GSA-TTS / tts-tech-operations

TTS Technology Operations
https://handbook.tts.gsa.gov/tech-operations/

Vuln Disclosure Activity - Outreach #641

Closed its-a-lisa-at-work closed 4 years ago

its-a-lisa-at-work commented 4 years ago

Background information

Once a security researcher has found a bug, they submit it to HackerOne, which does the triage; TTS validates the bug and that the criticality is accurate. Based on the criticality, a bounty is provided. Sometimes, researchers will want to disclose the bug they found and so far we've been doing this in an ad-hoc fashion. The Bug Bounty PM feels as though there is an opportunity to better leverage this process to increase the security posture of the TTS systems.

Implementation Steps

Acceptance criteria


The assignee should add some checkboxes as a "sketch" of the steps to complete, which may evolve.

its-a-lisa-at-work commented 4 years ago

Mentioned this to Kristina B. and the outcome will be the following:

We talked about the following activities that outreach could support on

The outcome is that getting a Twitter account is difficult and we'd want to make sure that this is something that wouldn't die immediately; so Alyssa will mention this to GSA to see if it is something they would like to take on and feature TTS until they get things going. The Hacker of the Month will need to be run by legal since there are potential conflicts of interest, and the monthly one-pager might be good for the Service Catalogue as a web page.

Going to close this card and will create a new one if/when the meeting is scheduled, based on the mentioned blocker being figured out from #817.