[Owasp-board] Petition budget for OWASP Bug Bounty 2016-2017

psiinon psiinon at gmail.com
Thu Nov 10 16:31:44 UTC 2016

At the moment I believe it is only ZAP that is paying any money out.
The change to pay out money has only just been made today so we have not
paid anything out yet.
We will pay $1000 for (just) RCE vulnerabilities in ZAP. There are various
exclusions as detailed on https://bugcrowd.com/owaspzap
The final decision will be made by the ZAP team in conjunction with
We are planning on paying for any bounties from the ZAP project funds,
although obviously any help from OWASP would be appreciated :)
If we receive so many valid submissions that we run out of project funds
then we will either need to raise more funds or change the program to
reduce / remove the bounty.



On Thu, Nov 10, 2016 at 4:07 PM, Bil Corry <bil.corry at owasp.org> wrote:

> What are the proposed bounty amounts?  Who decides which bugs qualify and
> how much is paid?  What happens when the $6k runs out?
> And to gauge the flow of funds, pretend you had been paying a bounty, how
> much would you have paid so far on the already-received bugs?
> - Bil
> On Thu, Nov 10, 2016 at 5:22 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>> Dear Board,
>> So far the bug bounty is running since May , and I believe one of the
>> projects that have benefit most from this program is ZAP.
>> Others projects which are less popular have not received many
>> submissions, still valuable feedback.
>> So far it is clear that for bug hunters to spent time on this there must
>> be a financial gain, not just kudos. Zap has recently launched monetary
>> bounties from their own project budget (USD 1000).
>> My request is to have a Budget of USD 6000 for the Bounty as a support
>> for projects that are working proactively in their security. ZAP is sure
>> leading by example and with this budget, we can have the existing
>> participating projects   being challenged by this
>> For the budget , it will be break down as follows
>>    - ZAP==>USD 2000
>>    - Java Encoder==>USD1000
>>    - Java Sanitizer==> USD 1000
>>    - CRSFGuard==>USD 1000
>>    - Any new project that wants to participate==>USD 1000
>> We can discuss this during the next OWASP meeting
>> Regards
>> Johanna
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board

OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20161110/f596f644/attachment.html>

More information about the Owasp-board mailing list