[Owasp-board] Petition budget for OWASP Bug Bounty 2016-2017

johanna curiel curiel johanna.curiel at owasp.org
Sat Nov 12 08:48:14 UTC 2016


BTW we are asking a total of USD6000 for the bounty. I like to take things
step by step and evaluate instead of thinking scenarios that might not be
the case


On Sat, Nov 12, 2016 at 9:46 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Hi Bil
>
> Just to clarify, we can change the nature of the bounty at any time, from
> pay to kudos or vice versa. If we noticed that this was the case, then we
> can stop, change the nature and reevaluate, so the scenario you are
> sketching will probably not be our case
>
> Based on what we have seen so far since May, many submissions result not
> valid under the determined scope. I don't expect that suddenly, if we pay
> for a bounty USD100 that we will have 20x more valid submissions. Even if
> that's the case, we can indeed hold it until we revise them and be able to
> pay with the budget
>
> If it results in many successful submissions, then we can re-evaluate the
> program and request for more budget, not only for finding but also for
> fixing
>
> Also the amount we will pay per bounty will be lower than let's say,
> Google. Keep in mind we want to compensate but in no way we are a
> commercial venture paying more than a certain amount for  bounty
>
> Hope this clarifies our plans
>
> Cheers
>
> Johanna
>
> On Sat, Nov 12, 2016 at 12:31 AM, Bil Corry <bil.corry at owasp.org> wrote:
>
>> > taking over 20 emails for such a small amount of money for such a high
>> performing project is just silly.
>>
>> Just a clarification as to why I was asking questions - once the bug
>> bounty program offers a financial reward, it's now obligated to pay for
>> valid findings.  And while the ask to OWASP BoD might be small ($2k),
>> if the bug bounty program suddenly gets 20 RCEs, it will greatly exceed the
>> project's budget and now who is going to pay the $20k?  It seemed prudent
>> to make sure this was covered.
>>
>> I didn't ask about collusion because it's just a handful of projects, but
>> that also will be a concern once the financial bounties are expanded to
>> encompass more projects.  We'll need a way to detect and deter bad
>> behaviour.
>>
>>
>> - Bil
>>
>>
>> On Fri, Nov 11, 2016 at 2:51 PM, Matt Tesauro <matt.tesauro at owasp.org>
>> wrote:
>>
>>> Josh we've known each other for about a decade so you know I'm not
>>> trying to be divisive, I'm simply stating facts right out of the Donation
>>> Scoreboard.  You've been a strong advocate for Chapters and that's great.
>>> I'm outing myself as the person who is going to advocate for projects going
>>> forward.
>>>
>>> And whatever the scoreboard says, taking over 20 emails for such a small
>>> amount of money for such a high performing project is just silly.
>>>
>>> The thing that inspired my <rant> was how hard it was for an awesome
>>> project that has always done the right thing to do more of the right thing.
>>>
>>>
>>> Take the sentence above and search & replace "project" with "chapter"
>>> (:1,$s/project/chapter/g) and the statement still holds true.
>>>
>>> <aside>
>>> Removing chapters that ran AppSec's from the scorecard isn't the issue -
>>> in fact it's a symptom of the different treatment of project and chapters.
>>>
>>> Ways to raise money if you're a chapter:
>>> - Put a PayPal button on your Chapter page and hope someone clicks on
>>> it. Maybe get $?
>>> - Ask the people you see on a regular basis to become OWASP members, get
>>> a bit of $
>>> - Ask companies where people work that you see on a regular basis to
>>> become corporate sponsors and tag your chapter, get $$
>>> - Run a local event, training, whatever, get $$$
>>> - Run a regional event that is successful, get $$$$ [*]
>>> - Run an AppSec Conference, get $$$$$$
>>>
>>> Yes, those increasing $'s represent increasing work that the chapter
>>> must do but it's AVAILABLE to chapters at OWASP.
>>>
>>> [*] BTW, if your event flops, the Foundation has your back since it
>>> provides seed money in many cases, plus provides event insurance, staff
>>> time...
