[Owasp-board] Petition budget for OWASP Bug Bounty 2016-2017

Seba seba at owasp.org
Fri Nov 11 14:56:40 UTC 2016


My hope is that we channel a big chunk of unused project/chapter funds into
the upcoming summit
https://www.owasp.org/index.php?title=Owasp-DevSecCon-Summit

Seba

On Fri, Nov 11, 2016 at 3:48 PM psiinon <psiinon at gmail.com> wrote:

> I should point out that I completely agree with the push to make sure that
> chapters and projects actually use their funds.
> I'm planning on releasing a statement at the end of this year giving an
> overview of what we've spent ZAP project money on in 2016 and to give an
> idea of how we plan to allocate our funds for 2017.
>
> Cheers,
>
> Simon
>
> On Fri, Nov 11, 2016 at 2:38 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
> Nobody is saying that Simon/ZAP has to beg for funds.  What I am saying is
> that this is currently unbudgeted money and it has to come from somewhere.
> Right now, the pool of "empowered funds" (i.e. the ones these projects can
> spend on the mission without asking the Foundation) is their account
> balance.  If they can't or don't want to use those funds, that is fine, but
> two things need to happen:
>
> 1) There needs to be justification as to why they can't or don't want to
> use their funds.
>
> 2) The OWASP Foundation budget is supposed to be a net neutral every
> year.  That means that in order to fund this now, something else will not
> receive funds that were allocated.
>
> So, let's start over here.  Simon has now provided #1 (haven't heard this
> yet from the other projects) which sounds reasonable to me.  That means
> that the next question in my mind is does this have to happen now or can we
> work this into the 2017 OWASP Foundation budget?  If now, then something
> else has to get shorted and we need to figure out what that will be.  If
> 2017, well, we're working on those numbers now so send it to Andrew and we
> can try to make it happen.  That's not a promise that it will happen as I
> know he sent an email the other day saying that the numbers are tight, but
> we can try.
>
> ~josh
>
> On Fri, Nov 11, 2016 at 5:53 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
> @Simon:
> Rest assured that one of the reasons I joined the board was to change this
>
> @Josh
> We cannot expect that a top project like ZAP has to go into a $0 budget to beg
> for funds. I don't think this is respectful treatment for projects of
> this caliber and category, a project that has done so much for the OWASP
> image and spreading our mission.
>
> There are other ways we can provide support that work for the projects'
> own planning and financial support from OWASP without creating unused funds.
>
> I'll put this issue on the next OWASP board agenda
>
> Cheers
>
> Johanna
>
> On Fri, Nov 11, 2016 at 12:26 PM, psiinon <psiinon at gmail.com> wrote:
>
> Yes, we do have sufficient funds in the ZAP budget. This is why we are
> the first OWASP project to offer a bug bounty paid for from our funds.
> But these funds _are_ being used.
> We have:
>
>    - Paid a technical author to rewrite the ZAP Getting Started Guide
>    - Commissioned the same author to rewrite the ZAP alerts to make them
>    more developer friendly
>    - Set up a bounty for passive scan unit tests:
>    http://zaproxy.blogspot.co.uk/2016/08/announcing-zap-unit-test-bounties.html
>    - Reserved money for active scan unit tests
>    - Reserved over $5000 for specific changes that we are paying to be
>    developed right now
>    - Reserved $2000 for the bug bounty
>
> That means that most of our funds are allocated, and that's why I suggested
> OWASP could _contribute_ to the bug bounties in order to increase the
> amount would be able to pay out.
>
> But OWASP (as an organisation) hasn't really helped ZAP (or other projects)
> that much historically, so why should it now?
>
> In case you hadn't noticed I have stepped back my involvement in OWASP and
> have just been concentrating on ZAP. The lack of support for projects is
> one of the reasons why. I'll now go back to lurking.
>
> Yours disappointedly (but not surprised),
>
> Simon
>
> On Thu, Nov 10, 2016 at 8:43 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
> ZAP currently has $8,373.11 in funds.  Why would the Foundation put up the
> money when ZAP has more than enough currently to cover its bounties?
>
