Bounty for ecosystem package: pilot program

[vdeturckheim]

HackerOne suggests we define a list of pilot projects we would mark as eligible for bounties if vulnerabilites are reported into. I have an arbitrary list (based on popularity and how maintained I feel these projects are):

• lodash
• jQuery
• node-red
• Express (all packages under the GH org) (Bounty for ecosystem package: pilot program #525 (comment))
• hapi (all packages under the GH org)
• Koajs (all packages under the GH org)
• Webpack
• ESLint
• socket.io

wdyt?

[lirantal]

@vdeturckheim this is very much connected to #503 so we can't really start without that being resolved either.

[dougwilson]

Based on what has transpired with the finalhandler incident, please do not include Express in this bounty program, as I don't have confidence in the processes that are in place here.

[lirantal]

We could probably add some of Matteo's projects to that list as he is pretty active on them as well and they're popular too (/cc @mcollina)

[vdeturckheim]

Good point for @mcollina 's repos!

[mhdawson]

I'm ok with the list provided we get opt-in by the maintainers.

[lirantal]

handled in #593 so closing