[Owasp-board] Initial Funding for OWASP Bug Bounty Program

Bil Corry bil.corry at owasp.org
Mon Apr 18 18:40:52 UTC 2016


Speaking as someone that knows a thing or two about bug bounty programs, I
strongly suggest you start with the wall of fame.  After you've fixed all
the found issues and have an understanding of roughly how many bugs you'll
get on-going, then you can allocate funds (bounties, swag, etc) for bugs.
If you do it from the beginning, I guarantee you'll break the bank.

Also, be sure your terms of service prohibit providing anything of monetary
worth to persons on the sanctions list or persons residing in
sanctioned/embargoed countries.  I'm assuming Bug Crowd is vetting the bug
researchers for this.


- Bil

On Mon, Apr 18, 2016 at 4:06 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> Board,
>
> Now that we have announced BugCrowd as our bug bounty program platform, it
> is time to take the next step of figuring out how much of a bounty we want
> to start with.  There is no minimum funding amount (we could do "kudo"
> bounties if we want) and we can scale the rewards however we would like for
> different categories.  Obviously, money equates to more motivated
> researchers.  BugCrowd's recommendation is to fund the initial pot at
> $5,000 and go from there.  I think we were originally talking about just
> leveraging a Wall of Fame to start with (ie. "kudos"), but I wanted to see
> what others thought about it.  Should we throw some money into the pot?
> How much?  Your feedback is greatly appreciated.
>
> ~josh
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20160418/9ae25e34/attachment.html>


More information about the Owasp-board mailing list