Skip to content
This repository has been archived by the owner on Nov 16, 2022. It is now read-only.

onboard @EdOverflow #952

Closed
EdOverflow opened this issue Dec 22, 2016 · 33 comments
Closed

onboard @EdOverflow #952

EdOverflow opened this issue Dec 22, 2016 · 33 comments

Comments

@EdOverflow
Copy link
Contributor

Hi Gratipay team,

My name is Ed and I am a web developer and a security researcher.

I hope by joining the blue team that I will be able to:

  • Help protect Gratipay's customers from security vulnerabilities.
  • Investigate, diagnose and fix security issues on your HackerOne program.
@chadwhitacre
Copy link
Contributor

Huzzah! So ... you're off and running making PRs. May I add you to our GitHub org so you can make them on branches in the main repo here?

@EdOverflow
Copy link
Contributor Author

OK, sure. 😃

@chadwhitacre
Copy link
Contributor

Yay! Invited! 💃

@EdOverflow
Copy link
Contributor Author

Thanks. :)

@chadwhitacre
Copy link
Contributor

May I also add you to our weekly money distribution? :-)

@EdOverflow
Copy link
Contributor Author

I'll need to get that set up and will let you know when I am ready.

@chadwhitacre
Copy link
Contributor

@EdOverflow May I add you as a "coordinator" in Transifex for French and German? That will enable you to self-review your own translations and review the translations of others. Do to limitations of Transifex, all translations must be marked as reviewed before we can deploy them.

@EdOverflow
Copy link
Contributor Author

OK, great!

@chadwhitacre
Copy link
Contributor

Done!

@chadwhitacre
Copy link
Contributor

@EdOverflow Got your @gratipay/security team request and approved it. 👍

@EdOverflow
Copy link
Contributor Author

EdOverflow commented Dec 22, 2016

Thank you. Would it be possible to add me to your HackerOne program?

On top of that, could you please allow issue submissions on @gratipay/security?

@chadwhitacre
Copy link
Contributor

Would it be possible to add me to your HackerOne program?

Invite sent!

could you please allow issue submissions on @gratipay/security?

I think you mean on the https://github.com/gratipay/security repo, ya? Why do you want to use that instead of HackerOne (for private things) or the inside.gratipay.com repo (for public things)?

@EdOverflow
Copy link
Contributor Author

Never mind I just realised that Gratipay members report vulnerabilities on HackerOne too.

@EdOverflow
Copy link
Contributor Author

Hi @whit537,

I have set up my Gratipay account: https://gratipay.com/~EdOverflow/. Feel free to add me to your weekly money distribution when you find time.

@chadwhitacre
Copy link
Contributor

@EdOverflow We're close! The last thing we need is a national identity on file for you. We ask for this so that we can handle taxes appropriately. Are you willing to share that info with us? I invite you to review our security practices around storing your PII, as well as our audit of the symmetric encryption library we're using.

@chadwhitacre
Copy link
Contributor

Also, do you ever use Slack? I invite you to join us there for real-time chat if you're interested. :)

@chadwhitacre
Copy link
Contributor

e.g. ;-)

@chadwhitacre
Copy link
Contributor

Following up from gratipay/gratipay.com#4263 and gratipay/gratipay.com#4262 ... have you used GitHub projects at all? We're finding those to be helpful for organizing larger-scale projects that transcend a single ticket or repo. There are "✈️ Flight Deck ✈️" labels in gratipay.com and inside.gratipay.com that you can apply to tickets such as the ones you created, which can provide a place to coordinate work happening across all of the tickets in a given project.

We are also finding GitHub projects helpful for keeping track of what each of us is personally paying attention to. Those are what the "Radar" and "Queue" projects are for. I invite you to create a radar/queue project for yourself where you can publish for the rest of us what you are working on.

P.S. In general, please use organization-scope projects instead of repo-specific projects, so that the rest of us only have one place to look to discover projects.

@chadwhitacre
Copy link
Contributor

We use LastPass to manage some passwords, now including report-uri.io. Would you like access to our report-uri.io account? What email address should I use to invite you to LastPass? (You can tell me privately on [email protected] if you're not comfortable sharing here.)

@chadwhitacre
Copy link
Contributor

@EdOverflow I received your email and sent invites for both Slack and LastPass.

@EdOverflow
Copy link
Contributor Author

Thanks @whit537! You are always on the ball.

@chadwhitacre
Copy link
Contributor

Except when I'm not! ☺️ 🏀

@chadwhitacre
Copy link
Contributor

@EdOverflow I am seeing a lot of ambition from you:

That's great! It's also a lot to bite off and chew. :-)

Can I help you think through your priorities and how to pace yourself and what your expectations are and how you plan to get all of these ambitious projects done? I don't want to see you get swamped and frustrated because progress is too slow. How do you see these three projects relating to one another?

@EdOverflow
Copy link
Contributor Author

EdOverflow commented Dec 31, 2016

These are my goals for 2017. I have a clear plan with everything in order of priority. Obviously there is no way I can do all of this on my own, but I hope by communicating with the team, we can organise this together and get everything done.

Project Name Priority Score Description Notes
Full Security Report 10 Set clear guidelines for developers and ensure there is a clear security process at Gratipay. On top of that, I believe Gratipay needs to have a threat model. I will make this my biggest priority and will work on this publicly in small steps. I might need input from fellow Gratipay members.
Full Performance Report 7 Set clear guidelines for developers when coding, in order to improve Gratipay's performance. This is the easiest of all my goals, since I have already done a lot of testing.
Complete Redesign 4 Redesign Gratipay's website. Create a landing page and a style guide. Although this is linked to the performance report, this aim is actually a little more complex. I hope to organise a team of designers + developers and follow the "Performace Report" guidelines. This is where all the points raised in the "Performance Report" become reality.

Thank you for being concerned @whit537. I wish you and the Gratipay team a happy New Year. 🎉🎉🎉

On a side note, I want to introduce the team to more tools by Scott Helme (report-uri.io, securityheaders.io, hardenize.com) and then document the process of how we used them and how we improved our platform's security (This does not directly belong to the "Security Report").

@chadwhitacre
Copy link
Contributor

Awesome, looking forward to working together in 2017! 💃

!m @EdOverflow

@EdOverflow
Copy link
Contributor Author

@whit537: Would you like access to our report-uri.io account?

Yes, please.

@chadwhitacre
Copy link
Contributor

I find a password for report-uri.io in 1password, but it does not appear to work. I issued a password reset and received the mail, but when I click the button in the email I just get the asset png(?). Not sure if that's a bug in Report URI or Freshdesk.

screen shot 2017-07-10 at 12 40 43 pm

@chadwhitacre
Copy link
Contributor

I'm considering gratipay/gratipay.com#4526 instead.

@EdOverflow
Copy link
Contributor Author

@whit537 Scott Helme believes that this is a Zendesk issue.

@chadwhitacre
Copy link
Contributor

Could be (though it's Freshdesk, not Zendesk).

I've sent a Sentry invite to the email you have on file on Gratipay.

@EdOverflow
Copy link
Contributor Author

Could be (though it's Freshdesk, not Zendesk).

🤦‍♂️

I've sent a Sentry invite to the email you have on file on Gratipay.

Thank you and accepted.

@chadwhitacre
Copy link
Contributor

chadwhitacre commented Jul 22, 2017

Per slack I've granted @EdOverflow admin perms on HackerOne.

This group has Admin and Program permissions

Specifically to work on defining scope.

@chadwhitacre
Copy link
Contributor

Per slack (scroll down?) I've granted @EdOverflow agent permissions on Freshdesk to respond to security@ emails.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

2 participants