Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.Sign up
GitHub is where the world builds software
Millions of developers and companies build, ship, and maintain their software on GitHub — the largest and most advanced development platform in the world.
docs/BUG-BOUNTY: proposed additional docs [ci skip] #3067
I don't think we can speak for other programs in which we have no say or influence. What do you think we should say about IBB? Mention that it exists (which we already do the in SECURITY-PROCESS doc) or state that we won't pay reward money for vulnerabilities already paid for by other bug bounties?
I don't think we should add "not getting paid by another bounty program" as a requirement. First, it makes it really hard to keep track of and secondly, a flaw is a flaw to us no matter if another program will pay for it or not and to the same extent. A reported security flaw that fulfills our requirement may be eligible for a bounty I think.
IBB has a requirement for paying a bounty that the reported flaw has to "be novel: vulnerability is new or unusual in an interesting way" - which we certyinly don't have as a requirement.