This is unfortunate.
I shared with @Tallyho a copy of the quote that was provided to me by BugCrowd, upon which I based my estimates for the budget proposal. The content of that quote is subject to a non-disclosure agreement that BugCrowd required me to sign. This is not unusual or nefarious. It is a standard business practice to enable parties to engage in negotiation involving sensitive information such as pricing and discounts.
I believe @Tallyho's main concern is the trade-offs that have to be made between defining the scope of the program and the size of the bounty pool.
Here is what I wrote to @Tallyho, with figures redacted because they are covered under the non-disclosure agreement with BugCrowd:
"When I started working on this project I envisioned a $100,000 bug bounty fund that would be trumpeted from the mountaintops. After researching top tier bug bounty programs, I quickly learned that the amount of the bounty fund is the least important factor. What's important is a relationship with thousands of hackers, hundreds of fully vetted expert researchers, a tested methodology for assigning priority and value to vulnerabilities, and systems in place to accomplish all of that efficiently, securely, and safely. I would be glad to put you in touch directly with the BugCrowd rep to explain in detail what their system entails.
"To be clear, <redacted> is what BugCrowd stated in their quote and is NOT what I have allocated for the bounty pool. As I have stated repeatedly, all these amounts are subject to negotiation, wherein I will be working to get the best deal for Dash.
"Perhaps it would help if I gave you some scenarios with specific numbers. For these scenarios I will not set aside a reserve to deal with USD/Dash price fluctuation. Instead, those funds will be included in the bounty fund and any price fluctuation will be absorbed there."
I then presented figures for 4 scenarios of exactly how the funding could be allocated, which included a scenario in which over $100,000 is allocated for the bounty fund, but only one application could be included in the scope of the program.
I concluded my email with @Tallyho with the following:
"I am of the opinion that it is better for Dash to cover as many important applications as possible in the program and keep the bounty pool to a viable minimum. I also think it is unnecessary to ask the MNOs for more funding to increase the amount of the bounty pool.
"My negotiating position with BugCrowd is that we should receive substantial discounts because we are paying in cash up front for a 12-month program, and those discounts will be applied for additional applications to be included in the program."
If anyone would like to see the numbers, I will be happy to share them privately and confidentially, subject to the terms of the non-disclosure agreement that I am bound to uphold.