Waterfall Bug Bounty Programme

While I work on fixing the minor bugs that have been reported, my mind has started to wander. While there have been no showstopping issues reported yet, there are almost certainly a few lurking in the code, waiting to be found. So I thought - why not run a bounty?

What's a bug bounty programme?

Wikipedia can do a better job of explaining, but in short, a bug bounty is an official programme where people who find serious bugs (in this case, security ones) can be rewarded.

Why is Waterfall running one?

There hasn't been one reported yet, but somewhere in the code, there's going to be a serious bug that could have serious consequences. Waterfall is a solo project that's basically for fun and, while I'm not terrible at security by myself, it also means there's nobody to really review my code and find anything glaringly obvious. This means that occasionally, something serious might sneak by, and having that in public with a "here's basically the instructions to ruin everyone's day" attached in the form of a normal bug report is a bad idea. This is where the programme comes in.

How does it work?

Here's the page going into more detail.

In short, if you find a serious bug with security implications, you email it to the address on that page, giving me as much info as you can. It's STRONGLY advised you use a sideblog or side account for this, but specific considerations are outlined on the page, including how to get dev environment access for anything that might be particularly destructive.

It should be noted this bounty is for serious bugs only, mainly affecting security or privacy. Other bugs should still be reported through the GitHub linked in the site footer.

So what are the rewards?

Trivial bugs already get badges awarded, and the bounty programme is no exception - you'll get the standard ones plus a special VRP badge. In addition, for stuff that's impactful, there are cash rewards on a sliding scale of severity. It's worth noting here - while most companies offer a bit more than this in their BBPs, Waterfall is a solo project, so it's limited by what one guy could realistically afford. Better than nothing though, right?

You can take the cash yourself, or choose to donate it to charity.

With any luck, nothing major will ever be reported - but the chances of that are slim, and it'd be utterly hubristic to think there are no flaws in my code that could be dangerous, and people who help defend against that definitely deserve to be rewarded.

