Oh hey, that was fun, I read all the way up to the last page, realised I was logged out, logged in, and was booted back to page 26. I guess that's where my bookmark was.
In all seriousness, guys, I want to spend a quick minute to mention that we've taken your criticisms to heart and want to come up with a solution that doesn't seem like we're raking in money and expecting free pull requests when things go sideways.
UI/UX bugs and oddities aside, we want to focus on security and penetration testing, and so we've reached out to Hackerone and Bugcrowd. They've given us quotes, but they're beyond what I was expecting to pay*.
Bug bounty aside, these programs seem to want me to pay a large amount of money (in my view) for access to their system... but aren't these programs basically CRUD apps with nice interfaces to track vulnerabilities and host leaderboards so security researchers can show others how well they fared against each other?
Not that I'm complaining, I think that the social aspect is great, but I personally feel that goes contrary to the whole premise of a bug bounty program: to have security researchers help projects find holes in software. I'm feeling a bit conflicted about whether gamifying the penetration testing industry is a net positive or not.
I'll paste what I wrote earlier today to a security researcher who reached out to us:
As project owners, our goal is to produce high-quality software with no security vulnerabilities, and so having exposure to security researchers is a plus. So I should ask, would a self-managed bug bounty program be a deterrent to you and your colleagues?
We don't quite know what we're going to do with respect to a bug bounty system yet, but we're more than happy to establish one privately and see where that goes. At the start we're matching Discourse's payout strategy:
- Medium — CSRF / exploit that causes a user to perform an operation they didn't explicitly consent to ($128)
- High — XSS exploits ($256)
- Critical — exploit resulting in privilege escalation to admin, or downloading the site database ($512+)
Standard spiel about not testing against community.nodebb.org applies (use try.nodebb.org), social and physical attacks don't count... disclose all discovered vulnerabilities to security@nodebb.org.
* I want to point out here that I'm not a security researcher, nor do I have much exposure to the pentesting community, and so if the prices I was quoted are in the standard range, then I am the one who is misinformed. The last thing I want to do here is come off as hypocritical.