[Owasp-board] Petition budget for OWASP Bug Bounty 2016-2017

psiinon psiinon at gmail.com
Thu Nov 10 16:35:08 UTC 2016


Oh, and I don't think that any of the previously reported bugs would qualify
for the bounty.

Simon

On Thu, Nov 10, 2016 at 4:31 PM, psiinon <psiinon at gmail.com> wrote:

> At the moment I believe it is only ZAP that is paying any money out.
> The change to pay out money has only just been made today so we have not
> paid anything out yet.
> We will pay $1000 for (just) RCE vulnerabilities in ZAP. There are various
> exclusions as detailed on https://bugcrowd.com/owaspzap
> The final decision will be made by the ZAP team in conjunction with
> bugcrowd.
> We are planning on paying for any bounties from the ZAP project funds,
> although obviously any help from OWASP would be appreciated :)
> If we receive so many valid submissions that we run out of project funds
> then we will either need to raise more funds or change the program to
> reduce / remove the bounty.
>
> Cheers,
>
> Simon
>
> On Thu, Nov 10, 2016 at 4:07 PM, Bil Corry <bil.corry at owasp.org> wrote:
>
>> What are the proposed bounty amounts?  Who decides which bugs qualify and
>> how much is paid?  What happens when the $6k runs out?
>>
>> And to gauge the flow of funds, pretend you had been paying a bounty, how
>> much would you have paid so far on the already-received bugs?
>>
>>
>> - Bil
>>
>> On Thu, Nov 10, 2016 at 5:22 AM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Dear Board,
>>>
>>> So far the bug bounty has been running since May, and I believe one of the
>>> projects that has benefited most from this program is ZAP.
>>>
>>> Other projects, which are less popular, have not received many
>>> submissions, but still valuable feedback.
>>>
>>> So far it is clear that for bug hunters to spend time on this there must
>>> be a financial gain, not just kudos. ZAP has recently launched monetary
>>> bounties from their own project budget (USD 1000).
>>>
>>> My request is to have a budget of USD 6000 for the bounty as a support
>>> for projects that are working proactively on their security. ZAP is surely
>>> leading by example, and with this budget we can have the existing
>>> participating projects being challenged by this.
>>>
>>> For the budget, it will be broken down as follows:
>>>
>>>    - ZAP ==> USD 2000
>>>    - Java Encoder ==> USD 1000
>>>    - Java Sanitizer ==> USD 1000
>>>    - CSRFGuard ==> USD 1000
>>>    - Any new project that wants to participate ==> USD 1000
>>>
>>> We can discuss this during the next OWASP meeting.
>>>
>>> Regards,
>>>
>>> Johanna
>>>
>>>
>>>
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>
>>>
>>



-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader