[Owasp-board] Initial Funding for OWASP Bug Bounty Program

Josh Sokol josh.sokol at owasp.org
Tue Apr 19 03:04:07 UTC 2016


We can absolutely award with other things.  T-shirts, bumper stickers,
OWASP memberships, conference passes, etc.

~josh

On Mon, Apr 18, 2016 at 9:49 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
wrote:

> Instead of (only) paid bounties and WoF, would BugCrowd allow something
> like paid for OWASP membership for N years or free admittance to any of our
> yearly sponsored AppSec conferences? That might give us some additional
> options if BugCrowd accepts that sort of thing.
>
> -kevin
> Sent from my Droid; please excuse typos.
> On Apr 18, 2016 3:39 PM, "Jim Manico" <jim.manico at owasp.org> wrote:
>
>> Maybe do WOF for the first month and then move to paid bounties? I am
>> just worried about a flood of LHF's that could break the bank.
>>
>> And Josh, I'm just commenting. I trust you to make good decisions here.
>> You likely have your eye on details that I do not see yet.
>>
>> Aloha,
>> - Jim
>>
>> On 4/18/16 9:30 AM, Josh Sokol wrote:
>>
>> Agreed on starting with the WoF.  But, does that mean that our initial
>> deposit (ie. the money that we could reward from) should be $0?  Or, if
>> someone found something major, would we want to have the ability to reward
>> that?
>>
>> ~josh
>>
>> On Mon, Apr 18, 2016 at 1:45 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> +1 What a very sensible way to start. Shake out the lower, low hanging
>>> fruit before turning on the money spigot...
>>>
>>> Aloha,
>>> Jim
>>>
>>>
>>> On 4/18/16 8:40 AM, Bil Corry wrote:
>>>
>>> Speaking as someone that knows a thing or two about bug bounty programs,
>>> I strongly suggest you start with the wall of fame.  After you've fixed all
>>> the found issues and have an understanding of roughly how many bugs you'll
>>> get on-going, then you can allocate funds (bounties, swag, etc) for bugs.
>>> If you do it from the beginning, I guarantee you'll break the bank.
>>>
>>> Also, be sure your terms of service prohibit providing anything of
>>> monetary worth to persons on the sanctions list or persons residing in
>>> sanctioned/embargoed countries.  I'm assuming Bug Crowd is vetting the bug
>>> researchers for this.
>>>
>>>
>>> - Bil
>>>
>>> On Mon, Apr 18, 2016 at 4:06 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>
>>>> Board,
>>>>
>>>> Now that we have announced BugCrowd as our bug bounty program platform,
>>>> it is time to take the next step of figuring out how much of a bounty we
>>>> want to start with.  There is no minimum funding amount (we could do "kudo"
>>>> bounties if we want) and we can scale the rewards however we would like for
>>>> different categories.  Obviously, money equates to more motivated
>>>> researchers.  BugCrowd's recommendation is to fund the initial pot at
>>>> $5,000 and go from there.  I think we were originally talking about just
>>>> leveraging a Wall of Fame to start with (ie. "kudos"), but I wanted to see
>>>> what others thought about it.  Should we throw some money into the pot?
>>>> How much?  Your feedback is greatly appreciated.
>>>>
>>>> ~josh
>>>>
>>>> _______________________________________________
>>>> Owasp-board mailing list
>>>> Owasp-board at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>
>>>>
>>>
>>>
>>
>>