Security Crowdsourcing: Bugcrowd, Hackerone, Synack, CrowdCurity

greggles

I'd love to hear feedback about crowdsourced security programs from anyone who has used or researched them. I personally have used Bugcrowd (as a program sponsor) and Hackerone (as a reporter) and they both seemed roughly similar. I haven't really researched the others.

What do folks think about these programs? Anyone using one or more of them, either as sponsor or researcher, and have feedback to share? Do any of their models provide a better match to the Drupal community?

The Drupal Security Team is investigating how it might utilize a program like this for a subset of the work we do. Most bug reports would still be handled via security.drupal.org, but for a special subset program we would run the program (with funding) via this external tool.

We've previously used Bugcrowd for one special project closely related to Drupal.org (the tfa bounty, run by Michael Hess, Ben Jeavons, me and funded by CARD.com). In that case I think it worked quite well, in part because tfa didn't have a stable release so there was no extra work for getting the issues into the s.d.o workflow.
