[Owasp-board] Initial Funding for OWASP Bug Bounty Program

Mishra Dhiraj mishra.dhiraj95 at gmail.com
Mon Apr 18 17:08:11 UTC 2016

Hey Josh Sir ,

Yes Putting the Bug Bounties to the PROJECT will be Great Idea ,
Small Idea Behalf of My Side Sir ,

- Bug Bounty will should Cover Web-Application [owasp.org] and Sub-Domains
to but  Blog domain should not be a Part of it , and   Projects to but only
the Project which is Matured like ZAP , OWTF and etc should only cover Bug
Bounty Programs not all Projects.
- Talking About $ depends upon the Vulnerability founded by the Researcher
, Minimum amount should be $500 ,  or Sir depends upon the Board member
discussion , or else sir , In my Opinion  OWASP been a security
organization , and a greater  trend to the Security / Hacker Community
around the Globe only HoF would give a Swag and will Rise up the Researches
a-lot , researcher will be Honoured to be part of it , if $ is not paid to.
- Talking about web-application sir I suggest only few attacks should be
Eli-gibe for the  Bug Bounty , like OWASP Top 10 Should be Covered only but
the attacks Like CRIME , POODLE , Content Spoofing , MITM , and many should
not be a Part of it.
- But sir before announcing  the Bug Bounty Program Globally , Our
Technical team should do and Find a Bug and Fix Before , a small Technical
Walk through is must needed Sir and we can Go on then.

