I have heard that some security researchers may not bother reporting absent a small bounty. So I would love to hear from any of you that may have direct experience either (1) being paid a bounty as a security researcher or (2) working at a company that pays bounties (such as reacting to/validating those bugs).
Thanks
Jason
From: ietf <ietf-bounces@xxxxxxxx> on behalf of Rob Sayre <sayrer@xxxxxxxxx>
Date: Thursday, August 6, 2020 at 3:14 PM
To: "Salz, Rich" <rsalz=40akamai.com@xxxxxxxxxxxxxx>
Cc: "ietf@xxxxxxxx" <ietf@xxxxxxxx>
Subject: Re: Bounty: Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement
On Thu, Aug 6, 2020 at 8:21 AM Salz, Rich <rsalz=40akamai.com@xxxxxxxxxxxxxx> wrote:
> * Whether or not this statement should be supplemented with a "bug bounty" program.
In my experience (several years running openssl.org), bug bounties for websites are not worthwhile.
It really depends on how complicated the website is. Lots of web software companies have bounty programs: <https://hackerone.com/bug-bounty-programs>
I think the IETF infrastructure might be able to use one. Trying it out seems like a reversible decision, too.
thanks,
Rob
Both (I donate the bounties).
I would suggest contracting it out to something like Hackerone for an experiment, so the initial strain on the IETF is low.
thanks,
Rob
On Thu, Aug 6, 2020 at 12:28 PM Livingood, Jason <Jason_Livingood@xxxxxxxxxxx> wrote: