docs/BUG-BOUNTY: proposed additional docs [ci skip] #3067
I don't think we can speak for other programs in which we have no say or influence. What do you think we should say about IBB? Mention that it exists (which we already do in the SECURITY-PROCESS doc) or state that we won't pay reward money for vulnerabilities already paid for by other bug bounties?
I don't think we should add "not getting paid by another bounty program" as a requirement. First, it makes it really hard to keep track of and secondly, a flaw is a flaw to us no matter if another program will pay for it or not and to the same extent. A reported security flaw that fulfills our requirement may be eligible for a bounty I think.
IBB has a requirement for paying a bounty that the reported flaw has to "be novel: vulnerability is new or unusual in an interesting way" - which we certainly don't have as a requirement.
I think this reads well and to the point. Once we've had requests pass through we might find improvements on wordings but for now I think this is a good start.