Start a HackerOne bug bounty program.

[EdOverflow]

HackerOne Professional is now free for open source projects: https://www.hackerone.com/blog/HackerOne-Professional-Free-For-Open-Source-Projects

[EdOverflow]

@Changaco: Would you like to go ahead and set up a VRP on Hackerone? I will help write a nice policy and triage reports.

[Changaco]

I'm worried about being distracted by both noise and genuine reports. I would also prefer having fewer known issues before asking the community to help us find more.

[EdOverflow]

@Changaco: From experience, no matter what you do, there is very little chance that you will prevent noise. I agree that some of the Self-defense tickets should be resolved before we start, but I would not worry too much about noise.

[EdOverflow]

I forgot to clarify my terminology. We need to discuss whether you want to launch a bug bounty program (BBP) or a vulnerability disclosure program (VDP). The former would require financially rewarding researchers that report valid security issues to Liberapay. The latter is basically a security@ address on a platform such as HackerOne.

[Changaco]

Using the organization's funds requires consensus among the codirectors. Want to open an issue in the org repo?

[EdOverflow]

I am still up for managing this. Since I work for HackerOne now, I can probably get things sorted out fairly quickly. It would be nice to have an inbox that all project maintainers can keep an eye on — a platform seems ideal compared to an email inbox.

[Changaco]

@EdOverflow I've created the program and invited you. I guess the next step is to figure out bounty amounts, then we should be ready to launch.

[Changaco]

Done: https://hackerone.com/liberapay.

[EdOverflow]

Fantastic work! This is just what we needed.

[Changaco]

For the record, a small illustration of the negative side of opening a program on HackerOne:

Without Cloudflare's "Under Attack" mode all those requests would have hit the origin server.

Related comments: liberapay/salon#218 (comment).