On Thu, Aug 6, 2020 at 8:21 AM Salz, Rich <rsalz=40akamai.com@xxxxxxxxxxxxxx> wrote:
> * Whether or not this statement should be supplemented with a "bug bounty" program.
> In my experience (several years running openssl.org), bug bounties for websites are not worthwhile.
It really depends on how complicated the website is. Lots of web software companies have bounty programs: <https://hackerone.com/bug-bounty-programs>
I think the IETF infrastructure might be able to use one. Trying it out seems like a reversible decision, too.
thanks,
Rob