[Owasp-board] Initial Funding for OWASP Bug Bounty Program

Josh Sokol josh.sokol at owasp.org
Mon Apr 18 22:48:59 UTC 2016


OK, I am hearing you all loud and clear.  I will set the initial funding to
$0 and conduct a WoF approach for OWASP Foundation infrastructure once the
IT issues have been remedied.  For the near-term, I will focus on working
with Johanna, Claudia, and others on setting up the requirements for OWASP
Projects to take advantage of the platform sans bounty.

~josh

On Mon, Apr 18, 2016 at 2:38 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Maybe do WOF for the first month and then move to paid bounties? I am just
> worried about a flood of LHF's that could break the bank.
>
> And Josh, I'm just commenting. I trust you to make good decisions here.
> You likely have your eye on details that I do not see yet.
>
> Aloha,
> - Jim
>
>
> On 4/18/16 9:30 AM, Josh Sokol wrote:
>
> Agreed on starting with the WoF.  But, does that mean that our initial
> deposit (i.e. the money that we could reward from) should be $0?  Or, if
> someone found something major, would we want to have the ability to reward
> that?
>
> ~josh
>
> On Mon, Apr 18, 2016 at 1:45 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> +1 What a very sensible way to start. Shake out the lower, low hanging
>> fruit before turning on the money spigot...
>>
>> Aloha,
>> Jim
>>
>>
>> On 4/18/16 8:40 AM, Bil Corry wrote:
>>
>> Speaking as someone who knows a thing or two about bug bounty programs,
>> I strongly suggest you start with the wall of fame.  After you've fixed all
>> the found issues and have an understanding of roughly how many bugs you'll
>> get on-going, then you can allocate funds (bounties, swag, etc) for bugs.
>> If you do it from the beginning, I guarantee you'll break the bank.
>>
>> Also, be sure your terms of service prohibit providing anything of
>> monetary worth to persons on the sanctions list or persons residing in
>> sanctioned/embargoed countries.  I'm assuming Bug Crowd is vetting the bug
>> researchers for this.
>>
>>
>> - Bil
>>
>> On Mon, Apr 18, 2016 at 4:06 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>>> Board,
>>>
>>> Now that we have announced BugCrowd as our bug bounty program platform,
>>> it is time to take the next step of figuring out how much of a bounty we
>>> want to start with.  There is no minimum funding amount (we could do "kudo"
>>> bounties if we want) and we can scale the rewards however we would like for
>>> different categories.  Obviously, money equates to more motivated
>>> researchers.  BugCrowd's recommendation is to fund the initial pot at
>>> $5,000 and go from there.  I think we were originally talking about just
>>> leveraging a Wall of Fame to start with (i.e. "kudos"), but I wanted to see
>>> what others thought about it.  Should we throw some money into the pot?
>>> How much?  Your feedback is greatly appreciated.
>>>
>>> ~josh
>>>
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>
>>>
>>
>>
>>
>>
>>
>
>