> Java Encoder and Java Sanitizer each have $500.  Can we start with that
> and see if we need more funds after that?  Keep in mind that the $500 was a
> grant from the Foundation to empower these projects to do things exactly
> like this.  Why would they not be spending it?
>
> I don't see CSRFGuard in the donation scoreboard which likely means that
> they don't have any funds.  That also likely means that they don't have at
> least two active leaders or else they would have received the $500 stipend.
>
> ~josh
>
> On Thu, Nov 10, 2016 at 2:31 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
> Hi Bil
>
> >>What are the proposed bounty amounts?
> >>Who decides which bugs qualify and how much is paid?  What happens when
> the $6k runs out?
>
> That mostly depends on the type of bug. For example, the ZAP team can decide
> how much they will pay for a certain bug. Each bug can be classified from
> Low to High, High being the most you can pay, but the amount can be
> defined by ourselves.
>
> Example
>
> Low ==> USD 50
> Medium ==> USD 100
> High ==> USD 500
>
> First come, first served. The first one to report gets the prize. Old bugs
> do not count.
>
> If we run out of budget this year we can:
> make a new request, or
> go back to Kudos ;-P .
>
> It can also happen that no-one finds anything and the money will be
> reserved until it is.
>
> >>And to gauge the flow of funds, pretend you had been paying a bounty,
> how much would you have paid so far on the already-received bugs?
>
> Nothing, since the program at that moment was running on Kudos. The bug
> hunters receive points that help their ranking; that was the initial
> motivation, but many do not do it just for that purpose but for financial gain.
> Cheers
>
> Johanna
>
> On Thu, Nov 10, 2016 at 5:35 PM, psiinon <psiinon at gmail.com> wrote:
>
> Oh, and I don't think that any of the previously reported bugs would
> qualify for the bounty.
>
> Simon
>
> On Thu, Nov 10, 2016 at 4:31 PM, psiinon <psiinon at gmail.com> wrote:
>
> At the moment I believe it is only ZAP that is paying any money out.
> The change to pay out money has only just been made today so we have not
> paid anything out yet.
> We will pay $1000 for (just) RCE vulnerabilities in ZAP. There are various
> exclusions as detailed on https://bugcrowd.com/owaspzap
> The final decision will be made by the ZAP team in conjunction with
> bugcrowd.
> We are planning on paying for any bounties from the ZAP project funds,
> although obviously any help from OWASP would be appreciated :)
> If we receive so many valid submissions that we run out of project funds
> then we will either need to raise more funds or change the program to
> reduce / remove the bounty.
>
> Cheers,
>
> Simon
>
> On Thu, Nov 10, 2016 at 4:07 PM, Bil Corry <bil.corry at owasp.org> wrote:
>
> What are the proposed bounty amounts?  Who decides which bugs qualify and
> how much is paid?  What happens when the $6k runs out?
>
> And to gauge the flow of funds, pretend you had been paying a bounty, how
> much would you have paid so far on the already-received bugs?
>
>
> - Bil
>
> On Thu, Nov 10, 2016 at 5:22 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
> Dear Board,
>
> So far the bug bounty has been running since May, and I believe one of the
> projects that has benefited most from this program is ZAP.
>
> Other projects which are less popular have not received many submissions,
> but still valuable feedback.
>
> So far it is clear that for bug hunters to spend time on this there must
> be a financial gain, not just kudos. ZAP has recently launched monetary
> bounties from their own project budget (USD 1000).
>
> My request is to have a budget of USD 6000 for the Bounty as support for
> projects that are working proactively on their security. ZAP is surely
> leading by example and with this budget, we can have the existing
> participating projects being challenged by this.
>
> For the budget, it will be broken down as follows:
>
>    - ZAP ==> USD 2000
>    - Java Encoder ==> USD 1000
>    - Java Sanitizer ==> USD 1000
>    - CSRFGuard ==> USD 1000
>    - Any new project that wants to participate ==> USD 1000
>
> We can discuss this during the next OWASP meeting
>
> Regards
>
> Johanna
>
>
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
>
>
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
> --
> Johanna Curiel
> OWASP Volunteer