[Owasp-board] Initial Funding for OWASP Bug Bounty Program

Jim Manico jim.manico at owasp.org
Mon Apr 18 19:38:29 UTC 2016


Maybe do WOF for the first month and then move to paid bounties? I am
just worried about a flood of LHFs that could break the bank.

And Josh, I'm just commenting. I trust you to make good decisions here.
You likely have your eye on details that I do not see yet.

Aloha,
- Jim

On 4/18/16 9:30 AM, Josh Sokol wrote:
> Agreed on starting with the WoF.  But, does that mean that our initial
> deposit (i.e. the money that we could reward from) should be $0?  Or,
> if someone found something major, would we want to have the ability to
> reward that?
>
> ~josh
>
> On Mon, Apr 18, 2016 at 1:45 PM, Jim Manico <jim.manico at owasp.org
> <mailto:jim.manico at owasp.org>> wrote:
>
>     +1 What a very sensible way to start. Shake out the lower, low-hanging
>     fruit before turning on the money spigot...
>
>     Aloha,
>     Jim
>
>
>     On 4/18/16 8:40 AM, Bil Corry wrote:
>>     Speaking as someone that knows a thing or two about bug bounty
>>     programs, I strongly suggest you start with the wall of fame.
>>     After you've fixed all the found issues and have an understanding
>>     of roughly how many bugs you'll get ongoing, then you can
>>     allocate funds (bounties, swag, etc.) for bugs.  If you do it from
>>     the beginning, I guarantee you'll break the bank.
>>
>>     Also, be sure your terms of service prohibit providing anything
>>     of monetary worth to persons on the sanctions list or persons
>>     residing in sanctioned/embargoed countries.  I'm assuming
>>     BugCrowd is vetting the bug researchers for this.
>>
>>
>>     - Bil
>>
>>     On Mon, Apr 18, 2016 at 4:06 PM, Josh Sokol <josh.sokol at owasp.org
>>     <mailto:josh.sokol at owasp.org>> wrote:
>>
>>         Board,
>>
>>         Now that we have announced BugCrowd as our bug bounty program
>>         platform, it is time to take the next step of figuring out
>>         how much of a bounty we want to start with.  There is no
>>         minimum funding amount (we could do "kudo" bounties if we
>>         want) and we can scale the rewards however we would like for
>>         different categories.  Obviously, money equates to more
>>         motivated researchers.  BugCrowd's recommendation is to fund
>>         the initial pot at $5,000 and go from there.  I think we were
>>         originally talking about just leveraging a Wall of Fame to
>>         start with (i.e. "kudos"), but I wanted to see what others
>>         thought about it.  Should we throw some money into the pot?
>>         How much?  Your feedback is greatly appreciated.
>>
>>         ~josh
>>
>>         _______________________________________________
>>         Owasp-board mailing list
>>         Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
>>         https://lists.owasp.org/mailman/listinfo/owasp-board
>>
>
>