>>>
>>> Ways to raise money if you're a project leader:
>>> - Sell t-shirts or stickers. Maybe get $ or use it as marketing for your
>>> project and break even
>>> - Put a PayPal button on your project page and hope someone clicks on
>>> it. Maybe get $?
>>> - Ask people you probably never see face to face to become an OWASP
>>> member, get a bit of $
>>> - Ask people who use your project (and maybe don't interact with OWASP
>>> other than your project) to become an OWASP member, get a bit of $
>>> - Ask a company to select your project when they become an OWASP Corp
>>> member, get $$
>>>
>>> When are we going to have a project run conference with the profit
>>> splits that chapters have available to them?
>>>
>>> For that matter, what happened to the OWASP Project tracks in our
>>> conferences?  I went to AppSec US a few weeks ago and my talk covered 4
>>> OWASP projects - OWASP WTE, AppSec Pipeline, Zap and Defect Dojo but sure
>>> seemed like the exception.  I've not run through the schedule but I can only
>>> recall one lightning talk mentioning OWASP projects.  That's sad.
>>>
>>> My point is that there's lots of strong opportunities for Chapters to
>>> raise funds for themselves - I don't want to see that changed.
>>>
>>> What I want to see changed is the ability to raise funds and the level
>>> of support provided to Projects from the Foundation.  I'd like to see that
>>> 10x difference get down to 5x.
>>>
>>> Look for 2017 Budget requests geared towards large increases in support
>>> systems for our projects.  I've been running a project since 2008 and it's
>>> lonely and hard work.  It's more than time for someone to focus a little
>>> more OWASP Foundation love towards projects.
>>> </aside>
>>>
>>> Cheers!
>>>
>>>
>>> --
>>> -- Matt Tesauro
>>> OWASP AppSec Pipeline Lead
>>> https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
>>> OWASP WTE Project Lead
>>> https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
>>> http://AppSecLive.org - Community and Download site
>>>
>>>
>>> On Fri, Nov 11, 2016 at 12:27 PM, Josh Sokol <josh.sokol at owasp.org>
>>> wrote:
>>>
>>>> Matt,
>>>>
>>>> I've got nothing but love for you, but turning this into a Chapters vs
>>>> Projects debate does none of us any good.  When you take the Chapters who
>>>> are running AppSec conferences out of the equation, the Chapters and
>>>> Projects are basically on equal footing when it comes to budgets.
>>>>
>>>> $276,780 spread across 291 chapters who did not host an AppSec =
>>>> $951.13 avg/chapter
>>>> $75,736 spread across 61 projects who did not host an AppSec =
>>>> $1,241.57 avg/project
>>>>
>>>> And, last year, I pushed, and got approved, a measure to ensure that
>>>> everyone who did the bare minimum of having at least 2 leaders, got $500
>>>> from the Foundation in their account.  I'm pushing to do that again this
>>>> year for this very reason.  I want our Chapters and Projects to feel like
>>>> they both have money and are empowered to spend it.
>>>>
>>>> There is no point in being divisive when in the end we both said the
>>>> exact same thing.  This needs to be budgeted for 2017.
>>>>
>>>> ~josh
>>>>
>>>>
>>>> On Fri, Nov 11, 2016 at 11:26 AM, Matt Tesauro <matt.tesauro at owasp.org>
>>>> wrote:
>>>>
>>>>> I've written this email in my head about 5 times - at this point, I
>>>>> might as well spill some digital ink and get these thoughts out of my head.
>>>>>
>>>>> <rant>
>>>>>
>>>>> 21, yeah that's right, 21 emails to request funds that represent a
>>>>> tiny fraction of the funds that OWASP has to budget for next year.
>>>>>
>>>>> In 2016, OWASP budgeted $136K for project outreach. If we do the same
>>>>> for 2017, and restrict this request to just that pool of funds, this
>>>>> represents a mere 1.4705882% of that budget.
