[Owasp-board] Initial Funding for OWASP Bug Bounty Program
Matt Konda
matt.konda at owasp.org
Mon Apr 18 15:07:09 UTC 2016

Josh,

I would support putting some $ behind this. Definitely a bounded small
initial commitment but $. That will result in better faster feedback IMO.

I think we need to make sure we think through how it gets used. 90% to a
smaller lesser known OWASP project and 10% to ZAP for example might be a
possible problem. Do we have a rule that project committers can't receive
bounty? :)

We could start with a few projects and do the kudos approach and match
funds that those projects want to use.

I defer to the team that is focused here, just wanted to share my thoughts.

Matt

On Mon, Apr 18, 2016 at 9:06 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
> Board,
>
> Now that we have announced BugCrowd as our bug bounty program platform, it
> is time to take the next step of figuring out how much of a bounty we want
> to start with. There is no minimum funding amount (we could do "kudo"
> bounties if we want) and we can scale the rewards however we would like for
> different categories. Obviously, money equates to more motivated
> researchers. BugCrowd's recommendation is to fund the initial pot at
> $5,000 and go from there. I think we were originally talking about just
> leveraging a Wall of Fame to start with (i.e. "kudos"), but I wanted to see
> what others thought about it. Should we throw some money into the pot?
> How much? Your feedback is greatly appreciated.
>
> ~josh