Gifts for Reporters

We want to show our appreciation to users privately reporting security issues in Jenkins by sending them a small gift. Other projects have "bug bounty" programs with (sometimes significant) rewards for people reporting security issues, but the Jenkins project finances don’t allow us to offer the same.

The Jenkins store is hosted at Cafepress, and we're offering to send you a 40 USD gift card (or, while gift cards are not possible, any selection of store items up to 40 USD in value).

For you to be sent a gift, you will need to be an eligible reporter, and have reported an eligible issue.

Eligible Reporters

Almost everyone is eligible to receive security gifts, with the following exceptions:

  • No maintainers: We of course appreciate it if you tell us about issues in a plugin you maintain, but we're not going to send you stuff. This only applies to maintainers of the affected component: if you maintain one plugin but report issues in other plugins, you're still eligible!

  • No regular contributors: Members of the Jenkins board, officers, team members, and others with an official or semi-official role (e.g. press contacts, SIG leaders) in the Jenkins project are not eligible.

  • No previous recipients: If you’ve received a gift for reporting a security issue in the past, we’re not going to send you another one. Sorry!

Logistical issues may prevent us from delivering. In this case we'll need to work something out (e.g. handing over the gift at an event).

Country Eligibility: As of February 2018, Cafepress only ships to the following countries: AUSTRALIA, AUSTRIA, BELGIUM, CANADA, DENMARK, FINLAND, FRANCE, GERMANY, GREECE, GUERNSEY, IRELAND, ISLE OF MAN, ISRAEL, ITALY, JAPAN, JERSEY, LUXEMBOURG, MONACO, NETHERLANDS, NEW ZEALAND, NORWAY, PORTUGAL, PUERTO RICO, SINGAPORE, SPAIN, SWEDEN, SWITZERLAND, UNITED KINGDOM, UNITED STATES

Eligible Issues

  • Private reports only: Issues need to be reported privately and cannot have been published elsewhere before an advisory was released.

  • Hosted by the Jenkins project: The affected component must primarily be hosted in the jenkinsci GitHub organization and be distributed (directly or bundled with other components) by the Jenkins project.

  • Vulnerabilities only: Sometimes we get reports of issues that turn into improvements, hardening, or are rejected. Issues need to be accepted as vulnerabilities by the Jenkins project.

  • Previously unknown: Only issues the Jenkins security team or maintainers of affected components were previously unaware of are eligible.

  • Fixed and announced: Issues need to have been fixed by a security update and announced in a security advisory.

We also reserve the right to refuse to send a gift for any reason – not something we're likely to do, but just a catch-all rule to prevent someone from gaming the rules.

Process

Once the security issue is resolved and a fix (and advisory) has been published, the reporter of the security issue is eligible for this reward. We’ll generally contact the reporter then to tell them we’d like to send them a gift and, if no gift card is possible, ask about their selection and delivery address. If we forget, feel free to remind us by posting a comment to the security issue you reported.

History

This program was established in April 2015 and applies to issues reported from that point on (first discussion, second discussion). When it was established, we expected that we could send gift cards/codes for Cafepress, but learned afterwards that this is currently not possible.