>>>>>
>>>>> 21 emails for 1.4% of a single budget category - 0.09% of the 2016 Net
>>>>> Income for the Foundation [*
>>>>> <https://docs.google.com/spreadsheets/d/1tCD2IDtDneI0ZzDeSBehXpaSzTantftUrp_b5YUWsVE/edit#gid=1248581809>
>>>>> ]
>>>>>
>>>>> And this isn't some relatively unknown project, it's by far one of our
>>>>> most popular and best known projects (hard to say for sure but it's easily
>>>>> in the top 3).  It's also crazy mature and doing what I wish all OWASP
>>>>> projects could do - having the lead paid to make the project better while
>>>>> bringing on many, many additional contributors, reaching out to devs, etc.
>>>>>
>>>>> If one of our rock star projects has to deal with a 21 email thread to
>>>>> get $2,000 allocated in the 2017 budget something is very broken.
>>>>>
>>>>> I'm not going to list this as a plus when I try to recruit new
>>>>> projects to OWASP.
>>>>>
>>>>> @ the donation score board (worst name ever) and unspent funds, I'd
>>>>> like to provide a different perspective
>>>>>
>>>>> Total unspent chapter funds: 758,789.51
>>>>> Total unspent project funds:  75,735.54
>>>>>
>>>>> So let's be realistic when we talk about unspent funds - there's *over 10
>>>>> times*, let me say that again
>>>>>   10 times  10 times  10 times  10 times  10 times  10 times  10 times
>>>>>  10 times  10 times  10 times
>>>>> the amount of unspent chapter funds vs project funds.
>>>>>
>>>>> If I were bleeding 10 times more from one wound over the other, guess
>>>>> where I'd apply pressure.
>>>>>
>>>>> Let's look at the top 5 largest unspent budgets:
>>>>>                               |   #1    |   #2   |   #3   |   #4   |   #5   | Total of 1 to 5 |
>>>>> ------------------------------------------------------------------------------------------------
>>>>> Chapter                       | 123,421 | 54,515 | 49,726 | 32,146 | 32,146 |         291,954 |
>>>>> Projects                      |  18,972 |  8,373 |  4,939 |  4,116 |  4,000 |          40,400 |
>>>>> Percent of Project vs Chapter |     15% |    15% |    10% |    13% |    12% |             14% |
>>>>>
>>>>> More fun facts:
>>>>> Chapter with 3 or more digits of unspent funds ($1,000+): 74
>>>>> Projects with 3 or more digits of unspent funds ($1,000+): 13
>>>>>
>>>>> So, in a time where part of my job as a full-time OWASP staff is to
>>>>> prepare and budget for 2017 to try to make projects better, I think it's time
>>>>> I become a strong and vocal advocate for Projects at OWASP.
>>>>>
>>>>> I think Chapters are great - I'm involved in 2 of them in Texas - but
>>>>> Chapters don't seem to need a vocal advocate.  Plus, if you think Projects
>>>>> are of equal importance to Chapters at OWASP, we have to seriously
>>>>> reallocate funds in 2017 to get them on equal footing.
>>>>>
>>>>> So, for the Project leaders at OWASP, I'm with you and want to make
>>>>> Projects a great home for your awesome work.  Please let me know what isn't
>>>>> working for you and I'll do everything I can to get your interests
>>>>> represented in the 2017 budget and beyond.
>>>>>
>>>>> Cheers!
>>>>>
>>>>> </rant>
>>>>>
>>>>> --
>>>>> -- Matt Tesauro
>>>>> OWASP AppSec Pipeline Lead
>>>>> https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
>>>>> OWASP WTE Project Lead
>>>>> https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
>>>>> http://AppSecLive.org - Community and Download site
>>>>>
>>>>>
>>>>> On Fri, Nov 11, 2016 at 9:18 AM, johanna curiel curiel <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>
>>>>>> >>That means that the next question in my mind is does this have to
>>>>>> happen now or can we work this into the 2017 OWASP Foundation budget?
>>>>>>
>>>>>> As the email title suggests, yes, it is a budget for 2017. ZAP will be
>>>>>> using already part of their funds for their Bounty and we want to set an
>>>>>> additional USD2,000- for 2017 for ZAP as also for other projects, which
>>>>>> have 0 budget.
