The other day I broached the idea of a security bounty in the Drupal project. I had first heard about this concept from the Mozilla Foundation's Security Bug Bounty which appears to be the most famous of these.
Why Security Bug Bounties are a good idea
This is pretty simple:
- It provides at least some motivation for folks to actually look at the code and find security bugs, making the software more secure.
- More folks looking at the code is always a good thing.
- Just the concept and the existence of the program reminds people that we take security seriously, and informs them of the proper way to report a bug.
- In the case of the Drupal Association - which can't make decisions about the code based on the statutes (en pdf) (more formats/languages).
Generalized Security Bug Bounty System
This concept seems to me like it could be generalized for any software project. Here are the rules I came up with, based upon the Mozilla Foundation's rules.