increasing the clarity on the vulnerability reporting process
Created by: chayim
Our vulnerability reporting process is reasonably clear, but the guidelines for getting a higher-value vulnerability report need some tweaking. I felt that:
- Vulnerability reporting really does deserve its own top-level page, as other organizations have.
- The 1-day (to respond) timeline is far too quick, and having now viewed several other organizations, I have data on that. The result is a table containing expectations as a response, an experiment to see if others find it easier to understand (as I do).
- We ought to clarify what constitutes a higher-quality vulnerability report.
Please provide comments; I'd like to turn this into a higher-value page, as I think it can help us get down the path to higher-value vulnerabilities. Finally, I validated our amounts against the few organizations for which I found it possible. PayPal and GitHub have maximums of $30K. This, along with our existing bounty payouts, led me to feel that our existing amount is well positioned given our size and scale.