[Owasp-board] Initial Funding for OWASP Bug Bounty Program

Tobias tobias.gondrom at owasp.org
Wed Apr 20 22:52:38 UTC 2016


I agree with Bil: start with a WoF.
And we can increase it from there later.
Best regards, Tobias



On 19/04/16 05:04, Josh Sokol wrote:
> We can absolutely award with other things.  T-shirts, bumper stickers, 
> OWASP memberships, conference passes, etc.
>
> ~josh
>
> On Mon, Apr 18, 2016 at 9:49 PM, Kevin W. Wall <kevin.w.wall at gmail.com 
> <mailto:kevin.w.wall at gmail.com>> wrote:
>
>     Instead of (only) paid bounties and WoF, would BugCrowd allow
>     something like paid for OWASP membership for N years or free
>     admittance to any of our yearly sponsored AppSec conferences? That
>     might give us some additional options if BugCrowd accepts that
>     sort of thing.
>
>     -kevin
>     Sent from my Droid; please excuse typos.
>
>     On Apr 18, 2016 3:39 PM, "Jim Manico" <jim.manico at owasp.org
>     <mailto:jim.manico at owasp.org>> wrote:
>
>         Maybe do WOF for the first month and then move to paid
>         bounties? I am just worried about a flood of LHF's that could
>         break the bank.
>
>         And Josh, I'm just commenting. I trust you to make good
>         decisions here. You likely have your eye on details that I do
>         not see yet.
>
>         Aloha,
>         - Jim
>
>         On 4/18/16 9:30 AM, Josh Sokol wrote:
>>         Agreed on starting with the WoF.  But, does that mean that
>>         our initial deposit (i.e. the money that we could reward from)
>>         should be $0?  Or, if someone found something major, would we
>>         want to have the ability to reward that?
>>
>>         ~josh
>>
>>         On Mon, Apr 18, 2016 at 1:45 PM, Jim Manico
>>         <jim.manico at owasp.org <mailto:jim.manico at owasp.org>> wrote:
>>
>>             +1 What a very sensible way to start. Shake out the
>>             lower, low hanging fruit before turning on the money
>>             spigot...
>>
>>             Aloha,
>>             Jim
>>
>>
>>             On 4/18/16 8:40 AM, Bil Corry wrote:
>>>             Speaking as someone that knows a thing or two about bug
>>>             bounty programs, I strongly suggest you start with the
>>>             wall of fame.  After you've fixed all the found issues
>>>             and have an understanding of roughly how many bugs
>>>             you'll get on-going, then you can allocate funds
>>>             (bounties, swag, etc) for bugs.  If you do it from the
>>>             beginning, I guarantee you'll break the bank.
>>>
>>>             Also, be sure your terms of service prohibit providing
>>>             anything of monetary worth to persons on the sanctions
>>>             list or persons residing in sanctioned/embargoed
>>>             countries.  I'm assuming Bug Crowd is vetting the bug
>>>             researchers for this.
>>>
>>>
>>>             - Bil
>>>
>>>             On Mon, Apr 18, 2016 at 4:06 PM, Josh Sokol
>>>             <josh.sokol at owasp.org <mailto:josh.sokol at owasp.org>> wrote:
>>>
>>>                 Board,
>>>
>>>                 Now that we have announced BugCrowd as our bug
>>>                 bounty program platform, it is time to take the next
>>>                 step of figuring out how much of a bounty we want to
>>>                 start with.  There is no minimum funding amount (we
>>>                 could do "kudo" bounties if we want) and we can
>>>                 scale the rewards however we would like for
>>>                 different categories.  Obviously, money equates to
>>>                 more motivated researchers. BugCrowd's
>>>                 recommendation is to fund the initial pot at $5,000
>>>                 and go from there.  I think we were originally
>>>                 talking about just leveraging a Wall of Fame to
>>>                 start with (i.e. "kudos"), but I wanted to see what
>>>                 others thought about it.  Should we throw some money
>>>                 into the pot?  How much?  Your feedback is greatly
>>>                 appreciated.
>>>
>>>                 ~josh
>>>
>>>                 _______________________________________________
>>>                 Owasp-board mailing list
>>>                 Owasp-board at lists.owasp.org
>>>                 <mailto:Owasp-board at lists.owasp.org>
>>>                 https://lists.owasp.org/mailman/listinfo/owasp-board
>>>
>>
>>
>
>
