[Owasp-board] Petition budget for OWASP Bug Bounty 2016-2017

johanna curiel curiel johanna.curiel at owasp.org
Fri Nov 11 00:56:02 UTC 2016


>> If those get used up, then absolutely this is something that the
Foundation could consider chipping in for.

Ideally, if I understand what you are saying, it is that Projects should
spend their budget down to 0 in order to get any financial support from the
OWASP budget?

On Thu, Nov 10, 2016 at 10:28 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> Johanna,
>
> I get what you're saying, but it doesn't change the fact that the funds
> are there and aren't being used.  Andrew just went on a huge rant about all
> of the money sitting around reserved in funding buckets in another thread.
> I agree that this is a great initiative, and would support it for CSRFGuard
> since they don't have any funds.  For the other three, I would like to see
> them using their funds.  If those get used up, then absolutely this is
> something that the Foundation could consider chipping in for.
>
> ~josh
>
> On Thu, Nov 10, 2016 at 2:57 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> Hi Josh
>>
>> While I agree ZAP has funds, I think we need to support the best projects
>> we have. We should provide a support framework to our Flagship projects,
>> which is definitely part of the support we should provide as an
>> organization to outstanding projects and project leaders.
>>
>> The funds ZAP has at the moment have been donations they have received;
>> they have not cost anything to the foundation. I believe the more we invest
>> in the best projects we have, the more it helps OWASP as an organization to
>> profile itself as leading in security and to continue the amazing work
>> project leaders like Simon have achieved. ZAP is one of those projects that
>> rarely or never has made requests for community funds, so why not help to
>> improve and support their quality with this?
>>
>> Indeed, CSRFGuard has no budget and so far has had no submissions, sadly
>> enough. Other projects like Sanitizer and Encoder have had some, and the
>> idea is to see if, with some monetary incentives, we can receive more
>> submissions so the security of the projects can improve too.
>>
>> Also every project that falls within the criteria can be part of the
>> Bounty and help improve the quality and security of their project. I
>> believe we should support this. Our flagship projects definitely deserve
>> more support and care.
>>
>> I'm planning to set this as a goal. Project leaders need more support than
>> they actually receive, especially our top projects.
>>
>> Cheers
>>
>> Johanna
>>
>> On Thu, Nov 10, 2016 at 9:43 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>>> ZAP currently has $8,373.11 in funds.  Why would the Foundation put up
>>> the money when ZAP has more than enough currently to cover its bounties?
>>>
>>> Java Encoder and Java Sanitizer each have $500.  Can we start with that
>>> and see if we need more funds after that?  Keep in mind that the $500 was a
>>> grant from the Foundation to empower these projects to do things exactly
>>> like this.  Why would they not be spending it?
>>>
>>> I don't see CSRFGuard in the donation scoreboard which likely means that
>>> they don't have any funds.  That also likely means that they don't have at
>>> least two active leaders or else they would have received the $500 stipend.
>>>
>>> ~josh
>>>
>>> On Thu, Nov 10, 2016 at 2:31 PM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>> Hi Bil
>>>>
>>>> >>What are the proposed bounty amounts?
>>>> >>Who decides which bugs qualify and how much is paid?  What happens
>>>> when the $6k runs out?
>>>>
>>>> That mostly depends on the type of bug. For example, the ZAP team can decide
>>>> how much they will pay for a certain bug. Each bug can be classified from
>>>> Low to High, High being the highest you can pay, but the amount can be
>>>> defined by ourselves.
>>>>
>>>> Example
>>>>
>>>> Low ==> USD 50
>>>> Medium ==> USD 100
>>>> High ==> USD 500
