Re: Bounty: Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I have heard that some security researchers may not bother reporting absent a small bounty. So I would love to hear from any of you that may have direct experience either (1) being paid a bounty as a security researcher or (2) working at company that pays bounties (such as reacting to/validating those bugs).

 

Thanks

Jason

 

From: ietf <ietf-bounces@xxxxxxxx> on behalf of Rob Sayre <sayrer@xxxxxxxxx>
Date: Thursday, August 6, 2020 at 3:14 PM
To: "Salz, Rich" <rsalz=40akamai.com@xxxxxxxxxxxxxx>
Cc: "ietf@xxxxxxxx" <ietf@xxxxxxxx>
Subject: Re: Bounty: Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement

 

On Thu, Aug 6, 2020 at 8:21 AM Salz, Rich <rsalz=40akamai.com@xxxxxxxxxxxxxx> wrote:

    >    * Whether or not this statement should be supplemented with a "bug bounty" program.

In my experience (several years running openssl.org), bug bounties for websites are not worthwhile.

 

It really depends on how complicated the website is. Lots of web software companies have bounty programs: <https://hackerone.com/bug-bounty-programs>

 

I think the IETF infrastructure might be able to use one. Trying it out seems like a reversible decision, too.

 

thanks,

Rob

 

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux