[Owasp-board] Petition budget for OWASP Bug Bounty 2016-2017

psiinon psiinon at gmail.com
Thu Nov 10 13:08:07 UTC 2016


A suggestion.
Rather than transfer money which might not be used to projects for the bug
bounty, how about underwriting an amount for relevant projects?
For example, OWASP could offer to pay 50% of the ZAP bug bounties up to a
total of $2000, the other 50% to come out of ZAP funds.
We have nominally set aside $2,000 for the bug bounty from the ZAP funds;
this would then in effect be raised to $4,000.
And if (as we hope) no one finds any ZAP RCEs then the money OWASP has
underwritten will not be tied up.

Cheers,

Simon

On Thu, Nov 10, 2016 at 12:28 PM, psiinon <psiinon at gmail.com> wrote:

> Thanks for driving this Johanna!
>
> Not surprisingly I'm fully behind this request :)
>
> Cheers,
>
> Simon
>
> On Thu, Nov 10, 2016 at 12:22 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> Dear Board,
>>
>> So far the bug bounty has been running since May, and I believe one of the
>> projects that have benefited most from this program is ZAP.
>>
>> Other projects which are less popular have not received many
>> submissions, still valuable feedback.
>>
>> So far it is clear that for bug hunters to spend time on this there must
>> be a financial gain, not just kudos. ZAP has recently launched monetary
>> bounties from their own project budget (USD 1000).
>>
>> My request is to have a Budget of USD 6000 for the Bounty as a support
>> for projects that are working proactively in their security. ZAP is sure
>> leading by example and with this budget, we can have the existing
>> participating projects being challenged by this
>>
>> For the budget, it will be broken down as follows:
>>
>>    - ZAP ==> USD 2000
>>    - Java Encoder ==> USD 1000
>>    - Java Sanitizer ==> USD 1000
>>    - CSRFGuard ==> USD 1000
>>    - Any new project that wants to participate ==> USD 1000
>>
>> We can discuss this during the next OWASP meeting
>>
>> Regards
>>
>> Johanna
>>
>
>
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>



-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader