docs(processes): bug bounty program

[lirantal]

Addresses #503 and #525 for a list of module criteria for monetary rewards in the bug bounty program

[lirantal]

I would also like us to capture and finalize the bounty rates so we can actually kick it off.

[mhdawson]

LGTM, generally looks good but @Trott's comments should be addressed and I also made a few suggestions.

[mhdawson]

LGTM, generally looks good. We should incorporate @Trott's suggestions and I made a couple of suggestions as well.

[lirantal]

Cool thanks for the feedback @Trott & @mhdawson ❤️
Will hopefully be able to get to it in a couple of days while in between travels.

[lirantal]

I think we're at a good point here to land so will wait till we talk it out in the monthly agenda call before merging.

[sam-github]

Discussed at #541 , removing from agenda (but please add back if it should be discussed again).

[lirantal]

We currently have the PR mentioning the actual modules:

## Modules list 

 The following is a list of modules which are eligible in the monetary reward due to their maintainers
explicitly confirming to collaborate with the working group and security researchers to receive and 
resolve security reports.

 * lodash
* jQuery
* node-red
* hapi (all packages under the GH org)
* Koajs (all packages under the GH org)
* Webpack
* ESLint
* socket.io

So before landing this PR we need to get agreement from their maintainers.
How do we go about reaching out to them? for bigger projects like webpack/lodash there is mostly a team than a BDFL

[sam-github]

I'd suggest opening an issue on their repo and ask if they want to participate. That should reach the right people, or get a response about who the right people are.

[lirantal]

Cool. We've already got a few I'll proceed with contacting some of those in the WIP

[mcollina]

We should probably include links to the github organizations.

[mhdawson]

I agree although I'd be ok with the links being added in a follow on PR.

[lirantal]

I added links to the github repos