BLT
make sure that privately reported issues do not show up in the public image folder - create a new bucket and use that for private issues
we'll have a separate private bucket for private issues
Private Bug Bounties with Paid Incentives and Confidentiality.
A feature that allows companies to conduct private, paid bug bounties in a non-commercial way would enable companies to crowdsource security testing for their software systems while maintaining a high level of confidentiality. This feature would involve creating a closed bug bounty program that is accessible only to a select group of researchers who have been vetted by the company. The bounty program could be offered as a paid incentive to researchers who discover and report critical bugs in the company's software.
Here's how this feature might work:
- The company would set up a private bug bounty program on a third-party platform, which would allow them to define the scope of the bounty, the types of vulnerabilities that are eligible for rewards, and the amount of compensation that will be offered for each bug.
- The company would invite a select group of researchers to participate in the program, based on their experience, skills, and reputation in the security research community. The researchers would be required to sign a non-disclosure agreement (NDA) that would prohibit them from sharing any details about the vulnerabilities they discover with anyone outside the company.
- The researchers would conduct security testing on the company's software systems and report any vulnerabilities they find through the bounty program's platform. The company would review each vulnerability report and determine whether it is eligible for a reward based on the bounty program's criteria.
- The company would pay out rewards to the researchers who submit eligible vulnerabilities through the bounty program's platform. The researchers would be able to track their earnings and performance through a dashboard that displays their submissions, rewards, and overall ranking in the program.
This feature would allow companies to conduct private, paid bug bounties without the need for a commercial marketplace or public disclosure of vulnerabilities. It would help companies to identify and fix security vulnerabilities in their software systems more quickly and efficiently, while also building a relationship
/assign
it would be really helpful if you could provide a link.
fixed #1691
I think the best way to do this would be to create a new private bucket
@DonnieBLT what exactly does a new private bucket mean?
A private bucket, in the context of cloud computing and storage, typically refers to a storage container within a cloud storage service that is designed to hold data. Unlike public buckets, which can be accessed by anyone with the right URL, private buckets are restricted and can only be accessed by specific, authorized users or systems.
Key features of a private bucket include:
- Access Control: The owner of the bucket can set permissions to control who can view, upload, or download data from the bucket.
- Security: Private buckets often have enhanced security measures like encryption, both at rest and in transit, to protect sensitive data.
- Data Integrity: They often include features to ensure the integrity of the data stored, like versioning and checksums.
- Integration: These buckets can be integrated with other cloud services for data processing, analysis, or backup.
- Cost: The cost of using a private bucket can vary based on the amount of data stored, the level of access control, and additional security features.
Private buckets are commonly used by businesses and individuals to store sensitive data like personal information, confidential business documents, or proprietary data, ensuring that it's not publicly accessible or vulnerable to unauthorized access.
@DonnieBLT I think this issue can be closed, since #1691 is merged
No, this issue is still valid - we'll have a separate private bucket for private issues
for this issue if the issue is private use the PRIVATE_BUCKET_ID (code this in and we can change it when we deploy)
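One way the bucket selection described above could be wired up, as an added illustration rather than BLT's own code: the `StorageSettings`/`Issue` shapes, bucket names and key layout are assumptions; `PRIVATE_BUCKET_ID` is the setting named in the thread. Selection fails closed when the private bucket is unset, object keys are sanitised against path traversal, and an audit helper lists any private-issue screenshots found in the public bucket.

```python
"""Route issue screenshots to the public or the private bucket by issue visibility.
Added example, not BLT's own code; field names and bucket names are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
import os


@dataclass(frozen=True)
class StorageSettings:
    public_bucket: str       # bucket for ordinary (public) issue screenshots
    private_bucket_id: str   # PRIVATE_BUCKET_ID: hard-coded for now, swapped at deploy time


@dataclass(frozen=True)
class Issue:
    id: int
    is_private: bool


def select_bucket(issue: Issue, settings: StorageSettings) -> str:
    """Private issues always go to the private bucket; everything else to the public one."""
    if issue.is_private:
        if not settings.private_bucket_id:
            # Fail closed: never fall back to the public bucket for private data.
            raise RuntimeError("PRIVATE_BUCKET_ID is not configured")
        return settings.private_bucket_id
    return settings.public_bucket


def screenshot_key(issue: Issue, filename: str) -> str:
    """Object key under a per-issue prefix; basename() drops any ../ from user-supplied names."""
    name = os.path.basename(filename)
    if not name:
        raise ValueError("empty filename")
    return f"screenshots/{issue.id}/{name}"


def audit_placement(records: list[tuple[Issue, str]], settings: StorageSettings) -> list[Issue]:
    """Return private issues whose screenshot record points at anything but the private bucket.
    `records` is a constructed (issue, bucket) listing such as one read from the database."""
    return [issue for issue, bucket in records
            if issue.is_private and bucket != settings.private_bucket_id]


if __name__ == "__main__":
    cfg = StorageSettings(public_bucket="blt-public", private_bucket_id="blt-private")
    print(select_bucket(Issue(2, True), cfg), screenshot_key(Issue(2, True), "../../shot.png"))
```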