>>>>>>
>>>>>> We could indeed conclude that if a project has funds but has
>>>>>> allocated them already, setting a budget for supporting Flagship projects
>>>>>> for the bounty should be part of the support OWASP provides to top
>>>>>> projects. To be discussed next meeting hopefully
>>>>>>
>>>>>> @Seba: Chapters need to come with clear plans on how they will spend
>>>>>> their funds or support relocation for other purposes. The fact is that
>>>>>> Chapters hosting appsec conferences have a great way to generate
>>>>>> substantial funds opposite to projects.
>>>>>>
>>>>>> Cheers
>>>>>>
>>>>>> On Fri, Nov 11, 2016 at 3:56 PM, Seba <seba at owasp.org> wrote:
>>>>>>
>>>>>>> my hope is that we channel a big chunk of unused project/chapter
>>>>>>> funds into the upcoming summit
>>>>>>> https://www.owasp.org/index.php?title=Owasp-DevSecCon-Summit
>>>>>>>
>>>>>>> Seba
>>>>>>>
>>>>>>> On Fri, Nov 11, 2016 at 3:48 PM psiinon <psiinon at gmail.com> wrote:
>>>>>>>
>>>>>>>> I should point out that I completely agree with the push to make
>>>>>>>> sure that chapters and projects actually use their funds.
>>>>>>>> I'm planning on releasing a statement at the end of this year
>>>>>>>> giving an overview of what we've spent ZAP project money on in 2016 and to
>>>>>>>> give an idea of how we plan to allocate our funds for 2017.
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>> Simon
>>>>>>>>
>>>>>>>> On Fri, Nov 11, 2016 at 2:38 PM, Josh Sokol <josh.sokol at owasp.org>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Nobody is saying that Simon/ZAP has to beg for funds.  What I am
>>>>>>>> saying is that this is currently unbudgeted money and it has to come from
>>>>>>>> somewhere.  Right now, the pool of "empowered funds" (ie. the ones these
>>>>>>>> projects can spend on the mission without asking the Foundation) is their
>>>>>>>> account balance.  If they can't or don't want to use those funds, that is
>>>>>>>> fine, but two things need to happen:
>>>>>>>>
>>>>>>>> 1) There needs to be justification as to why they can't or don't
>>>>>>>> want to use their funds.
>>>>>>>>
>>>>>>>> 2) The OWASP Foundation budget is supposed to be a net neutral
>>>>>>>> every year.  That means that in order to fund this now, something else will
>>>>>>>> not receive funds that were allocated.
>>>>>>>>
>>>>>>>> So, let's start over here.  Simon has now provided #1 (haven't
>>>>>>>> heard this yet from the other projects) which sounds reasonable to me.
>>>>>>>> That means that the next question in my mind is does this have to happen
>>>>>>>> now or can we work this into the 2017 OWASP Foundation budget?  If now,
>>>>>>>> then something else has to get shorted and we need to figure out what that
>>>>>>>> will be.  If 2017, well, we're working on those numbers now so send it to
>>>>>>>> Andrew and we can try to make it happen.  That's not a promise that it will
>>>>>>>> happen as I know he sent an email the other day saying that the numbers are
>>>>>>>> tight, but we can try.
>>>>>>>>
>>>>>>>> ~josh
>>>>>>>>
>>>>>>>> On Fri, Nov 11, 2016 at 5:53 AM, johanna curiel curiel <
>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>
>>>>>>>> @Simon:
>>>>>>>> Rest assured that one of the reasons I joined the board was to
>>>>>>>> change this
>>>>>>>>
>>>>>>>> @Josh
>>>>>>>> We cannot expect that a top project like ZAP has to go into $0 budget
>>>>>>>> to beg for funds. I don't think this is a respectful treatment for projects
>>>>>>>> of this caliber and category, a project that has done so much for the OWASP
>>>>>>>> image and spreading our mission.
