[Owasp-board] Petition budget for OWASP Bug Bounty 2016-2017

Bil Corry bil.corry at owasp.org
Thu Nov 10 22:58:40 UTC 2016


You'll need to make sure that it's clear that once funds run out, bounties
will no longer be paid.  You don't want to be in a situation where your bug
queue is long and it takes a few days to triage, and in the meantime you
run out of funds and now can't pay the bounties you said you would pay.


- Bil

On Thu, Nov 10, 2016 at 9:35 AM, psiinon <psiinon at gmail.com> wrote:

> Oh, and I don't think that any of the previously reported bugs would
> qualify for the bounty.
>
> Simon
>
> On Thu, Nov 10, 2016 at 4:31 PM, psiinon <psiinon at gmail.com> wrote:
>
>> At the moment I believe it is only ZAP that is paying any money out.
>> The change to pay out money has only just been made today so we have not
>> paid anything out yet.
>> We will pay $1000 for (just) RCE vulnerabilities in ZAP. There are
>> various exclusions as detailed on https://bugcrowd.com/owaspzap
>> The final decision will be made by the ZAP team in conjunction with
>> bugcrowd.
>> We are planning on paying for any bounties from the ZAP project funds,
>> although obviously any help from OWASP would be appreciated :)
>> If we receive so many valid submissions that we run out of project funds
>> then we will either need to raise more funds or change the program to
>> reduce / remove the bounty.
>>
>> Cheers,
>>
>> Simon
>>
>> On Thu, Nov 10, 2016 at 4:07 PM, Bil Corry <bil.corry at owasp.org> wrote:
>>
>>> What are the proposed bounty amounts?  Who decides which bugs qualify
>>> and how much is paid?  What happens when the $6k runs out?
>>>
>>> And to gauge the flow of funds, pretend you had been paying a bounty,
>>> how much would you have paid so far on the already-received bugs?
>>>
>>>
>>> - Bil
>>>
>>> On Thu, Nov 10, 2016 at 5:22 AM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>
>>>> Dear Board,
>>>>
>>>> So far the bug bounty has been running since May, and I believe one of the
>>>> projects that has benefited most from this program is ZAP.
>>>>
>>>> Other projects, which are less popular, have not received many
>>>> submissions, but still valuable feedback.
>>>>
>>>> So far it is clear that for bug hunters to spend time on this there
>>>> must be a financial gain, not just kudos. ZAP has recently launched
>>>> monetary bounties from their own project budget (USD 1000).
>>>>
>>>> My request is to have a budget of USD 6000 for the bounty as a support
>>>> for projects that are working proactively on their security. ZAP is surely
>>>> leading by example, and with this budget we can have the existing
>>>> participating projects being challenged by this.
>>>>
>>>> For the budget, it will be broken down as follows:
>>>>
>>>>    - ZAP ==> USD 2000
>>>>    - Java Encoder ==> USD 1000
>>>>    - Java Sanitizer ==> USD 1000
>>>>    - CSRFGuard ==> USD 1000
>>>>    - Any new project that wants to participate ==> USD 1000
>>>>
>>>> We can discuss this during the next OWASP meeting
>>>>
>>>> Regards
>>>>
>>>> Johanna
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Owasp-board mailing list
>>>> Owasp-board at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>
>
>
>
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>