[Owasp-board] Petition budget for OWASP Bug Bounty 2016-2017

Josh Sokol josh.sokol at owasp.org
Thu Nov 10 21:28:03 UTC 2016


Johanna,

I get what you're saying, but it doesn't change the fact that the funds are
there and aren't being used.  Andrew just went on a huge rant about all of
the money sitting around reserved in funding buckets in another thread.  I
agree that this is a great initiative, and would support it for CSRFGuard
since they don't have any funds.  For the other three, I would like to see
them using their funds.  If those get used up, then absolutely this is
something that the Foundation could consider chipping in for.

~josh

On Thu, Nov 10, 2016 at 2:57 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Hi Josh
>
> While I agree ZAP has funds, I think we need to support the best projects
> we have. We should provide a support framework to our Flagship projects,
> which is definitely part of the support we should provide as an
> organization to outstanding project and project leaders.
>
> The funds ZAP has at the moment have been donations they have received;
> they have not cost anything to the Foundation. I believe the more we invest
> in the best projects we have, the more it helps OWASP as an organization to
> profile itself as leading in security and continue the amazing work project
> leaders like Simon have achieved. ZAP is one of these projects that rarely
> or never has made requests from community funds, so why not help to improve
> and support their quality with this?
>
> Indeed, CSRFGuard has no budget and so far has had no submissions, sadly
> enough. Other projects like Sanitizer and Encoder have had some, and the
> idea is to see if, with some monetary incentives, we can receive more
> submissions so the security of the projects can improve too.
>
> Also every project that falls within the criteria can be part of the
> Bounty and help improve the quality and security of their project. I
> believe we should support this. Our flagship projects definitely deserve
> more support and care.
>
> I'm planning to set this as a goal. Project leaders need more support than
> they are actually receiving, especially our top projects.
>
> Cheers
>
> Johanna
>
> On Thu, Nov 10, 2016 at 9:43 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> ZAP currently has $8,373.11 in funds.  Why would the Foundation put up
>> the money when ZAP has more than enough currently to cover its bounties?
>>
>> Java Encoder and Java Sanitizer each have $500.  Can we start with that
>> and see if we need more funds after that?  Keep in mind that the $500 was a
>> grant from the Foundation to empower these projects to do things exactly
>> like this.  Why would they not be spending it?
>>
>> I don't see CSRFGuard in the donation scoreboard which likely means that
>> they don't have any funds.  That also likely means that they don't have at
>> least two active leaders or else they would have received the $500 stipend.
>>
>> ~josh
>>
>> On Thu, Nov 10, 2016 at 2:31 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Hi Bil
>>>
>>> >>What are the proposed bounty amounts?
>>> >>Who decides which bugs qualify and how much is paid?  What happens
>>> when the $6k runs out?
>>>
>>> That mostly depends on the type of bug. For example, the ZAP team can
>>> decide how much they will pay for a certain bug. Each bug can be classified
>>> from Low to High, with High being the highest you can pay, but the amount
>>> can be defined by ourselves.
>>>
>>> Example:
>>>
>>> Low ==> USD 50
>>> Medium ==> USD 100
>>> High ==> USD 500
>>>
>>> First come, first served. The first one to report gets the prize. Old bugs
>>> do not count.
>>>
>>> If we run out of budget this year we can:
>>> make a new request, or
>>> go back to Kudos ;-P
>>>
>>> It can also happen that no-one finds anything and the money will be
>>> reserved until it is.
>>>
>>> >>And to gauge the flow of funds, pretend you had been paying a bounty,
>>> how much would you have paid so far on the already-received bugs?
>>>
>>> Nothing, since the program at that moment was running on Kudos. The bug
>>> hunters receive points that help their ranking; that was the initial
>>> motivation, but many do not just do it for this purpose but for financial
>>> reasons.
>>>
>>> Cheers
>>>
>>> Johanna
>>>
>>> On Thu, Nov 10, 2016 at 5:35 PM, psiinon <psiinon at gmail.com> wrote:
>>>
>>>> Oh, and I don't think that any of the previously reported bugs would
>>>> qualify for the bounty.
>>>>
>>>> Simon
>>>>
>>>> On Thu, Nov 10, 2016 at 4:31 PM, psiinon <psiinon at gmail.com> wrote:
>>>>
>>>>> At the moment I believe it is only ZAP that is paying any money out.
>>>>> The change to pay out money has only just been made today so we have
>>>>> not paid anything out yet.
>>>>> We will pay $1000 for (just) RCE vulnerabilities in ZAP. There are
>>>>> various exclusions as detailed on https://bugcrowd.com/owaspzap
>>>>> The final decision will be made by the ZAP team in conjunction with
>>>>> bugcrowd.
>>>>> We are planning on paying for any bounties from the ZAP project funds,
>>>>> although obviously any help from OWASP would be appreciated :)
>>>>> If we receive so many valid submissions that we run out of project
>>>>> funds then we will either need to raise more funds or change the program to
>>>>> reduce / remove the bounty.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Simon
>>>>>
>>>>> On Thu, Nov 10, 2016 at 4:07 PM, Bil Corry <bil.corry at owasp.org>
>>>>> wrote:
>>>>>
>>>>>> What are the proposed bounty amounts?  Who decides which bugs qualify
>>>>>> and how much is paid?  What happens when the $6k runs out?
>>>>>>
>>>>>> And to gauge the flow of funds, pretend you had been paying a bounty,
>>>>>> how much would you have paid so far on the already-received bugs?
>>>>>>
>>>>>>
>>>>>> - Bil
>>>>>>
>>>>>> On Thu, Nov 10, 2016 at 5:22 AM, johanna curiel curiel <
>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>>> Dear Board,
>>>>>>>
>>>>>>> So far the bug bounty has been running since May, and I believe one of
>>>>>>> the projects that has benefited most from this program is ZAP.
>>>>>>>
>>>>>>> Other projects which are less popular have not received many
>>>>>>> submissions, but still valuable feedback.
>>>>>>>
>>>>>>> So far it is clear that for bug hunters to spend time on this there
>>>>>>> must be a financial gain, not just kudos. ZAP has recently launched
>>>>>>> monetary bounties from their own project budget (USD 1000).
>>>>>>>
>>>>>>> My request is to have a budget of USD 6000 for the Bounty as support
>>>>>>> for projects that are working proactively on their security. ZAP is
>>>>>>> surely leading by example, and with this budget we can have the existing
>>>>>>> participating projects being challenged by this.
>>>>>>>
>>>>>>> For the budget, it will be broken down as follows:
>>>>>>>
>>>>>>>    - ZAP ==> USD 2000
>>>>>>>    - Java Encoder ==> USD 1000
>>>>>>>    - Java Sanitizer ==> USD 1000
>>>>>>>    - CSRFGuard ==> USD 1000
>>>>>>>    - Any new project that wants to participate ==> USD 1000
>>>>>>>
>>>>>>> We can discuss this during the next OWASP meeting.
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> Johanna
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Owasp-board mailing list
>>>>>>> Owasp-board at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>
>>>
>>>
>>>
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
>>>
>>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>