An employee at EpicGames wants me to fill out this questionnaire to use my OSS(twitter.com)
twitter.com
An employee at EpicGames wants me to fill out this questionnaire to use my OSS
https://twitter.com/geerlingguy/status/1542589998725300229
35 comments
Yep, even with certification you'll get these from time to time.
Two options:
1) point them to your existing policies and processes for SOC2, IRAP, ISO27001 and similar, the questionnaire is already filled
2) fill it out as best you can if it's going to earn you bank.
Two options:
1) point them to your existing policies and processes for SOC2, IRAP, ISO27001 and similar, the questionnaire is already filled
2) fill it out as best you can if it's going to earn you bank.
Yep, somehow this project got included in a spreadsheet of vendors, and somebody told the new guy in the compliance department, "email this compliance form to all of the vendors in this spreadsheet".
This is a missed opportunity. Ask epic nicely for $5k to fill the form, offer it done a week after the check clears.
Worst they can say is no.
Worst they can say is no.
This is The Way. It also inevitably comes with a written agreement.
What always gives me pause with this is that my open source software comes with no warranty and I don't want to compromise the license terms. So nailing down the written agreement (what are they going to do with it, and what are they attempting to hold you liable for?) is an opportunity to address that.
(Full disclosure: haven't had this come up in well over a decade.)
What always gives me pause with this is that my open source software comes with no warranty and I don't want to compromise the license terms. So nailing down the written agreement (what are they going to do with it, and what are they attempting to hold you liable for?) is an opportunity to address that.
(Full disclosure: haven't had this come up in well over a decade.)
$5k also doesn't sound like a whole lot of money to give a guarantee about the security of your FOSS code. Unless I were already rather confident about it, it would take work for me to convince myself about it to the extent that I would be willing to answer a hundred questions on someone else's form. $5k isn't necessarily that much of a compensation for that kind of work, unless you're also gaining something from the work itself (e.g. from reviewing the security of your code for its own sake).
I don't know if filling and returning these kinds of forms can have any kinds of legal implications, but if it did, even potentially, there's no way I'd do that for $5k unless I were in absolutely dire need of that money.
I don't know if filling and returning these kinds of forms can have any kinds of legal implications, but if it did, even potentially, there's no way I'd do that for $5k unless I were in absolutely dire need of that money.
I'm not the person who said "$5K". But it's not about the money per se. Mooting a number is the polite way to say you're open minded to assisting them.
Maybe they'll share a third party audit of your code with you.
Maybe the written agreement reiterates "you agree to be bound by the license terms and FULLY UNDERSTAND AND ACCEPT ALL LIABILITY" and you still get $5K.
Besides at the negotiation stage it's still plus costs. It's been a decade, but if you spend $20K on lawyers and liability insurance and they pay you $25K, you still make $5K.
Maybe they'll share a third party audit of your code with you.
Maybe the written agreement reiterates "you agree to be bound by the license terms and FULLY UNDERSTAND AND ACCEPT ALL LIABILITY" and you still get $5K.
Besides at the negotiation stage it's still plus costs. It's been a decade, but if you spend $20K on lawyers and liability insurance and they pay you $25K, you still make $5K.
More than $5k. Just recovering your associated costs will be a couple $k:
A lawyer to help negotiate a contract. If you find someone who is familiar with OSS and isn’t in a big firm, this might be $1k or so.
Liability insurance.
Any incorporation costs if you choose to incorporate, which (in the US, I’m not a lawyer, and this is not advice) you should seriously consider if you start making money from independent work.
Throw in a bit of support and you might get paid fairly well. Keep in mind that the fact that you got asked for this means that someone wants to use your work enough that they asked the procurement department to set it up.
A lawyer to help negotiate a contract. If you find someone who is familiar with OSS and isn’t in a big firm, this might be $1k or so.
Liability insurance.
Any incorporation costs if you choose to incorporate, which (in the US, I’m not a lawyer, and this is not advice) you should seriously consider if you start making money from independent work.
Throw in a bit of support and you might get paid fairly well. Keep in mind that the fact that you got asked for this means that someone wants to use your work enough that they asked the procurement department to set it up.
If they accepted the offer this would actually create a Catch22 chicken-and-the-egg situation where they can't employ a non-approved vendor.
Also: filling this in can open up liability. There's no way you get it all accurate, and in the event of a breech (e.g. supply chain attack where you get hacked leading to them getting hacked) they could argue that you misrepresented or didn't comply with your stated response.
So the 5k which could never be paid might also not be worth it.
Also: filling this in can open up liability. There's no way you get it all accurate, and in the event of a breech (e.g. supply chain attack where you get hacked leading to them getting hacked) they could argue that you misrepresented or didn't comply with your stated response.
So the 5k which could never be paid might also not be worth it.
I really get an itchy feeling I'd love to fill this in and send it back.
Q: Detailed policies blah blah management of Epic Confidential Data? A: I'll sell it to the highest bidder, unless they want me to fill in some stupid questionnaire first.
Q: Detailed policies blah blah management of Epic Confidential Data? A: I'll sell it to the highest bidder, unless they want me to fill in some stupid questionnaire first.
Q: Provide a detailed Data Flow Diagram. This diagram should provide a detailed, step-by-step description of how data...
A: Data comes in, data goes out. You can't explain that.
A: Data comes in, data goes out. You can't explain that.
It's very common to ask this kind of stuff to software vendors.
Probably some intern or manager with no clue about open source made a mistake there. Better take it to Twitter to get those nice re-tweets, inside of writing a simple email to explain the mistake...
Probably some intern or manager with no clue about open source made a mistake there. Better take it to Twitter to get those nice re-tweets, inside of writing a simple email to explain the mistake...
