[Owasp-board] Initial Funding for OWASP Bug Bounty Program

Bil Corry bil.corry at owasp.org
Sat Apr 23 15:10:06 UTC 2016


My suggestion would be to do WoF for the first six months, but talk to Bug
Crowd and ask them what the numbers look like for a brand new bug bounty
program.

As for swag, keep in mind you'll need someone to package and mail it out,
plus fill out customs forms for international bounties, and the person
receiving the swag will have to pay duty on it (depending on where they're
at in the world).  And it might go missing in transit.  It's actually
easier in many respects to have Bug Crowd award cash, or award memberships
and conference passes.


- Bil

On Mon, Apr 18, 2016 at 9:38 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Maybe do WoF for the first month and then move to paid bounties? I am just
> worried about a flood of LHFs that could break the bank.
>
> And Josh, I'm just commenting. I trust you to make good decisions here.
> You likely have your eye on details that I do not see yet.
>
> Aloha,
> - Jim
>
>
> On 4/18/16 9:30 AM, Josh Sokol wrote:
>
> Agreed on starting with the WoF.  But, does that mean that our initial
> deposit (i.e. the money that we could reward from) should be $0?  Or, if
> someone found something major, would we want to have the ability to reward
> that?
>
> ~josh
>
> On Mon, Apr 18, 2016 at 1:45 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> +1 What a very sensible way to start. Shake out the lower, low hanging
>> fruit before turning on the money spigot...
>>
>> Aloha,
>> Jim
>>
>>
>> On 4/18/16 8:40 AM, Bil Corry wrote:
>>
>> Speaking as someone who knows a thing or two about bug bounty programs,
>> I strongly suggest you start with the wall of fame.  After you've fixed all
>> the found issues and have an understanding of roughly how many bugs you'll
>> get ongoing, then you can allocate funds (bounties, swag, etc.) for bugs.
>> If you do it from the beginning, I guarantee you'll break the bank.
>>
>> Also, be sure your terms of service prohibit providing anything of
>> monetary worth to persons on the sanctions list or persons residing in
>> sanctioned/embargoed countries.  I'm assuming Bug Crowd is vetting the bug
>> researchers for this.
>>
>>
>> - Bil
>>
>> On Mon, Apr 18, 2016 at 4:06 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>>> Board,
>>>
>>> Now that we have announced BugCrowd as our bug bounty program platform,
>>> it is time to take the next step of figuring out how much of a bounty we
>>> want to start with.  There is no minimum funding amount (we could do "kudo"
>>> bounties if we want) and we can scale the rewards however we would like for
>>> different categories.  Obviously, money equates to more motivated
>>> researchers.  BugCrowd's recommendation is to fund the initial pot at
>>> $5,000 and go from there.  I think we were originally talking about just
>>> leveraging a Wall of Fame to start with (i.e. "kudos"), but I wanted to see
>>> what others thought about it.  Should we throw some money into the pot?
>>> How much?  Your feedback is greatly appreciated.
>>>
>>> ~josh
>>>
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>
>>>
>>
>>
>
>