>>>>>>>>
>>>>>>>> There are other ways we can provide support that works for the
>>>>>>>> projects' own planning and financial support from OWASP without creating
>>>>>>>> unused funds.
>>>>>>>>
>>>>>>>> I'll put this issue on the next OWASP board agenda
>>>>>>>>
>>>>>>>> Cheers
>>>>>>>>
>>>>>>>> Johanna
>>>>>>>>
>>>>>>>> On Fri, Nov 11, 2016 at 12:26 PM, psiinon <psiinon at gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> Yes, we do have sufficient funds in the ZAP budget. This is why we
>>>>>>>> are the first OWASP project to offer a bug bounty paid for from our funds.
>>>>>>>> But these funds _are_ being used.
>>>>>>>> We have:
>>>>>>>>
>>>>>>>>    - Paid a technical author to rewrite the ZAP Getting Started
>>>>>>>>    Guide
>>>>>>>>    - Commissioned the same author to rewrite the ZAP alerts to
>>>>>>>>    make them more developer friendly
>>>>>>>>    - Set up a bounty for passive scan unit tests:
>>>>>>>>    http://zaproxy.blogspot.co.uk/2016/08/announcing-zap-unit-test-bounties.html
>>>>>>>>    - Reserved money for active scan unit tests
>>>>>>>>    - Reserved over $5000 for specific changes that we are paying
>>>>>>>>    to be developed right now
>>>>>>>>    - Reserved $2000 for the bug bounty
>>>>>>>>
>>>>>>>> That means that most of our funds are allocated, and that's why I
>>>>>>>> suggested OWASP could _contribute_ to the bug bounties in order to increase
>>>>>>>> the amount we would be able to pay out.
>>>>>>>>
>>>>>>>> But OWASP (as an organisation) hasn't really helped ZAP (or other
>>>>>>>> projects) that much historically, so why should it now?
>>>>>>>>
>>>>>>>> In case you hadn't noticed I have stepped back my involvement in
>>>>>>>> OWASP and have just been concentrating on ZAP. The lack of support for
>>>>>>>> projects is one of the reasons why. I'll now go back to lurking.
>>>>>>>>
>>>>>>>> Yours disappointedly (but not surprised),
>>>>>>>>
>>>>>>>> Simon
>>>>>>>>
>>>>>>>> On Thu, Nov 10, 2016 at 8:43 PM, Josh Sokol <josh.sokol at owasp.org>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> ZAP currently has $8,373.11 in funds.  Why would the Foundation put
>>>>>>>> up the money when ZAP has more than enough currently to cover its bounties?
>>>>>>>>
>>>>>>>> Java Encoder and Java Sanitizer each have $500.  Can we start with
>>>>>>>> that and see if we need more funds after that?  Keep in mind that the $500
>>>>>>>> was a grant from the Foundation to empower these projects to do things
>>>>>>>> exactly like this.  Why would they not be spending it?
>>>>>>>>
>>>>>>>> I don't see CSRFGuard in the donation scoreboard which likely means
>>>>>>>> that they don't have any funds.  That also likely means that they don't
>>>>>>>> have at least two active leaders or else they would have received the $500
>>>>>>>> stipend.
>>>>>>>>
>>>>>>>> ~josh
>>>>>>>>
>>>>>>>> On Thu, Nov 10, 2016 at 2:31 PM, johanna curiel curiel <
>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>
>>>>>>>> Hi Bil
>>>>>>>>
>>>>>>>> >>What are the proposed bounty amounts?
>>>>>>>> >>Who decides which bugs qualify and how much is paid?  What
>>>>>>>> happens when the $6k runs out?
>>>>>>>>
>>>>>>>> That mostly depends on the type of Bug. For example ZAP team can
>>>>>>>> decide how much they will pay for a certain bug. Each bug can be classified
>>>>>>>> from low to High, being high the highest you can pay, but the amount can be
>>>>>>>> defined by ourselves
>>>>>>>>
>>>>>>>> Example
>>>>>>>>
>>>>>>>> Low ==>USD50
>>>>>>>> medium==> USD 100
>>>>>>>> High==> USD 500
>>>>>>>>
>>>>>>>> First come first served. The first one to report gets the prize. Old
>>>>>>>> bugs do not count.
