
Aligning Incentives #9

Open
wesleytodd opened this issue Jul 29, 2021 · 0 comments

Comments

wesleytodd (Contributor) commented Jul 29, 2021

One constant in this discussion has been how we align incentives across the process. Today we only seem to align on one goal: "improving security". But at what cost? Today different parts of the ecosystem make decisions without considering the impact those decisions have on other parts. I would like to provide a forum here for folks to discuss what their incentive structures are, so we can better understand where they overlap and where they diverge.

Maybe we can start here with brainstorming with some user story style perspectives, but I would like to make a doc in the repo about this at some point. I will start with my incentives:

  1. As a maintainer of OSS projects, I want to help my users be the most secure they can. This means responding to security issues quickly and efficiently.
  2. As a maintainer of OSS projects, I do not want false positives clogging up my inbox and brain.
  3. As an employee at a technology company, I want security issues surfaced so I can assess them. I want them to come with enough context that I can understand the issue and address it in my company's products.
  4. As a member of a team dedicated to developer productivity, I want solutions which reduce the burden on the developers I support and improve their ability to assess and remediate security issues.
  5. As a human person who donates my free time, I want to have hobbies that are not merging dependabot PRs and talking with security professionals about the applicability of a CVE on my projects.

mhdawson changed the title from "Aligning Incetives" to "Aligning Incentives" on Jul 30, 2021