[Owasp-board] Petition budget for OWASP Bug Bounty 2016-2017

johanna curiel curiel johanna.curiel at owasp.org
Fri Nov 11 00:38:56 UTC 2016


>> You'll need to make sure that it's clear that once funds run out,
>> bounties will no longer be paid.

I don't think this is a problem; changing the Bounty Page scope after a
certain amount (we won't wait to be at 0 to do this) will ensure this.



On Thu, Nov 10, 2016 at 11:58 PM, Bil Corry <bil.corry at owasp.org> wrote:

> You'll need to make sure that it's clear that once funds run out, bounties
> will no longer be paid.  You don't want to be in a situation where your bug
> queue is long and it takes a few days to triage, and in the meantime you
> run out of funds and now can't pay for bounties you said you would pay on.
>
>
> - Bil
>
> On Thu, Nov 10, 2016 at 9:35 AM, psiinon <psiinon at gmail.com> wrote:
>
>> Oh, and I don't think that any of the previously reported bugs would
>> qualify for the bounty.
>>
>> Simon
>>
>> On Thu, Nov 10, 2016 at 4:31 PM, psiinon <psiinon at gmail.com> wrote:
>>
>>> At the moment I believe it is only ZAP that is paying any money out.
>>> The change to pay out money has only just been made today so we have not
>>> paid anything out yet.
>>> We will pay $1000 for (just) RCE vulnerabilities in ZAP. There are
>>> various exclusions as detailed on https://bugcrowd.com/owaspzap
>>> The final decision will be made by the ZAP team in conjunction with
>>> bugcrowd.
>>> We are planning on paying for any bounties from the ZAP project funds,
>>> although obviously any help from OWASP would be appreciated :)
>>> If we receive so many valid submissions that we run out of project funds
>>> then we will either need to raise more funds or change the program to
>>> reduce / remove the bounty.
>>>
>>> Cheers,
>>>
>>> Simon
>>>
>>> On Thu, Nov 10, 2016 at 4:07 PM, Bil Corry <bil.corry at owasp.org> wrote:
>>>
>>>> What are the proposed bounty amounts?  Who decides which bugs qualify
>>>> and how much is paid?  What happens when the $6k runs out?
>>>>
>>>> And to gauge the flow of funds, pretend you had been paying a bounty,
>>>> how much would you have paid so far on the already-received bugs?
>>>>
>>>>
>>>> - Bil
>>>>
>>>> On Thu, Nov 10, 2016 at 5:22 AM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>> Dear Board,
>>>>>
>>>>> So far the bug bounty has been running since May, and I believe one of the
>>>>> projects that has benefited most from this program is ZAP.
>>>>>
>>>>> Other projects which are less popular have not received many
>>>>> submissions, but still valuable feedback.
>>>>>
>>>>> So far it is clear that for bug hunters to spend time on this there
>>>>> must be a financial gain, not just kudos. ZAP has recently launched
>>>>> monetary bounties from their own project budget (USD 1000).
>>>>>
>>>>> My request is to have a budget of USD 6000 for the bounty as support
>>>>> for projects that are working proactively on their security. ZAP is surely
>>>>> leading by example, and with this budget we can have the existing
>>>>> participating projects being challenged by this.
>>>>>
>>>>> The budget will be broken down as follows:
>>>>>
>>>>>    - ZAP ==> USD 2000
>>>>>    - Java Encoder ==> USD 1000
>>>>>    - Java Sanitizer ==> USD 1000
>>>>>    - CSRFGuard ==> USD 1000
>>>>>    - Any new project that wants to participate ==> USD 1000
>>>>>
>>>>> We can discuss this during the next OWASP meeting.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Johanna
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>
>>
>
>


-- 
Johanna Curiel
OWASP Volunteer