Security-wg: Paying Bounties on HackerOne

Created on 6 Nov 2019 · 24 comments · Source: nodejs/security-wg

Hi team,

As it stands, the node.js third-party modules program is being treated as a simple VDP. However, the program is a Bug Bounty Program, and you currently have funds ($12k) to pay bounties.

  1. What are the current blockers in place preventing us from beginning to pay bounties?
  2. Where are the bounty funds coming from?
  3. Once the current $12k is depleted, can we source more funds?
  4. If we are to begin paying bounties moving forward, what should we do with the 200+ old reports that are potentially eligible for bounty?
  5. Is your current structured scope up to date (in terms of which components are eligible for bounty)?

cc: @reedloden

Labels: BugBounties, security-wg-agenda

All 24 comments

Hi @mralekzandr,

Have you seen https://github.com/nodejs/security-wg/blob/master/processes/bug_bounty_criteria.md ?

We may not always be able to publicly share the origin of bug bounties, as those who contribute them may choose to stay out of the media. Are you sure we have 200+ reports that are eligible for bounties? There are only specific modules which are eligible for this program.

@lirantal - I have not seen that - thank you for sharing!

To clarify - there are 200+ reports _eligible_ for bounty; this is just according to the inbox views.
[Screenshot of the HackerOne inbox view, 2019-11-08]

We'll have our work cut out for us here, but I'd like to begin clearing out that inbox. We can mark the reports ineligible for bounty as such, and begin paying bounties on the ones that are eligible.

Does anybody in the SWG have time to begin tackling this? If not, I can set aside time in the coming weeks to begin chipping away at it. I can at least mark the ones that are ineligible for bounty, according to the criteria in that document you shared. The next step, though, is to figure out who can begin authorizing bounty payments. Beyond the bug bounty criteria above, are there any other blockers preventing us from beginning to payout on reports?

@mralekzandr are you sure that these 200+ items all match up with the list of modules we have in that link I shared of approved modules for bounties? I highly doubt it because we have a rather small list and most are popular projects which I don't think have these amount of vulnerabilities. I would say the majority of these 200 items are for modules we don't have an approved bounty for.

Beyond the bug bounty criteria above, are there any other blockers preventing us from beginning to payout on reports?

Nope, nothing stops us. If there's a bounty to be paid for an approved module per https://github.com/nodejs/security-wg/blob/master/processes/bug_bounty_criteria.md then it should be paid for sure.

@lirantal - sorry to be confusing. No, I'm not sure all the reports match up with the documentation you provided. I am just mentioning that according to the inbox, there are 200+ reports _potentially eligible_, according to the normal workflow in the inbox. I very much understand that it's likely most of those aren't eligible for bounty.

My request is that we begin working through the "Pending Bounty" inbox view; marking the ones ineligible for bounty as such, and eventually paying bounties on the ones that are eligible.

I'll set aside some time this week to start marking reports ineligible for bounty according to the documentation you have provided.

Thanks!

Makes sense. I'll do my best to set some time out for this.

@mralekzandr I went through it all based on the modules that we do allow and I found about 5 out of the whole 292 that are eligible to receive them. I took the conversation on our slack channel where it is easier to communicate with regards to how this will be done on the H1 platform in private and see if the rest of the WG would have anything to add with regards to my findings.

responded in slack, thanks!!

Updating with current proposal:

Let's discuss for approval on next WG call

thanks @lirantal !

Give me a shout once it's approved; I'll help you all implement a structured bounty table/language clearly defining payouts in your policy

Sure thing. Thanks Alek

Discussed in the WG agenda meeting and nobody objected, so let's kick off the bounty payments.

@lirantal - thank you! Let me know if you need any help on the execution of payments.

-Alek

@mralekzandr is it simply paying out the bounty in the relevant H1 report's UI or is there something else to it that needs setting up?

@lirantal - yup, straight through the report UI. Go to the bottom of the report, as if you are leaving a comment, and click the action picker:
[Screenshot of the HackerOne report action picker, 2019-12-02]

Click "Set Award", which will give you the option to fill in the bounty amount. Once you've selected the appropriate amount, click set award.
[Screenshot of the HackerOne "Set Award" dialog, 2019-12-02]

The funds are coming from your bounty pool, which you can check anytime here: https://hackerone.com/nodejs-ecosystem/billing

I can find time to set these awards today or tomorrow if you'd like me to! Just let me know the report numbers and bounty amounts.

Can you also tell me the final bounty structure you have decided upon? I'd like to work on implementing a structured bounty table for all researchers to see when they come to the program.

Sounds good, I'll take a first pass at them!

Bounty structure wise - this is it: https://github.com/nodejs/security-wg/issues/593#issuecomment-557507441

thanks!

@mralekzandr is it technically possible to also pay the maintainers we invite to triage and fix their projects?

@mralekzandr also, can I ask you to update the relevant pages on our H1 program with regards to the bounties and supported models in the scope? thanks!

@mralekzandr I believe I have addressed all bounties to be paid and awarded the bug hunters. The modules I couldn't find in our reports are yarn, MQTT.js and pino (although I do remember yarn was indeed submitted at some point). If indeed you don't find any of these either, then we're done with the bounty awards and I'd appreciate it if you could bulk update all the remaining 290 reports in the queue as not eligible.

@lirantal Apologies for the delay here! Thank you for the ping on slack :)

I'm not sure about paying maintainers that fix the projects; I'll have to check platform limitations and see if that's possible. Stay tuned.

I'll add this link - https://github.com/nodejs/security-wg/blob/master/processes/bug_bounty_criteria.md - to the bounty table for researchers to reference.

I'll also go through the remaining reports this week and mark them ineligible for bounty as needed. I'll keep my eye open for those modules you mentioned.

I'm not sure about paying maintainers
Would love to hear an update on that.

Sounds good on everything else, thanks!

@reedloden - can you chime in on paying maintainers?
