Hey everybody,

So today at the iSEC Partners security open forum I heard a talk from Zane Lackey, the former security lead for Etsy, concerning the effectiveness of bug bounties. He made two points:

1) Bug bounties are unlikely to cause harm, especially for Wikipedia, which I asked him about, because the mere popularity of our service means we are already being scanned, pentested, etc. With a bounty program, there will be an incentive for people to report those bugs rather than pastebin them.

2) Even without a monetary reward, which I imagine WMF would not be able to supply, crackers are motivated simply by the "hall of fame", or being able to be recognized for their efforts.

Therefore, I thought it may be beneficial to take that over to Wikipedia and start our own bug bounty program. Most likely, it would be strictly a hall-of-fame-like structure where people would be recognized for submitting bug reports (maybe we could even use the OpenBadges extension *wink* *wink*). It would help by increasing the number of bugs (both security and non-security) that are found and reported to us.

Any thoughts? (Of course, Chris would have to approve of this program before we even consider it.)

-- Tyler Romeo 0xC86B42DF
_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
