[Owasp-board] Initial Funding for OWASP Bug Bounty Program

Josh Sokol josh.sokol at owasp.org
Mon Apr 18 19:30:21 UTC 2016

Agreed on starting with the WoF.  But, does that mean that our initial
deposit (ie. the money that we could reward from) should be $0?  Or, if
someone found something major, would we want to have the ability to reward


On Mon, Apr 18, 2016 at 1:45 PM, Jim Manico <jim.manico at owasp.org> wrote:

> +1 What a very sensible way to start. Shake out the lower, low hanging
> fruit before turning on the money spigot...
> Aloha,
> Jim
> On 4/18/16 8:40 AM, Bil Corry wrote:
> Speaking as someone that knows a thing or two about bug bounty programs, I
> strongly suggest you start with the wall of fame.  After you've fixed all
> the found issues and have an understanding of roughly how many bugs you'll
> get on-going, then you can allocate funds (bounties, swag, etc) for bugs.
> If you do it from the beginning, I guarantee you'll break the bank.
> Also, be sure your terms of service prohibit providing anything of
> monetary worth to persons on the sanctions list or persons residing in
> sanctioned/embargoed countries.  I'm assuming Bug Crowd is vetting the bug
> researchers for this.
> - Bil
> On Mon, Apr 18, 2016 at 4:06 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> Board,
>> Now that we have announced BugCrowd as our bug bounty program platform,
>> it is time to take the next step of figuring out how much of a bounty we
>> want to start with.  There is no minimum funding amount (we could do "kudo"
>> bounties if we want) and we can scale the rewards however we would like for
>> different categories.  Obviously, money equates to more motivated
>> researchers.  BugCrowd's recommendation is to fund the initial pot at
>> $5,000 and go from there.  I think we were originally talking about just
>> leveraging a Wall of Fame to start with (ie. "kudos"), but I wanted to see
>> what others thought about it.  Should we throw some money into the pot?
>> How much?  Your feedback is greatly appreciated.
>> ~josh
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
> _______________________________________________
> Owasp-board mailing listOwasp-board at lists.owasp.orghttps://lists.owasp.org/mailman/listinfo/owasp-board
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20160418/b05ae55d/attachment.html>

More information about the Owasp-board mailing list