liberapay / liberapay.org

Home of the non-profit organization that runs liberapay.com

Bug bounty program rewards. #25

Closed EdOverflow closed 6 years ago

EdOverflow commented 6 years ago

If we want to launch a bug bounty program we would need to be able to financially reward security researchers that report valid issues. @Changaco noted the following in https://github.com/liberapay/liberapay.com/issues/549#issuecomment-333525944:

Using the organization's funds requires consensus among the codirectors.

I would like to hear some thoughts on this.

Changaco commented 6 years ago

(This is going to need a longer explanation, probably in French, as it's likely that the other codirectors are not familiar with what a bug bounty program is and why we would want to spend money on one.)

Zatalyz commented 6 years ago

I agree to open a bug bounty program, but... with what money? Liberapay doesn't receive a lot of money. Is proposing a bounty with a very small reward efficient? If the reward is meager, does it concern only very easy bugs? And in that case, is adding a bounty probably more work than just resolving the bug?

I am not familiar with bounty. I love the concept but I don't know if we have the means to handle this.

EdOverflow commented 6 years ago

@Zatalyz, I suggest taking a look at my definitions here:

I forgot to clarify my terminology. We need to discuss whether you want to launch a bug bounty program (BBP) or a vulnerability disclosure program (VDP). The former would require financially rewarding researchers that report valid security issues to Liberapay. The latter is basically a security@ address on a platform such as HackerOne. [1]

We don't have to run a bug bounty program, but if we do then we need to discuss bounty amounts. A VDP on the other hand would only consist of triaging reports and then rewarding hackers with reputation and a place in our hall of fame. We could also consider rewarding researchers with "swag". Gratipay used to send little heartcoins and a handwritten letter. Personally from experience, a bug bounty program will attract more highly-skilled researchers, but only if we are able to reward fair amounts. We also have to put together a whole triaging, incident response and resolution process before we actually launch a security program, because otherwise we will be overwhelmed by the incoming reports.

Changaco commented 6 years ago

[fr] Let's keep it simple: for or against financially rewarding, if we have the means, a person who discovers and alerts us to a security flaw in Liberapay?

Ping @Zatalyz @MartinDelille @MarionRousseaux. In accordance with the rules, you have two weeks to reply.

Changaco commented 6 years ago

@EdOverflow What are "fair amounts"? The org only has approximately 520 euros of yearly income (€10/week).

EdOverflow commented 6 years ago

[en 🇬🇧]: I used the term "fair" with respect to how much we can afford to pay. Researchers are aware of how much to expect from a company or organization based on their annual revenue and size. Right now I am currently leaning towards starting with a VDP and then if things go according to plan, once we have a big enough budget we can transition into a BBP.

[fr 🇫🇷]: I used the term "fair" with respect to how much we can afford to pay. Security researchers are aware that we are a small organization. Right now I would prefer to start with a VDP, and then I think it would be a good idea to transition to a BBP.

Zatalyz commented 6 years ago

[fr] In favor of rewarding (financially, with a Hall of Fame, with goodies... depending on our means) anyone who discovers and alerts us to a security flaw on Liberapay :)

Changaco commented 6 years ago

I'm adding my approval and closing the vote. We have 2 officially in favor and no objections, so we're good to go. (I mentioned the proposal to @MarionRousseaux when I met her and she also agreed IIRC.)