>>>>
>>>> First come, first served. The first one to report gets the prize. Old
>>>> bugs do not count.
>>>>
>>>> If we run out of budget this year we can:
>>>> Make a new request or
>>>> we go back to Kudos ;-P .
>>>>
>>>> It can also happen that no-one finds anything and the money will be
>>>> reserved until it is.
>>>>
>>>> >>And to gauge the flow of funds, pretend you had been paying a bounty,
>>>> how much would you have paid so far on the already-received bugs?
>>>>
>>>> Nothing, since the program at that moment was running on Kudos. The bug
>>>> hunters receive points that help their ranking; that was the initial
>>>> motivation, but many do not do it just for this purpose but for financial reasons.
>>>> Cheers
>>>>
>>>> Johanna
>>>>
>>>> On Thu, Nov 10, 2016 at 5:35 PM, psiinon <psiinon at gmail.com> wrote:
>>>>
>>>>> Oh, and I don't think that any of the previously reported bugs would
>>>>> qualify for the bounty.
>>>>>
>>>>> Simon
>>>>>
>>>>> On Thu, Nov 10, 2016 at 4:31 PM, psiinon <psiinon at gmail.com> wrote:
>>>>>
>>>>>> At the moment I believe it is only ZAP that is paying any money out.
>>>>>> The change to pay out money has only just been made today so we have
>>>>>> not paid anything out yet.
>>>>>> We will pay $1000 for (just) RCE vulnerabilities in ZAP. There are
>>>>>> various exclusions as detailed on https://bugcrowd.com/owaspzap
>>>>>> The final decision will be made by the ZAP team in conjunction with
>>>>>> bugcrowd.
>>>>>> We are planning on paying for any bounties from the ZAP project
>>>>>> funds, although obviously any help from OWASP would be appreciated :)
>>>>>> If we receive so many valid submissions that we run out of project
>>>>>> funds then we will either need to raise more funds or change the program to
>>>>>> reduce / remove the bounty.
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Simon
>>>>>>
>>>>>> On Thu, Nov 10, 2016 at 4:07 PM, Bil Corry <bil.corry at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>>> What are the proposed bounty amounts?  Who decides which bugs
>>>>>>> qualify and how much is paid?  What happens when the $6k runs out?
>>>>>>>
>>>>>>> And to gauge the flow of funds, pretend you had been paying a
>>>>>>> bounty, how much would you have paid so far on the already-received bugs?
>>>>>>>
>>>>>>>
>>>>>>> - Bil
>>>>>>>
>>>>>>> On Thu, Nov 10, 2016 at 5:22 AM, johanna curiel curiel <
>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>
>>>>>>>> Dear Board,
>>>>>>>>
>>>>>>>> The bug bounty has been running since May, and I believe one of
>>>>>>>> the projects that has benefited most from this program is ZAP.
>>>>>>>>
>>>>>>>> Other projects which are less popular have not received many
>>>>>>>> submissions, but still valuable feedback.
>>>>>>>>
>>>>>>>> So far it is clear that for bug hunters to spend time on this there
>>>>>>>> must be a financial gain, not just kudos. ZAP has recently launched
>>>>>>>> monetary bounties from their own project budget (USD 1000).
>>>>>>>>
>>>>>>>> My request is to have a budget of USD 6000 for the Bounty as
>>>>>>>> support for projects that are working proactively on their security. ZAP is
>>>>>>>> surely leading by example, and with this budget we can have the existing
>>>>>>>> participating projects being challenged by this.
>>>>>>>>
>>>>>>>> The budget would be broken down as follows:
>>>>>>>>
>>>>>>>>    - ZAP ==> USD 2000
>>>>>>>>    - Java Encoder ==> USD 1000
>>>>>>>>    - Java Sanitizer ==> USD 1000
>>>>>>>>    - CSRFGuard ==> USD 1000
>>>>>>>>    - Any new project that wants to participate ==> USD 1000
>>>>>>>>
>>>>>>>> We can discuss this during the next OWASP meeting
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>> Johanna
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Owasp-board mailing list
>>>>>>>> Owasp-board at lists.owasp.org
>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Johanna Curiel
>>>> OWASP Volunteer
>>>>
>>>>
>>>
>>
>>
>> --
>> Johanna Curiel
>> OWASP Volunteer
>>
>
>


-- 
Johanna Curiel
OWASP Volunteer