Time for a bounty program? #345
+1, although it would mean that we would no longer use GitHub in the future to report security issues (see expressjs/security-wg#30), right?
Not really, we include it as a valid way to report vulnerabilities in https://github.com/expressjs/.github/blob/master/SECURITY.md#reporting-a-bug.
@UlisesGascon I think it might be worth reaching out to [email protected] to get this sponsored by the Internet Bug Bounty Program.
I see that several projects from the foundation are included here; I think it's great to request inclusion. (https://hackerone.com/ibb/policy_scopes)
@marco-ippolito @RafaelGSS can you tell us about your experience in the program with Node.js? How has your experience been so far (day to day, report quality, tricks...)? 🙏
I don't see it mentioned here, but it looks like the STF also has a program for bug bounties which we should assess. I don't have a strong opinion in general here, but just wanted to drop this note since it was only mentioned so far in an email with @UlisesGascon and me on it.
As discussed on last week's working session, this discussion is moving to the @expressjs/security-wg. So removing the agenda label. |
In the past we had mentioned the option to run a bounty program (ref) to engage with more security researchers. Other Open Source projects within the foundation have engaged with these programs too.
I was thinking that HackerOne (H1) is a great option for us, as they have a Community Edition that fits well with our approach.
Even if we don't have enough economic resources to pay bounties, this program will provide reputation to the researchers.
I already sent them an email to see if they want to accept us in their program (exploring not confirming).
Note that this was part of the objectives that we set for the milestone 3 in STF:
It's also worth mentioning that we are actively working on better defining the process for handling security reports (expressjs/security-wg#56) and managing expectations (expressjs/.github#15).
WDYT @expressjs/express-tc @expressjs/security-wg @expressjs/security-triage?