Hey everybody,
So today at the iSEC Partners security open forum I heard a talk from Zane Lackey, the former security lead for Etsy, concerning the effectiveness of bug bounties.
He made two points:
1) Bug bounties are unlikely to cause harm, especially for Wikipedia, which I asked him about, because the mere popularity of our service means we are already being scanned, pentested, etc. With a bounty program, there will be incentive for people to report those bugs rather than pastebin them.
2) Even without a monetary reward, which I imagine WMF would not be able to supply, crackers are motivated simply by the “hall of fame”, or being able to be recognized for their efforts.
Therefore, I thought it may be beneficial to take that over to Wikipedia and start our own bug bounty program. Most likely, it would be strictly a hall-of-fame-like structure where people would be recognized for submitting bug reports (maybe we could even use the OpenBadges extension *wink* *wink*). It would help by increasing the number of bugs (both security and non-security) that are found and reported to us.
Any thoughts? (Of course, Chris would have to approve of this program before we even consider it.)
-- Tyler Romeo 0xC86B42DF
wikitech-l@lists.wikimedia.org