[Owasp-board] Initial Funding for OWASP Bug Bounty Program

Josh Sokol josh.sokol at owasp.org
Mon Apr 18 15:18:47 UTC 2016


My thinking is that this bounty would be used for the OWASP Foundation
resources.  The wiki, conference sites, etc.  Projects could participate
with kudos and could self-fund out of their project funds for any bounties
that they would like to pay out.  I still need to work on defining those
rules of engagement, but for now we need to come up with an initial deposit
amount that we feel comfortable transferring to BugCrowd to get this
rolling.

~josh

On Mon, Apr 18, 2016 at 10:07 AM, Matt Konda <matt.konda at owasp.org> wrote:

> Josh,
>
> I would support putting some $ behind this.  Definitely a bounded small
> initial commitment but $.  That will result in better, faster feedback IMO.
>
> I think we need to make sure we think through how it gets used.  90% to a
> smaller lesser known OWASP project and 10% to ZAP for example might be a
> possible problem.  Do we have a rule that project committers can't receive
> bounty?  :)
>
> We could start with a few projects and do the kudos approach and match
> funds that those projects want to use.
>
> I defer to the team that is focused here, just wanted to share my thoughts.
>
> Matt
>
>
> On Mon, Apr 18, 2016 at 9:06 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> Board,
>>
>> Now that we have announced BugCrowd as our bug bounty program platform,
>> it is time to take the next step of figuring out how much of a bounty we
>> want to start with.  There is no minimum funding amount (we could do "kudo"
>> bounties if we want) and we can scale the rewards however we would like for
>> different categories.  Obviously, money equates to more motivated
>> researchers.  BugCrowd's recommendation is to fund the initial pot at
>> $5,000 and go from there.  I think we were originally talking about just
>> leveraging a Wall of Fame to start with (i.e. "kudos"), but I wanted to see
>> what others thought about it.  Should we throw some money into the pot?
>> How much?  Your feedback is greatly appreciated.
>>
>> ~josh
>>
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>
>>
>