I have heard that some security researchers may not bother reporting absent a small bounty. So I would love to hear from any of you that may have direct experience either (1) being paid a bounty as a security researcher or (2) working at a company that pays bounties (such as reacting to/validating those bugs).

Thanks
Jason

From: ietf <ietf-bounces@xxxxxxxx> on behalf of Rob Sayre <sayrer@xxxxxxxxx>

On Thu, Aug 6, 2020 at 8:21 AM Salz, Rich <rsalz=40akamai.com@xxxxxxxxxxxxxx> wrote:

It really depends on how complicated the website is.

Lots of web software companies have bounty programs: <https://hackerone.com/bug-bounty-programs>

I think the IETF infrastructure might be able to use one. Trying it out seems like a reversible decision, too.

thanks,
Rob