On Mon, Apr 18, 2016 at 10:09 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> Thanks for the feedback, Matt.  Projects are definitely in scope, on an
> opt-in basis, and subject to certain requirements that are yet to be
> defined.  There will be both opportunities for "kudos" as well as for paid
> bounties for them.  Regardless of whether we are talking about Project
> bounties, or Foundation bounties, however, we still need to determine how
> much money (if any) we put into the pot.  So, that question remains.
> As for the Foundation bounties, I hear what you're saying, and tend to
> agree.  If there are low-hanging fruit types of issues, they need to be
> addressed internally first.  While I agree that there is little value-add
> in piling up more work on your plate, I do find myself curious about the
> issues that would be discovered and wondering about proper prioritization
> of our limited resources.  I also wonder if, given your current state of
> being overworked, we shouldn't open up a full-time position to handle our
> IT work (or at least more than the currently allocated 10 hours).  It seems
> that there is a lot to be done, and not a lot of time allocated to do it
> in.  Ultimately, considering that we are a security organization, we should
> be greatly interested in eliminating issues that could lead to compromise.
> That would be quite embarrassing.  So, in my opinion, this is a merited
> discussion that we probably need to pull into a different thread.
> ~josh
> On Mon, Apr 18, 2016 at 10:51 AM, Matt Tesauro <matt.tesauro at owasp.org>
> wrote:
>> My thoughts for what they are worth:
>> My understanding was that the scope of this effort was OWASP projects -
>> so that our projects have been vetted and, hopefully, are free from
>> security defects.  This seems like a very sensible use of Foundation
>> resources.
>> Pointing the Bug Bounty masses at the OWASP infrastructure, even with the
>> initial triage handled by a 3rd party, is foolish.  Why?
>>    - I can list the problems with the current infrastructure for you and
>>    zero cost. There is very little value in these being rediscovered by random
>>    Internet bug hunters.
>>    - I've spent the last 3 weekends writing various fail2ban rules to
>>    try and stop the dramatic increase in automated crawling (aka pro bono
>>    scanning) of the wiki.  The wiki, which wasn't running any where near
>>    capacity, has been hitting 100% CPU and throwing high load/CPU monitoring
>>    alerts from shortly after our 'draft' policy was placed on the OWASP wiki -
>>    see https://www.owasp.org/index.php/About_OWASP/Bug_Bounty
>>    - It took several iterations to find a rule that adequately blocks
>>       punks and lets the staff aka heavy wiki users get things done.  During
>>       those iterations, several of the staff were temporarily blocked from the
>>       wiki by fail2ban.
>>    - Ask the staff about how much they liked last week when two
>>    instances of some Internet putz fuzzing our Wiki account registration has
>>    created a backlog of bogus registrations.  Beyond the hundreds of
>>    notification emails the staff and I received, we how have a wiki
>>    registration system which
>>       - Needs to manually have 100's of bogus requests reviewed and
>>       deleted
>>       - Legit requests are getting lost in the bogus requests
>>       - On one occasion, a bogus registration was accidentally confirmed
>>       leading to SPAM on the wiki which then needs to be cleaned up wasting more
>>       staff time/resources non-productively.
>> I completely agree that bug bounties of our PROJECTS is a great idea.
>> However, until we have an infrastructure that is both more resilient and
>> shored up with the issues we already know about, having the Internet poke
>> at our servers is counter productive.  Of late, my 10 hours per week are
>> spent either cleaning up cruft from those that don't realize that wiki page
>> isn't an endorsement to poke at our infrastructure or just routine
>> maintenance.
>> The opportunity cost of a bug bounty is
>>    - Staff work interrupted, delayed or refocused on clean-up that
>>    inevitably happens when those with ranges of skills poke at infrastructure.
>>    - Fire drills for our Infrastructure rather then planned and focused
>>    upgrades across our infrastructure.  I'd have much rather used the last 3
>>    weeks of my 10 hours to complete setting up a new Mailman instance.
>>    Instead, I'm cleaning up messes and answering emails about problems I
>>    already know about and have prioritized lower for various reasons.  This
>>    email is an example of me being diverted from infrastructure enhancing
>>    activities.
>> Considering the large difference between my 'day job' pay rate and what
>> OWASP pays me for 10 hours/week and the fact that I have and like my
>> family, I'm loath to spend more then my allotted OWASP time - though I
>> frequently do anyway.
>> </Matt's 2 cents>
>> --
>> -- Matt Tesauro
>> OWASP WTE Project Lead
>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>> http://AppSecLive.org - Community and Download site
>> OWASP OpenStack Security Project Lead
>> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>> On Mon, Apr 18, 2016 at 10:18 AM, Josh Sokol <josh.sokol at owasp.org>
>> wrote:
>>> My thinking is that this bounty would be used for the OWASP Foundation
>>> resources.  The wiki, conference sites, etc.  Projects could participate
>>> with kudos and could self-fund out of their project funds for any bounties
>>> that they would like to pay out.  I still need to work on defining those
>>> rules of engagement, but for now we need to come up with an initial deposit
>>> amount that we feel comfortable transferring to BugCrowd to get this
>>> rolling.
>>> ~josh
>>> On Mon, Apr 18, 2016 at 10:07 AM, Matt Konda <matt.konda at owasp.org>
>>> wrote:
>>>> Josh,
>>>> I would support putting some $ behind this.  Definitely a bounded small
>>>> initial commitment but $.  That will result in better faster feedback IMO.
>>>> I think we need to make sure we think through how it gets used.  90% to
>>>> a smaller lesser known OWASP project and 10% to ZAP for example might be a
>>>> possible problem.  Do we have a rule that project committers can't receive
>>>> bounty?  :)
>>>> We could start with a few projects and do the kudos approach and match
>>>> funds that those projects want to use.
>>>> I defer to the team that is focused here, just wanted to share my
>>>> thoughts.
>>>> Matt
>>>> On Mon, Apr 18, 2016 at 9:06 AM, Josh Sokol <josh.sokol at owasp.org>
>>>> wrote:
>>>>> Board,
>>>>> Now that we have announced BugCrowd as our bug bounty program
>>>>> platform, it is time to take the next step of figuring out how much of a
>>>>> bounty we want to start with.  There is no minimum funding amount (we could
>>>>> do "kudo" bounties if we want) and we can scale the rewards however we
>>>>> would like for different categories.  Obviously, money equates to more
>>>>> motivated researchers.  BugCrowd's recommendation is to fund the initial
>>>>> pot at $5,000 and go from there.  I think we were originally talking about
>>>>> just leveraging a Wall of Fame to start with (ie. "kudos"), but I wanted to
>>>>> see what others thought about it.  Should we throw some money into the
>>>>> pot?  How much?  Your feedback is greatly appreciated.
>>>>> ~josh
>>>>> _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board


*Dhiraj Mishra.*

*OWASP Bug Bounty.*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20160418/9c496299/attachment-0001.html>

More information about the Owasp-board mailing list