these two issues offered for bounties
as I feel that they are probably the ones which will have the most
impact on users out of all the ones that we have been looking at.


Thanks
Kat

[1] https://www.gnome.org/news/2013/07/gnome-raises-20000-to-enhance-security-and-privacy/
[2] https://www.eff.org/https-everywhere
[3] https://bugzilla.gnome.org/show_bug.cgi?id=721283
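The first proposal asks Web to refuse mixed content, that is, an https page pulling in http subresources. The following is an added example, not code from Web/Epiphany or from this thread, showing the check a browser has to make: resolve every subresource URL against the page URL, flag those that end up on plain http, and separate "active" content (scripts, stylesheets, frames, plugins, which can take over the page) from "passive" content (images, media, which can only be observed or swapped). The HTML, host names and the block/warn/allow policy are constructed for the example; protocol-relative URLs (`//cdn.example/app.js`) are included to show that they inherit https and are not mixed content.

```python
"""Added example (not GNOME Web code): classify mixed content on an https page.
The sample page and host names below are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Subresources that execute or restyle the page: an attacker on the path who
# replaces one of these owns the whole page ("active" mixed content).
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
# Subresources that are only rendered ("passive" mixed content).
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    """Collect (severity, tag, absolute_url) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        if urlsplit(page_url).scheme.lower() != "https":
            raise ValueError("mixed content is only defined for https pages")
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "link":
            # Only stylesheets can rewrite the page; icons, prefetch etc. are passive.
            rel = (attrs.get("rel") or "").lower()
            severity, value = ("active" if rel == "stylesheet" else "passive"), attrs.get("href")
        elif tag in ACTIVE:
            severity, value = "active", attrs.get(ACTIVE[tag])
        elif tag in PASSIVE:
            severity, value = "passive", attrs.get(PASSIVE[tag])
        else:
            return
        if not value:
            return
        # Relative and protocol-relative references inherit the page's scheme
        # (https), so only references that resolve to http:// are mixed content.
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme.lower() == "http":
            self.findings.append((severity, tag, absolute))


def scan_page(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def policy(findings):
    """Constructed policy matching the proposal: refuse active mixed content,
    warn (overridably) about passive mixed content, otherwise allow."""
    severities = {severity for severity, _, _ in findings}
    if "active" in severities:
        return "block"
    if "passive" in severities:
        return "warn"
    return "allow"


# Constructed sample page: two genuine mixed-content references (stylesheet and
# image over http), one protocol-relative script and one same-origin script
# that both resolve to https, and an https iframe.
SAMPLE_PAGE_URL = "https://shop.example/cart"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="//cdn.example/app.js"></script>
<script src="/local.js"></script>
</head><body>
<img src="http://images.example/logo.png">
<iframe src="https://embed.example/widget"></iframe>
</body></html>
"""

if __name__ == "__main__":
    found = scan_page(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for severity, tag, url in found:
        print(f"{severity:7} <{tag}> {url}")
    print("decision:", policy(found))
```

A real implementation sits on the network layer rather than on the HTML, so that fetches started by CSS (`url(...)`), XHR and WebSocket connections are covered too; the scanner above only shows the classification logic.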

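The certificate bullets ("untrusted certificate", "certificate changed / authority changed between visits") describe a trust-on-first-use record kept per host next to the normal CA check. The following is an added example, not Web/Epiphany code and not an API of WebKitGTK or GnuTLS, sketching that logic: a certificate is reduced to its SHA-256 fingerprint plus issuer and subject names, the fingerprint last accepted for a host is remembered, and each new connection is classified as unchanged, renewed by the same issuer, or signed by a different authority. The trust store contents, certificate bytes and host names are constructed placeholders, not real certificates. The decision function proceeds silently only for a certificate the user has already accepted or for a trusted certificate that is new or renewed; a self-signed certificate, an untrusted issuer or a change of authority always goes to a warning dialogue, and the exception is recorded only when the caller reports that the user accepted it.

```python
"""Added example (not GNOME Web code): trust-on-first-use bookkeeping for the
certificate seen per host. Certificates here are dicts with 'subject',
'issuer' and 'der' keys; the values used below are constructed placeholders."""
import hashlib

# Constructed stand-in for the system trust store.
TRUSTED_ISSUERS = {"Example Root CA", "Example Intermediate CA"}


def fingerprint(der):
    """SHA-256 over the DER encoding, the usual identity of a certificate."""
    return hashlib.sha256(der).hexdigest()


def trust_state(cert):
    """Static trust: does the issuer chain to something we trust?"""
    if cert["issuer"] == cert["subject"]:
        return "self-signed"
    if cert["issuer"] not in TRUSTED_ISSUERS:
        return "untrusted-issuer"
    return "trusted"


class CertHistory:
    """Per-host record of the certificate the user last accepted."""

    def __init__(self):
        self._accepted = {}  # host -> {"issuer": ..., "fingerprint": ...}

    def compare(self, host, cert):
        fp = fingerprint(cert["der"])
        prev = self._accepted.get(host)
        if prev is None:
            return "first-visit"
        if prev["fingerprint"] == fp:
            return "unchanged"
        if prev["issuer"] != cert["issuer"]:
            return "issuer-changed"   # the proposal's "authority changed between visits"
        return "rotated"              # same issuer, new certificate: a normal renewal

    def accept(self, host, cert):
        """Record the certificate, either automatically or after a user override."""
        self._accepted[host] = {"issuer": cert["issuer"],
                                "fingerprint": fingerprint(cert["der"])}


def assess(history, host, cert):
    """Return (decision, trust, change). 'proceed' connects silently and records
    the certificate; 'prompt' means the UI must show a warning, and the caller
    calls history.accept() only if the user chooses to continue."""
    trust = trust_state(cert)
    change = history.compare(host, cert)
    if change == "unchanged":
        # Exactly the certificate the user already accepted (possibly an
        # exception for a self-signed cert): no reason to ask again.
        return ("proceed", trust, change)
    if trust == "trusted" and change in ("first-visit", "rotated"):
        history.accept(host, cert)
        return ("proceed", trust, change)
    return ("prompt", trust, change)


if __name__ == "__main__":
    history = CertHistory()
    shop = {"subject": "shop.example", "issuer": "Example Intermediate CA",
            "der": b"constructed-cert-1"}
    print(assess(history, "shop.example", shop))
    print(assess(history, "shop.example", dict(shop, der=b"constructed-cert-2")))
    hijack = {"subject": "shop.example", "issuer": "Other CA", "der": b"constructed-cert-3"}
    print(assess(history, "shop.example", hijack))
```

Note that with this policy a trusted certificate from a different trusted CA still prompts, which is what the proposal asks for but stricter than mainstream browsers; relaxing that is a one-line change in `assess`. A real store also needs an expiry for remembered exceptions and must key on the exact host name the user typed, not on the certificate's subject.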
