We want to show our appreciation to users privately reporting security issues in Jenkins by sending them a small gift. Other projects have "bug bounty" programs with (sometimes significant) rewards for people reporting security issues, but the Jenkins project finances don't allow us to offer the same (we'd love to!).
The Jenkins store is hosted at Cafepress, and we're offering to send you a 40 USD gift card (or, while that's not possible, any selection of up to 40 USD in value).
In general, everyone but contributors to Jenkins (core, infra, …) and contributors to the affected plugin is eligible. This means that maintainers of and contributors to other, unrelated plugins are still eligible!
Please note that if you've received a gift for reporting a security issue in the past, we're not going to send you another one. Sorry!
Logistical issues may prevent us from delivering, in this case we'll need to work something out (e.g. handing over the gift at an event).
As of February 2018, Cafepress only ships to the following countries: AUSTRALIA, AUSTRIA, BELGIUM, CANADA, DENMARK, FINLAND, FRANCE, GERMANY, GREECE, GUERNSEY, IRELAND, ISLE OF MAN, ISRAEL, ITALY, JAPAN, JERSEY, LUXEMBOURG, MONACO, NETHERLANDS, NEW ZEALAND, NORWAY, PORTUGAL, PUERTO RICO, SINGAPORE, SPAIN, SWEDEN, SWITZERLAND, UNITED KINGDOM, UNITED STATES
- The security issue must be reported to us on our private tracker (Jira project SECURITY), and not be published elsewhere before a fix (and advisory, if applicable) has been released.
- Plugin only: The affected plugin repository must be hosted by the Jenkins project, i.e. jenkinsci GitHub organization or svn.jenkins-ci.org.
- Plugin only: The affected plugin is actually distributed from the Jenkins update site at the time the issue was reported, and not excluded from distribution for any reason.
- The security issue is accepted as a vulnerability, and neither rejected nor considered hardening.
- The security issue is not yet known to the team or plugin maintainers.
- The security issue has been fixed and the fix has been released.
We also reserve the right to refuse sending a gift for any reason – not something we're likely to do, but just a catch-all rule to prevent someone from gaming the rules.
Once the security issue is resolved and a fix (and possibly advisory) has been published, the reporter of the security issue is eligible for this reward. We'll generally contact the reporter then to tell them we'd like to send them a gift and, if no gift card is possible, ask about their selection and delivery address. If we forget, feel free to remind us by posting a comment to the security issue you reported.
This program has been established in April 2015 and applies to issues reported from that point on (one, two). When this was established, we assumed that we could send gift cards/codes for Cafepress, but learned afterwards that this is currently not possible.