I don’t really understand why someone would take this to twitter instead of just replying with a quote or ignoring it.
Because Jeff Geerling is an internet personality and uses opportunities like this for publicity.
lol
For extra lulz - "I think I'll crowd source advice from teh intarwebs - what could go wrong"
Seriously Jeff, you do great stuff - I always enjoy your writeups and videos.
[edit] mispelt name
Seriously Jeff, you do great stuff - I always enjoy your writeups and videos.
[edit] mispelt name
It's of interest to his audience specifically, and to the wider internet.
I've had my security team ask for this sort of thing before. I laughed at them and didn't send it because I understand the way this works, but they didn't and were following their new vendor requirements process. Get a swe in the middle who doesn't and voila
Or you could fill out the form in such a way as to guarantee they won't pass their audit, submit it and then tell them you're available as a consultant to fix the problems they identified in the code.
We blanket send these to every vendor we use, but OSS doesn't qualify and would not get one of these from me.
[deleted]
That is just insane behavior
Wow who knew Red Shirt Jeff worked for Epic Games.
not surprising in the slightest. corporate security's gonna corporate security
Meet my open source pseudorandom number generator script.
I'm surprised the reaction is 'how they dare'. If you are personally contacted by one of the biggest game company wich would want to use one of your tools, a better response would've be a contract offer no (without trying to be TOO greedy and ask for ridiculous amounts) ?
Haha yeah no, Epic Games is a software company, they should have known better, period. Asking for free labor from people who already created a free product you want to use is disrespectful and clearly incompetent. It's not my responsibility to arrange your business, and make a reasonable counter-offer. I'd just want to say "no, thanks but no thanks" and risk Epic Games not utilizing my OSS project. If they think that's too bad for them, it's their responsibility to then follow up and make a $$$ offer for the labor they request.
In fact my point is : I don't find a citation of the mail stating they refused to pay. What I understand of the twitter feed is :
- someone sent a (probably mass vendor targeted) mail asking for a form filling.
- The author interpreted they wanted it for free (which is not even absurd : some open source project have commercial licences and could use both a whatever security standard compliance to gain commercial value AND the legit right to add a big company name on his website) and was outraged because the email didn't contain a commercial offer.
I may be wrong, but IF the mail was really targeted at him (other comment point a believable theory : the security guy mass sent the mail to every 'vendor' lib in the folder, either by mistake or lack of caring) he just panicked and (if he wanted money) missed a business opportunity by either sending a quote for the form filing, trying to negociate an enterprise grade support/consulting or just politely responded "I'm an open source free code provider and have no financial interst in being used by you. Have a nice day."
I have been requested heavy paperwork kiling to allow my work as freelance to be used with 'big client', sended bills for it, and never had a problem with it. Never the funniest part of the project, but money is money.
- someone sent a (probably mass vendor targeted) mail asking for a form filling.
- The author interpreted they wanted it for free (which is not even absurd : some open source project have commercial licences and could use both a whatever security standard compliance to gain commercial value AND the legit right to add a big company name on his website) and was outraged because the email didn't contain a commercial offer.
I may be wrong, but IF the mail was really targeted at him (other comment point a believable theory : the security guy mass sent the mail to every 'vendor' lib in the folder, either by mistake or lack of caring) he just panicked and (if he wanted money) missed a business opportunity by either sending a quote for the form filing, trying to negociate an enterprise grade support/consulting or just politely responded "I'm an open source free code provider and have no financial interst in being used by you. Have a nice day."
I have been requested heavy paperwork kiling to allow my work as freelance to be used with 'big client', sended bills for it, and never had a problem with it. Never the funniest part of the project, but money is money.
I just didn't respond. I don't particularly like Epic Games anyways, and it's honestly not worth my time, since they'll likely end up using my role or forking it anyways. I mean, that's why I slapped the MIT license on it!
I get around 50 unsolicited emails a day, many asking for help with my OSS projects, but rarely is there something as cookie-cutter as this that's not outright spam.
I wasn't outraged, more like bemused that they'd think an OSS maintainer for a small personal project would care to spend hours working on security documentation for a little project that's like 1 KB of code.
I get around 50 unsolicited emails a day, many asking for help with my OSS projects, but rarely is there something as cookie-cutter as this that's not outright spam.
I wasn't outraged, more like bemused that they'd think an OSS maintainer for a small personal project would care to spend hours working on security documentation for a little project that's like 1 KB of code.
I'm glad for you to hear it was a "rational" response and you were really not interested. The fact the project was 1KB of code was also unknown of me be reading the tweets, and explain furthermore the reaction :)
Surely they should be offering to pay if they're one of the biggest games companies and want you to fill out a form.
If someone's giving something away for free you don't ask for a guarantee, and if you want one for what ever reason you should offer to pay.
You mention greed, but epic seems to be the one wanting the cake and eating it too.
So yes I agree with the "how dare they".
If someone's giving something away for free you don't ask for a guarantee, and if you want one for what ever reason you should offer to pay.
You mention greed, but epic seems to be the one wanting the cake and eating it too.
So yes I agree with the "how dare they".
Funny, probably a cultural thing, in France (in my experience, it maybe depend the context) when you have a special request from a professional entity (company or freelance), you describe your need, the professional say if he can do it, and make a quote. But the client never talk money first.
They never said they would no pay a dime, just stated a request.
If they were asking a company/corporation, yeah, maybe.
But this is a small open source project with a single maintainer on a personal account on GitHub.
But this is a small open source project with a single maintainer on a personal account on GitHub.
crazy, unforgivable behaviour. also they kight use this to make the code proprietary and takedown the original project because why the fuck won't they do that.
turns out this was a very uninformed opinion. my bad
In this case I suspect the employee in question simply misunderstood the company process, and had no malicious intent.