Re: Call for Community Feedback: Guidance on Reporting Protocol Vulnerabilities

Peace,

On Fri, Oct 23, 2020, 10:59 PM Salz, Rich <rsalz=40akamai.com@xxxxxxxxxxxxxx> wrote:
I would put the "WE don't pay" sentence at the top, right after the intro paragraph.

Vendors might have their own bug bounties for the protocols they implement.  Nonprofit organizations might have bounties for protocol security research, to ensure a safer Internet in general.  Looking for those should be suggested then.  "We don't pay" is a powerful message which, when it comes down to a typical Initech, generally implies "we don't care".

A list of sponsoring and shepherding organizations offering bounties for vulnerabilities found in the WG documents might be published for each of the WGs (just a suggestion).  One might argue then that processing potential vulnerabilities through the IETF process might be easier together with points of contact in those vendors who were responsible for document development and implementation, as opposed to doing it with the vulnerability researchers directly.  For those researchers, IETF processes might seem, well, unusual.

--
Töma
