[Owasp-board] OWASP Bug Bounty Proposals

psiinon psiinon at gmail.com
Tue Apr 12 14:51:44 UTC 2016


Great to see this initiative coming together :)

So what's the process for OWASP projects which would like to be involved in
the OWASP Bug Bounty Program?
Not surprisingly I'd like ZAP to be involved, ideally as soon as the
program is officially announced.
The core ZAP team are happy to manage the ZAP side of things, including
validating reports, crediting security researchers who report ZAP security
bugs, and probably handing out ZAP t-shirts, whether or not OWASP decides
to cover any additional payments to researchers.

Cheers,

Simon

On Fri, Apr 8, 2016 at 11:24 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> Board,
>
> We had three companies submit proposals for the OWASP Bug Bounty Program.
> Selecting one of them was a very difficult decision.  With the proposals
> themselves being fairly equal, we placed much of our emphasis in making the
> decision on the functional aspects of the platforms.  Johanna created an
> excellent matrix of desired functionality which we were able to use to
> narrow down to the one we selected.  Even that was a difficult decision,
> but we have officially given the nod to the company who handles the triage
> and validation of vulnerabilities internally (as opposed to outsourced) as
> we felt that having an internal team looking after us would provide the
> most value.  We are still firming up the contractual pieces, but I feel
> confident in announcing to you that we have officially selected BugCrowd as
> OWASP's new Bug Bounty platform.
>
> The BugCrowd team is very excited about the prospects of working more
> closely with us and has already reached out to Johanna about onboarding a
> couple of projects that she was interested in handling bug bounties for.  I
> am out on vacation next week, but my next steps here will be to work with
> the staff as well as some members of the team and community in order to
> scope out and define what a formal bug bounty program will look like for
> the OWASP Foundation and its assets.  I am unable to attend this month's
> Board meeting, so please consider this my official update on the progress
> and I will hopefully have an update on our progression for the May
> meeting.  Thank you!
>
> ~josh
>
> On Thu, Apr 7, 2016 at 3:48 PM, Bil Corry <bil.corry at owasp.org> wrote:
>
>> Sounds great, thank you for the information.
>>
>>
>> - Bil
>>
>> On Thu, Apr 7, 2016 at 9:59 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>>
>>> > Apologies, I probably missed it, but is OWASP paying bounties?  Or just
>>> > providing recognition?  And what's the scope for the program?
>>>
>>> Hi Bil,
>>>
>>> Clarifications on your questions:
>>>
>>> No, OWASP will not be paying bounties, but purely recognition, sure in
>>> this first phase, once it is announced which Bounty management company we
>>> have selected.
>>>
>>> > And what's the scope for the program?
>>>
>>> Right now, the part I'll be supporting: some security libraries will
>>> participate in the program, to start with
>>>
>>>    - CSRFGuard
>>>    - OWASP SeraphimDroid
>>>
>>> Other projects leaders could manage a program directly within the
>>> interface, like ZAP.
>>>
>>> The management of vulnerabilities will be totally in charge of the
>>> Bounty service provider, and only those confirmed bugs we need to finalise
>>> verifying.
>>>
>>> The idea is also to have a Bounty program for the OWASP wiki and mailman;
>>> this is led by Frank Catucci and other OWASP volunteers who offered their
>>> support:
>>> https://www.owasp.org/index.php/Help_Secure_Owasp_assests
>>>
>>> Cheers
>>>
>>> Johanna
>>>
>>>
>>> On Thu, Apr 7, 2016 at 3:46 PM, Bil Corry <bil.corry at owasp.org> wrote:
>>>
>>>> Apologies, I probably missed it, but is OWASP paying bounties?  Or just
>>>> providing recognition?  And what's the scope for the program?
>>>>
>>>>
>>>> - Bil
>>>>
>>>> On Wed, Apr 6, 2016 at 10:53 PM, Jim Manico <jim.manico at owasp.org>
>>>> wrote:
>>>>
>>>>> All good Josh, thank you for this. I support the process.
>>>>>
>>>>> Aloha,
>>>>> Jim
>>>>>
>>>>>
>>>>> On 4/6/16 10:12 AM, Josh Sokol wrote:
>>>>>
>>>>> OWASP Board,
>>>>>
>>>>> The OWASP Bug Bounty initiative team, consisting of Kelly, Claudia,
>>>>> Johanna, Frank, Simon, and myself, have performed both a technical and
>>>>> contractual analysis of three bug bounty vendors.  We have come to a
>>>>> consensus on the vendor that we feel will provide us with the most
>>>>> capabilities and will be the best fit for the OWASP Foundation.  Before we
>>>>> notify the vendors and make an announcement of our selected vendor, I
>>>>> wanted to ask if any of you had any reservations with respect to the team's
>>>>> ability to conduct an impartial evaluation and select a vendor to move
>>>>> forward with?  If there are any concerns, I want to make sure that they are
>>>>> addressed now, before an announcement has been made.  If not, then you can
>>>>> expect an announcement in the next few days.  Thank you.
>>>>>
>>>>> ~josh
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
>>>
>>
>>
>


-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader