[Owasp-board] Petition budget for OWASP Bug Bounty 2016-2017

Josh Sokol josh.sokol at owasp.org
Fri Nov 11 03:42:19 UTC 2016


That is correct.  Chapters and Projects should be spending their funds, not
saving them.  The OWASP Foundation will continue to support initiatives
beyond that point, but money should always come from the individual Chapter
or Project's account first.

~josh

On Thu, Nov 10, 2016 at 6:56 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> >> If those get used up, then absolutely this is something that the
> Foundation could consider chipping in for.
>
> Ideally, if I understand what you are saying, Projects should
> spend their budget down to 0 in order to get any financial support from the
> OWASP budget?
>
> On Thu, Nov 10, 2016 at 10:28 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> Johanna,
>>
>> I get what you're saying, but it doesn't change the fact that the funds
>> are there and aren't being used.  Andrew just went on a huge rant about all
>> of the money sitting around reserved in funding buckets in another thread.
>> I agree that this is a great initiative, and would support it for CSRFGuard
>> since they don't have any funds.  For the other three, I would like to see
>> them using their funds.  If those get used up, then absolutely this is
>> something that the Foundation could consider chipping in for.
>>
>> ~josh
>>
>> On Thu, Nov 10, 2016 at 2:57 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Hi Josh
>>>
>>> While I agree ZAP has funds, I think we need to support the best
>>> projects we have. We should provide a support framework to our Flagship
>>> projects, which is definitely part of the support we should provide as an
>>> organization to outstanding projects and project leaders.
>>>
>>> The funds ZAP has at the moment have been donations they have received;
>>> they have not cost anything to the foundation. I believe the more we invest
>>> in the best projects we have, the more it helps OWASP as an organization to
>>> profile as leading in security and continue the amazing work project leaders
>>> like Simon have reached. ZAP is one of these projects that rarely or never
>>> has made requests from community funds, so why not help to improve and
>>> support their quality with this?
>>>
>>> Indeed, CSRFGuard has no budget and so far has had no submissions,
>>> sadly enough. Other projects like Sanitizer and Encoder have had some, and
>>> the idea is to see if with some monetary incentives we can receive more
>>> submissions so the security of the projects can improve too.
>>>
>>> Also every project that falls within the criteria can be part of the
>>> Bounty and help improve the quality and security of their project. I
>>> believe we should support this. Our flagship projects definitely deserve
>>> more support and care.
>>>
>>> I'm planning to set this as a goal. Project leaders need more support than
>>> they are actually receiving, especially our top projects.
>>>
>>> Cheers
>>>
>>> Johanna
>>>
>>> On Thu, Nov 10, 2016 at 9:43 PM, Josh Sokol <josh.sokol at owasp.org>
>>> wrote:
>>>
>>>> ZAP currently has $8,373.11 in funds.  Why would the Foundation put up
>>>> the money when ZAP has more than enough currently to cover its bounties?
>>>>
>>>> Java Encoder and Java Sanitizer each have $500.  Can we start with that
>>>> and see if we need more funds after that?  Keep in mind that the $500 was a
>>>> grant from the Foundation to empower these projects to do things exactly
>>>> like this.  Why would they not be spending it?
>>>>
>>>> I don't see CSRFGuard in the donation scoreboard which likely means
>>>> that they don't have any funds.  That also likely means that they don't
>>>> have at least two active leaders or else they would have received the $500
>>>> stipend.
>>>>
>>>> ~josh
>>>>
>>>> On Thu, Nov 10, 2016 at 2:31 PM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>> Hi Bil
>>>>>
>>>>> >>What are the proposed bounty amounts?
>>>>> >>Who decides which bugs qualify and how much is paid?  What happens
>>>>> when the $6k runs out?
>>>>>
>>>>> That mostly depends on the type of bug. For example, the ZAP team can
>>>>> decide how much they will pay for a certain bug. Each bug can be classified
>>>>> from Low to High, High being the highest you can pay, but the amount can be
