[Owasp-board] Initial Funding for OWASP Bug Bounty Program
josh.sokol at owasp.org
Mon Apr 18 22:48:59 UTC 2016
OK, I am hearing you all loud and clear. I will set the initial funding to
$0 and conduct a WoF approach for OWASP Foundation infrastructure once the
IT issues have been remedied. For the near-term, I will focus on working
with Johanna, Claudia, and others on setting up the requirements for OWASP
Projects to take advantage of the platform sans bounty.
On Mon, Apr 18, 2016 at 2:38 PM, Jim Manico <jim.manico at owasp.org> wrote:
> Maybe do WOF for the first month and then move to paid bounties? I am just
> worried about a flood of LHF's that could break the bank.
> And Josh, I'm just commenting. I trust you to make good decisions here.
> You likely have your eye on details that I do not see yet.
> - Jim
> On 4/18/16 9:30 AM, Josh Sokol wrote:
> Agreed on starting with the WoF. But, does that mean that our initial
> deposit (i.e. the money that we could reward from) should be $0? Or, if
> someone found something major, would we want to have the ability to reward
> On Mon, Apr 18, 2016 at 1:45 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> +1 What a very sensible way to start. Shake out the lower, low hanging
>> fruit before turning on the money spigot...
>> On 4/18/16 8:40 AM, Bil Corry wrote:
>> Speaking as someone that knows a thing or two about bug bounty programs,
>> I strongly suggest you start with the wall of fame. After you've fixed all
>> the found issues and have an understanding of roughly how many bugs you'll
>> get ongoing, then you can allocate funds (bounties, swag, etc.) for bugs.
>> If you do it from the beginning, I guarantee you'll break the bank.
>> Also, be sure your terms of service prohibit providing anything of
>> monetary worth to persons on the sanctions list or persons residing in
>> sanctioned/embargoed countries. I'm assuming Bug Crowd is vetting the bug
>> researchers for this.
>> - Bil
>> On Mon, Apr 18, 2016 at 4:06 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>> Now that we have announced BugCrowd as our bug bounty program platform,
>>> it is time to take the next step of figuring out how much of a bounty we
>>> want to start with. There is no minimum funding amount (we could do "kudo"
>>> bounties if we want) and we can scale the rewards however we would like for
>>> different categories. Obviously, money equates to more motivated
>>> researchers. BugCrowd's recommendation is to fund the initial pot at
>>> $5,000 and go from there. I think we were originally talking about just
>>> leveraging a Wall of Fame to start with (i.e. "kudos"), but I wanted to see
>>> what others thought about it. Should we throw some money into the pot?
>>> How much? Your feedback is greatly appreciated.