[Owasp-board] Petition budget for OWASP Bug Bounty 2016-2017
psiinon at gmail.com
Thu Nov 10 16:35:08 UTC 2016
Oh, and I don't think that any of the previously reported bugs would qualify
for the bounty.
On Thu, Nov 10, 2016 at 4:31 PM, psiinon <psiinon at gmail.com> wrote:
> At the moment I believe it is only ZAP that is paying any money out.
> The change to pay out money has only just been made today so we have not
> paid anything out yet.
> We will pay $1000 for (just) RCE vulnerabilities in ZAP. There are various
> exclusions as detailed on https://bugcrowd.com/owaspzap
> The final decision will be made by the ZAP team in conjunction with
> We are planning on paying for any bounties from the ZAP project funds,
> although obviously any help from OWASP would be appreciated :)
> If we receive so many valid submissions that we run out of project funds
> then we will either need to raise more funds or change the program to
> reduce / remove the bounty.
> On Thu, Nov 10, 2016 at 4:07 PM, Bil Corry <bil.corry at owasp.org> wrote:
>> What are the proposed bounty amounts? Who decides which bugs qualify and
>> how much is paid? What happens when the $6k runs out?
>> And to gauge the flow of funds, pretend you had been paying a bounty, how
>> much would you have paid so far on the already-received bugs?
>> - Bil
>> On Thu, Nov 10, 2016 at 5:22 AM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>> Dear Board,
>>> So far the bug bounty has been running since May, and I believe one of the
>>> projects that has benefited most from this program is ZAP.
>>> Other projects which are less popular have not received many
>>> submissions, but still valuable feedback.
>>> So far it is clear that for bug hunters to spend time on this there must
>>> be a financial gain, not just kudos. ZAP has recently launched monetary
>>> bounties from their own project budget (USD 1000).
>>> My request is to have a budget of USD 6000 for the Bounty as a support
>>> for projects that are working proactively on their security. ZAP is surely
>>> leading by example, and with this budget we can have the existing
>>> participating projects being challenged by this.
>>> For the budget, it will be broken down as follows:
>>> - ZAP ==> USD 2000
>>> - Java Encoder ==> USD 1000
>>> - Java Sanitizer ==> USD 1000
>>> - CSRFGuard ==> USD 1000
>>> - Any new project that wants to participate ==> USD 1000
>>> We can discuss this during the next OWASP meeting.
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader