Re: Bounty: Consultation on DRAFT Infrastructure and Services Vulnerability Disclosure Statement

On Fri, Aug 7, 2020, at 06:15, Jay Daley wrote:


> On 7/08/2020, at 8:04 AM, Salz, Rich <rsalz=40akamai.com@xxxxxxxxxxxxxx> wrote:

>> The IETF website is not worth people hacking. If you had a bounty program in my view you’d get things like “I can read your .htaccess file” or the equivalent – nobody cares.

> I’ve run a bounty program that got exactly that, all from individuals using automated tools.  We paid in the region of $20 - $50 and after about 20 or so they dried up as all the basic things an automated scanner can find had been addressed.  There was no indication of anyone doing more sophisticated testing.  I was quite happy with it as a way of pushing us to take an "outside looking in" view and it was cheap and easy to administer but it basically just found the small issues we introduced ourselves in-between regular commissioned pen tests, which in my view are the one thing nobody can do without (for opsec that is).

You're not going to get anything good for $50!  We've paid up to $4000, which is still not heaps but does attract people willing to do more detailed research than just running an automated scanner:

https://www.fastmail.com/about/bugbounty/

One thing to keep in mind - you will get quite a lot of work to do just processing bug reports.  I'd say we've spent more on the staff time to review incoming reports and assess them for correctness (not to mention arguing with cranks who are sure they deserve a payout for some nonsense that a tool told them) than we have on payouts.

Bron.

--
  Bron Gondwana, CEO, Fastmail Pty Ltd
  brong@xxxxxxxxxxxxxxxx
