-
Notifications
You must be signed in to change notification settings - Fork 217
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add bug bounty section to readme #389
Conversation
For example, something like:
These maximums are EF bounty program's maximums divided by 10. Examples are just the first thing that came to mind for each severity; you may want to come up with better ones. With a $50k pool, that would support:
This seems pretty reasonable IMO. Should last a while. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @jtraglia.
@avalonche can you please add the levels to our bounty information? I like Justin's numbers as a way to get started, we can adjust them as we go. What about making a post in the forum with the bug bounty details and link to it in these repositories?
* Add bug bounty section to readme * Add table to security doc * Simplify blurb on readme
📝 Summary
During the roundtable at Bogota, someone mentioned that the bug bounty program wasn't on the README when it should have been. This PR moves that section from SECURITY to README. There should be more details about the bug bounty program in that security file though 🔒
Also, I think the details this bug bounty program are pretty vague. What does a "shared pool of $50k" mean exactly? I understand that's the total allocation for the program, but what are the actual expected bounties? If someone finds a critical vulnerability, will they get all of that $50k? A table of maximum bounties would be nice, like:
⛱ Motivation and Context
More exposure for the bug bounty 👍
✅ I have run these commands
make lint
make test-race
go mod tidy