So today at the iSEC Partners security open forum I heard a talk from Zane Lackey,
the former security lead for Etsy, concerning the effectiveness of bug bounties.
He made two points:
1) Bug bounties are unlikely to cause harm, especially for Wikipedia, which I asked
him about, because the mere popularity of our service means we are already being
scanned, pentested, etc. With a bounty program, there will be incentive for people to
report those bugs rather than pastebin them.
2) Even without a monetary reward, which I imagine WMF would not be able to supply,
crackers are motivated simply by the “hall of fame”, or being able to be recognized for
Therefore, I thought it may be beneficial to take that over to Wikipedia and start our
bug bounty program. Most likely, it would be strictly a hall-of-fame-like structure where
people would be recognized for submitting bug reports (maybe we could even use the
OpenBadges extension *wink* *wink*). It would help by increasing the number of bugs
(both security and non-security) that are found and reported to us.
Any thoughts? (Of course, Chris would have to approve of this program before we even