

Heroku Security Bug Bounty - leahculver
https://blog.heroku.com/archives/2014/4/17/security_bug_bounty

======
daeken
> As part of Heroku and our parent company Salesforce.com’s commitment to
> philanthropy, if you are interested in donating your bounty to a recognized
> charity we will match it dollar-for-dollar.

Kudos to the Heroku folks for this. I haven't seen any other bug bounty
program doing this (I'd love to be wrong -- please let me know if I am!), and
it's a very nice change from the norm.

~~~
jon-wood
Google also match anyone who donates their bounty to charity.

------
oijaf888
I wonder why they chose BugCrowd over the seemingly significantly cheaper
HackerOne?

~~~
infosectosser
I would guess it is precisely because BugCrowd is more expensive. They offer a
managed program where BugCrowd's employees validate bug reports for
participating companies. Speaking from experience, that process can become
very time-consuming.

~~~
EricDeb
If I were running a startup or even a moderately-sized company, implementing
and managing a bug bounty program internally sounds like a headache, and
probably would be put off indefinitely. A managed solution like BugCrowd could
definitely fill this void.

