Going beyond basic good practices, I think that mandating higher levels of "good practice" is going to get pushback from obviously security-conscious projects which just have their own way of doing things.
However, I do think that documenting what a user can and cannot expect from an application in terms of security would be a good way to provide next level assurance. I think providing a template/form to produce the security specification might help both the developer in thinking it out and researchers in understanding where there are vulnerabilities. Mostly I think writing down the spec helps the developer to think about what APIs they are providing.
Furthermore, I think it would be really cool if there was an escrow for bug bounties and a standardized place for researchers to report and collect. Sure, this will not stack up to the big offerings that professionals can get on zero-day markets, but a small bug bounty escrow system would facilitate relatively small bounties for review of small projects which have possibly never been reviewed and could help CS students get involved in open source.
Okay, I think we'll try to add something about documenting security expectations. We'll draft something in doc/other.md, and we can discuss from there. I'm closing this issue, as we can discuss it once it's better-drafted.