>>>>> defined by ourselves.
>>>>>
>>>>> Example:
>>>>>
>>>>> Low ==> USD 50
>>>>> Medium ==> USD 100
>>>>> High ==> USD 500
>>>>>
>>>>> First come, first served. The first one to report gets the prize. Old
>>>>> bugs do not count.
>>>>>
>>>>> If we run out of budget this year we can:
>>>>> make a new request, or
>>>>> we go back to Kudos ;-P
>>>>>
>>>>> It can also happen that no-one finds anything and the money will be
>>>>> reserved until it is.
>>>>>
>>>>> >>And to gauge the flow of funds, pretend you had been paying a
>>>>> bounty, how much would you have paid so far on the already-received bugs?
>>>>>
>>>>> Nothing, since the program at that moment was running on Kudos. The
>>>>> bug hunters receive points that help their ranking; that was the initial
>>>>> motivation, but many do not just do it for this purpose but financially.
>>>>>
>>>>> Cheers
>>>>>
>>>>> Johanna
>>>>>
>>>>> On Thu, Nov 10, 2016 at 5:35 PM, psiinon <psiinon at gmail.com> wrote:
>>>>>
>>>>>> Oh, and I don't think that any of the previously reported bugs would
>>>>>> qualify for the bounty.
>>>>>>
>>>>>> Simon
>>>>>>
>>>>>> On Thu, Nov 10, 2016 at 4:31 PM, psiinon <psiinon at gmail.com> wrote:
>>>>>>
>>>>>>> At the moment I believe it is only ZAP that is paying any money out.
>>>>>>> The change to pay out money has only just been made today so we have
>>>>>>> not paid anything out yet.
>>>>>>> We will pay $1000 for (just) RCE vulnerabilities in ZAP. There are
>>>>>>> various exclusions as detailed on https://bugcrowd.com/owaspzap
>>>>>>> The final decision will be made by the ZAP team in conjunction with
>>>>>>> bugcrowd.
>>>>>>> We are planning on paying for any bounties from the ZAP project
>>>>>>> funds, although obviously any help from OWASP would be appreciated :)
>>>>>>> If we receive so many valid submissions that we run out of project
>>>>>>> funds then we will either need to raise more funds or change the program to
>>>>>>> reduce / remove the bounty.
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Simon
>>>>>>>
>>>>>>> On Thu, Nov 10, 2016 at 4:07 PM, Bil Corry <bil.corry at owasp.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> What are the proposed bounty amounts?  Who decides which bugs
>>>>>>>> qualify and how much is paid?  What happens when the $6k runs out?
>>>>>>>>
>>>>>>>> And to gauge the flow of funds, pretend you had been paying a
>>>>>>>> bounty, how much would you have paid so far on the already-received bugs?
>>>>>>>>
>>>>>>>>
>>>>>>>> - Bil
>>>>>>>>
>>>>>>>> On Thu, Nov 10, 2016 at 5:22 AM, johanna curiel curiel <
>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>
>>>>>>>>> Dear Board,
>>>>>>>>>
>>>>>>>>> So far the bug bounty has been running since May, and I believe one of
>>>>>>>>> the projects that has benefited most from this program is ZAP.
>>>>>>>>>
>>>>>>>>> Other projects which are less popular have not received many
>>>>>>>>> submissions, but still valuable feedback.
>>>>>>>>>
>>>>>>>>> So far it is clear that for bug hunters to spend time on this
>>>>>>>>> there must be a financial gain, not just kudos. ZAP has recently launched
>>>>>>>>> monetary bounties from their own project budget (USD 1000).
>>>>>>>>>
>>>>>>>>> My request is to have a budget of USD 6000 for the Bounty as
>>>>>>>>> support for projects that are working proactively on their security. ZAP is
>>>>>>>>> surely leading by example and with this budget, we can have the existing
>>>>>>>>> participating projects being challenged by this.
>>>>>>>>>
>>>>>>>>> For the budget, it will be broken down as follows:
>>>>>>>>>
>>>>>>>>>    - ZAP ==> USD 2000
>>>>>>>>>    - Java Encoder ==> USD 1000
>>>>>>>>>    - Java Sanitizer ==> USD 1000
>>>>>>>>>    - CSRFGuard ==> USD 1000
>>>>>>>>>    - Any new project that wants to participate ==> USD 1000
>>>>>>>>>
>>>>>>>>> We can discuss this during the next OWASP meeting.
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>>
>>>>>>>>> Johanna
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Owasp-board mailing list
>>>>>>>>> Owasp-board at lists.owasp.org
>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Johanna Curiel
>>>>> OWASP Volunteer
>>>>>
>>>>
>>>
>>>
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
>>>
>>
>>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>