Hacker News | antoinefink's comments

Thanks! In my case, the only thing "missing" was vector search but there's a great extension for that: https://github.com/asg017/sqlite-vec


Thanks for sharing this talk. I didn’t know about MobX, but I did use your fork of wa-sqlite (https://github.com/team-reflect/wa-sqlite/) since I also needed the sqlite-vec extension :) By the way, Reflect is an awesome app; I'm actually a paid subscriber.


For small companies, this can be a valuable tradeoff. For example, we just secured a background processing service using Cloudflare Access; very practical and without too much security tradeoffs.


There doesn't seem to be any PopSQL users around here so I'll share my experience with it.

Currently, we're a team of 5 on a paid plan and we're loving the tool. We mainly use it to:

- Share queries to extract some kind of data from our databases
- Quickly run queries to answer a quick question
- My favorite use case: We create queries around bugs we've noticed in our data. We add "TODO:" in front of the query's name. We'll then move the query to a "Done" folder once we get the expected result.


I don't know if it's the right place, but does anyone have feedback regarding the HackerOne platform? Especially for small SaaS (between 1-2M ARR)?


As someone who has used HackerOne on both sides (managing and reporting bugs), I'd suggest starting a private program first. Select a small group of researchers known to provide good reports and wait for them to start rolling in. Use this as a pilot; if you see value in what's being reported, keep it open.

Keep in mind you're going to see a lot of reports in the beginning; it will level off as you apply fixes. You'll need to prioritize these bug fixes in your organization: if you do not fix them within a time period, the researcher has the ability to disclose the bug publicly.

I recommend you review your program guidelines with a lawyer before starting it.


+1 to starting a private program first, which is recommended by all bounty programs.

If helpful, I wrote down my notes about starting a bounty program, although my experiences were formed by larger companies: https://medium.com/@collingreene/bug-bounty-5-years-in-c95cd...


Agreed with others that it's worth considering a small private program. You can do time-boxed bounties with a capped cost; that way you're getting results without committing to a huge budget. Check out Bugcrowd's "on demand" bounty: https://bugcrowd.com/solutions


I strongly urge you to find security management people at existing startups to talk to before starting a bug bounty program at your own startup. There are things about them that are good, but those things can be counterintuitive.

I haven't had to manage one (yet), but because we'll no doubt be doing that for several startups this year I've been talking to friends about what their bounty programs have been like, and I've learned a lot of stuff. Frankly, bounties are something I might push back on for a lot of startups.


> Frankly, bounties are something I might push back on for a lot of startups.

Care to elaborate why?


If you introduce a bug bounty too early, you will be paying out for vulnerabilities that could be caught or prevented in a much more cost effective manner (vulnerability assessments, penetration tests, developer training, appropriate monitoring).

Daniel Miessler has a good breakdown of when to consider various types of security testing: https://danielmiessler.com/blog/when-vulnerability-assessmen...

Sqreen also has a handy basic security checklist: http://cto-security-checklist.sqreen.io Specific to bug bounties, they say "You need security aware people inside your development teams to evaluate any reports you receive."


Alex Stamos gave a great talk a while back at https://www.youtube.com/watch?v=2OTRU--HtLM while he was at Yahoo. Among the things he covered were the risks of bug bounties.

[Edited to add following]

Another article, http://searchsecurity.techtarget.com/opinion/Is-the-bug-bounty-program-concept-flawed : "There can be a lot of noise in these systems, and the quality isn’t always there, nor are the findings always significant."

And from the same article, Google says "Approximately 90% of the submissions we receive through our vulnerability reporting form are ultimately deemed to have little or no practical significance to product security."


The issue I've read about (I'm not a security practitioner, more like a hobbyist) is that the sheer mass of bogus bounty submissions takes valuable time to evaluate. If you start up a bug bounty program, you're essentially signing up to read hordes of submissions that you'll be obligated to check out, the overwhelming majority of which pan out to be nothing. And many (most?) of those will contain petulant and arrogant demands that the bounty be paid even though the "finding" presented is no actual vulnerability at all.


(Disclosure: I work for Bugcrowd) That's why we suggest going with a 'managed' bounty. That's where Bugcrowd triages all of the incoming bugs and then passes along the valid bugs for you to prioritize and reward. It cuts out all of the noise and only gives you the results.


Every startup with a significant bounty program I've talked to either staffs an internal triage team or outsources triage --- but, either way, they are spending extra money on triage. I haven't talked to any that don't do this.

The concerns I've had raised to me about the value of these programs in practice all assume you're already paying extra to triage.


Right, but the cost differential between staffing it yourself and paying someone else to do it is substantial. Doing it yourself will cost you 3-5x more than paying someone else who is able to do it at scale.


I'd rather see if someone else wants to take a swing at that softball lob first.


Looks great! You could definitely charge more though ;-)


We're hiring a Golang dev at Email Hunter. We're a small company with a fully remote team :) Learn more here: https://emailhunter.workable.com/jobs/276770


I would love to get feedback on this idea. Is there a better way to easily communicate from Ruby with a Go application?

