Description
In the past we have mentioned the option to run a bounty program (ref) to engage with more security researchers. Other Open Source projects within the foundation have engaged with these programs too.
I was thinking that Hacker One (H1) is a great option for us as they have a Community Edition that fits well with our approach.
Even if we don't have enough economic resources to reward bounties, this program will provide reputation to the researchers.
I already sent them an email to see if they want to accept us in their program (exploring, not confirming).
Note that this was part of the objectives we set for milestone 3 in STF:
We will also explore the possibility of joining a bug bounty platform to encourage more community engagement in reporting bugs and vulnerabilities, thereby enhancing the overall security of the project.
It is also worth mentioning that we are actively working on better defining the process for handling security reports (expressjs/security-wg#56) and managing expectations (expressjs/.github#15).
WDYT @expressjs/express-tc @expressjs/security-wg @expressjs/security-triage?