[Owasp-board] Initial Funding for OWASP Bug Bounty Program

Mishra Dhiraj mishra.dhiraj95 at gmail.com
Tue Apr 19 00:43:56 UTC 2016

Sorry to Interrupt all @Sir , Been a first Bug Hunter , i also want to be in , in this program and contribute my self please allow me sir , i hope i may help in this.

From: Jim Manico
Sent: 19 April 2016 01:09 AM
To: Josh Sokol
Cc: OWASP Board List
Subject: Re: [Owasp-board] Initial Funding for OWASP Bug Bounty Program

Maybe do WOF for the first month and then move to paid bounties? I am just worried about a flood of LHF's that could break the bank.

And Josh, I'm just commenting. I trust you to make good decisions here. You likely have your eye on details that I do not see yet.

- Jim
On 4/18/16 9:30 AM, Josh Sokol wrote:
Agreed on starting with the WoF.  But, does that mean that our initial deposit (ie. the money that we could reward from) should be $0?  Or, if someone found something major, would we want to have the ability to reward that?

On Mon, Apr 18, 2016 at 1:45 PM, Jim Manico <jim.manico at owasp.org> wrote:
+1 What a very sensible way to start. Shake out the lower, low hanging fruit before turning on the money spigot...


On 4/18/16 8:40 AM, Bil Corry wrote:
Speaking as someone that knows a thing or two about bug bounty programs, I strongly suggest you start with the wall of fame.  After you've fixed all the found issues and have an understanding of roughly how many bugs you'll get on-going, then you can allocate funds (bounties, swag, etc) for bugs.  If you do it from the beginning, I guarantee you'll break the bank.

Also, be sure your terms of service prohibit providing anything of monetary worth to persons on the sanctions list or persons residing in sanctioned/embargoed countries.  I'm assuming Bug Crowd is vetting the bug researchers for this.

- Bil

On Mon, Apr 18, 2016 at 4:06 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
Now that we have announced BugCrowd as our bug bounty program platform, it is time to take the next step of figuring out how much of a bounty we want to start with.  There is no minimum funding amount (we could do "kudo" bounties if we want) and we can scale the rewards however we would like for different categories.  Obviously, money equates to more motivated researchers.  BugCrowd's recommendation is to fund the initial pot at $5,000 and go from there.  I think we were originally talking about just leveraging a Wall of Fame to start with (ie. "kudos"), but I wanted to see what others thought about it.  Should we throw some money into the pot?  How much?  Your feedback is greatly appreciated.

Owasp-board mailing list
Owasp-board at lists.owasp.org

Owasp-board mailing list
Owasp-board at lists.owasp.org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20160419/d6205430/attachment-0001.html>

More information about the Owasp-board mailing list