[Owasp-board] Initial Funding for OWASP Bug Bounty Program

Jim Manico jim.manico at owasp.org
Mon Apr 18 18:45:20 UTC 2016


+1 What a very sensible way to start. Shake out the lower, low-hanging
fruit before turning on the money spigot...

Aloha,
Jim

On 4/18/16 8:40 AM, Bil Corry wrote:
> Speaking as someone that knows a thing or two about bug bounty
> programs, I strongly suggest you start with the wall of fame.  After
> you've fixed all the found issues and have an understanding of roughly
> how many bugs you'll get on-going, then you can allocate funds
> (bounties, swag, etc) for bugs.  If you do it from the beginning, I
> guarantee you'll break the bank.
>
> Also, be sure your terms of service prohibit providing anything of
> monetary worth to persons on the sanctions list or persons residing in
> sanctioned/embargoed countries.  I'm assuming Bug Crowd is vetting the
> bug researchers for this.
>
>
> - Bil
>
> On Mon, Apr 18, 2016 at 4:06 PM, Josh Sokol <josh.sokol at owasp.org>
> wrote:
>
>     Board,
>
>     Now that we have announced BugCrowd as our bug bounty program
>     platform, it is time to take the next step of figuring out how
>     much of a bounty we want to start with.  There is no minimum
>     funding amount (we could do "kudo" bounties if we want) and we can
>     scale the rewards however we would like for different categories. 
>     Obviously, money equates to more motivated researchers. 
>     BugCrowd's recommendation is to fund the initial pot at $5,000 and
>     go from there.  I think we were originally talking about just
>     leveraging a Wall of Fame to start with (i.e. "kudos"), but I
>     wanted to see what others thought about it.  Should we throw some
>     money into the pot?  How much?  Your feedback is greatly appreciated.
>
>     ~josh
>
>     _______________________________________________
>     Owasp-board mailing list
>     Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-board
>
