blog post: Bug Bounty, Three Years In - Write Blog Post - Githubissues

GSA-TTS / tts-tech-operations

TTS Technology Operations

https://handbook.tts.gsa.gov/tech-operations/

Other

6 stars 0 forks source link

blog post: Bug Bounty, Three Years In - Write Blog Post #313

Closed afeld closed 4 years ago

afeld commented 4 years ago

https://docs.google.com/document/d/1v7xkzG03-r98jyXlnyxJfY7s6qbZjCvorScNjwHCxfg/edit

Background information

We put together a number of talking points about the Bug Bounty for the CISO Exchange meeting on 1/16. Given that there is probably broader interest, would be worth the bit of extra effort to turn that into a blog post.

User stories

As someone at an agency overseeing information systems, I want to understand the benefits and level of effort to run a bug bounty program.
As a member of the Tech Portfolio, I want the success of our bug bounty program to be recognized so that it's easier to justify continuation/expansion (down the road, if needed).

Implementation

[x] Get some examples from other bug bounties
[x] Set up time to co-work
[x] Write draft
- [x] Get it to 66% complete
  - [x] mention at Sprint Review and give folks 2 weeks to provide comments
  - [x] Get internal feedback
- [x] Get it to 88% complete
  - [x] Share w/ #bug-bounty slack channel
  - [x] Share w/ #g-security-compliance slack channel
  - [x] Share GSA IT Security & CTO
  - [ ] Get external feedback
- [ ] 'Demo' at Sprint Review
[ ] Talk to Kristina Britt about whether we want to do media pitches
[ ] Get external feedback
- [ ] Share w/ CISA (Cameron)
- [ ] Share w/ DC3
- [ ] Share w/ HackerOne
[ ] All comments from feedback are resolved
[ ] Publish

Acceptance criteria

Our various stats and qualitative outcomes and experiences are somewhere public that we can share

its-a-lisa-at-work commented 4 years ago

Great information pulled

its-a-lisa-at-work commented 4 years ago

Got some really great examples from HackerOne

afeld commented 4 years ago

Some questions that came up in an email that may be useful to speak to, to the extent we can:

pricing set up

how did you reach out to the additional companies

share some lessons learned

[Firm-Fixed Price] was it the best?

evaluation how did the oral evaluations went?

how did you plan around the security concerns?

its-a-lisa-at-work commented 4 years ago

Got the draft to 66% -- moving to Waiting/Blocked until can get some feedback; will mention at the Review tomorrow and give folks a 2 weeks to provide input.

its-a-lisa-at-work commented 4 years ago

@afeld I feel like we're at the point where I should pick this up next or we should make the hard decision that we're not going to go through with it

its-a-lisa-at-work commented 4 years ago

Starting the time-boxed enhancement of this document now -- moving into In-Progress and will move to 'Waiting/Blocked' once I finish and mark Feedback Needed for a peer review to determine if we should go forward or kill it

afeld commented 4 years ago

Left some comments! I do still think it would be useful to speak to the pricing structure a bit, since that's a question that seems to come up a lot.

its-a-lisa-at-work commented 4 years ago

Ok, I changed the title of this issue to 'Write Blog Post' -- The blog post is now written; so going to open a new issue to get the Blog Post published as a way to break this task down to a smaller components