We will be creating an TeamMentor Security Bounty Program for this week, which is when we are doing a Security Push for TeamMentor (before it is released officially next week).
There still needs to be a bit of thinking on this, with the rules-of-engagement defined, but here is the thinking so far:
- Create a Security Bug Bounty Program for the release of the TeamMentor 3.2
- Rewards to be given based on severity, with a budget of 2,000 USD and the following criteria:
- 150 USD High vulns/bugs
- 100 USD Medium
- 50 USD Low
- The criteria for a High, Medium and Low is yet to be defined (if you have good ideas please add them to the comments below)
Security Bounties are an important step and one that (in my opinion) shows the commitment of a product/service vendor on the security of their product (yes we should had launch this sooner, but its better later than never).
As the main developer of TeamMentor, I want to make sure that it is really secure, so hack away and accept the reward as a 'Thank you' token (yes I know that you will probably get better paid at flipping burgers, but I bet it won't be as rewarding as breaking TeamMentor's Security :) )
Who else is doing this
- Mozilla: http://www.mozilla.org/security/bug-bounty.html
- Facebook: http://www.facebook.com/whitehat/bounty
- Piwik: http://piwik.org/security
- Barracuda: http://www.barracudalabs.com/bugbounty
- Paypal: https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
- Google: http://www.google.com/about/appsecurity/reward-program
Articles about it:
Ping me if you have other ideas on how to do this, or if there are other good examples out there.