Monday 8 October 2012

Creating an TeamMentor Security Bounty Program

Following the unofficial success of the Test and Hack TeamMentor server with 3.2 RC5 code and SI library request (with already a couple vulnerabilities disclosed), I'm very happy to say that SI is going to make it official.

We will be creating an TeamMentor Security Bounty Program for this week, which is when we are doing a Security Push for TeamMentor (before it is released officially next week).

There still needs to be a bit of thinking on this, with the rules-of-engagement defined, but here is the thinking so far:

  • Create a Security Bug Bounty Program for the release of the TeamMentor 3.2 
  • Rewards to be given based on severity, with a budget of 2,000 USD and the following criteria:
    • 150 USD High vulns/bugs 
    • 100 USD Medium 
    • 50 USD Low
  • The criteria for a High, Medium and Low is yet to be defined (if you have good ideas please add them to the comments below)
Security Bounties are an important step and one that (in my opinion) shows the commitment of a product/service vendor on the security of their product (yes we should had launch this sooner, but its better later than never).

As the main developer of TeamMentor, I want to make sure that it is really secure, so hack away and accept the reward as a 'Thank you' token (yes I know that you will probably get better paid at flipping burgers, but I bet it won't be as rewarding as breaking TeamMentor's Security :) )

Research links: 

Who else is doing this