>>>>>>>>
>>>>>>>> If we run out of budget this year we can:
>>>>>>>> Make a new request or
>>>>>>>> we go back to Kudos ;-P .
>>>>>>>>
>>>>>>>> It can also happen that no-one finds anything and the money will be
>>>>>>>> reserved until it is.
>>>>>>>>
>>>>>>>> >>And to gauge the flow of funds, pretend you had been paying a
>>>>>>>> bounty, how much would you have paid so far on the already-received bugs?
>>>>>>>>
>>>>>>>> Nothing, since the program at that moment was running on Kudos. The
>>>>>>>> bug hunters receive Points that help their ranking, that was the initial
>>>>>>>> motivation but many do not just do it for this purpose but financially.
>>>>>>>> Cheers
>>>>>>>>
>>>>>>>> Johanna
>>>>>>>>
>>>>>>>> On Thu, Nov 10, 2016 at 5:35 PM, psiinon <psiinon at gmail.com> wrote:
>>>>>>>>
>>>>>>>> Oh, and I don't think that any of the previously reported bugs would
>>>>>>>> qualify for the bounty.
>>>>>>>>
>>>>>>>> Simon
>>>>>>>>
>>>>>>>> On Thu, Nov 10, 2016 at 4:31 PM, psiinon <psiinon at gmail.com> wrote:
>>>>>>>>
>>>>>>>> At the moment I believe it is only ZAP that is paying any money out.
>>>>>>>> The change to pay out money has only just been made today so we
>>>>>>>> have not paid anything out yet.
>>>>>>>> We will pay $1000 for (just) RCE vulnerabilities in ZAP. There are
>>>>>>>> various exclusions as detailed on https://bugcrowd.com/owaspzap
>>>>>>>> The final decision will be made by the ZAP team in conjunction with
>>>>>>>> bugcrowd.
>>>>>>>> We are planning on paying for any bounties from the ZAP project
>>>>>>>> funds, although obviously any help from OWASP would be appreciated :)
>>>>>>>> If we receive so many valid submissions that we run out of project
>>>>>>>> funds then we will either need to raise more funds or change the program to
>>>>>>>> reduce / remove the bounty.
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>> Simon
>>>>>>>>
>>>>>>>> On Thu, Nov 10, 2016 at 4:07 PM, Bil Corry <bil.corry at owasp.org>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> What are the proposed bounty amounts?  Who decides which bugs
>>>>>>>> qualify and how much is paid?  What happens when the $6k runs out?
>>>>>>>>
>>>>>>>> And to gauge the flow of funds, pretend you had been paying a
>>>>>>>> bounty, how much would you have paid so far on the already-received bugs?
>>>>>>>>
>>>>>>>>
>>>>>>>> - Bil
>>>>>>>>
>>>>>>>> On Thu, Nov 10, 2016 at 5:22 AM, johanna curiel curiel <
>>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>>
>>>>>>>> Dear Board,
>>>>>>>>
>>>>>>>> So far the bug bounty is running since May, and I believe one of
>>>>>>>> the projects that have benefited most from this program is ZAP.
>>>>>>>>
>>>>>>>> Other projects which are less popular have not received many
>>>>>>>> submissions, still valuable feedback.
>>>>>>>>
>>>>>>>> So far it is clear that for bug hunters to spend time on this there
>>>>>>>> must be a financial gain, not just kudos. ZAP has recently launched
>>>>>>>> monetary bounties from their own project budget (USD 1000).
>>>>>>>>
>>>>>>>> My request is to have a Budget of USD 6000 for the Bounty as a
>>>>>>>> support for projects that are working proactively in their security. ZAP is
>>>>>>>> sure leading by example and with this budget, we can have the existing
>>>>>>>> participating projects being challenged by this
>>>>>>>>
>>>>>>>> For the budget, it will be broken down as follows
>>>>>>>>
>>>>>>>>    - ZAP==>USD 2000
>>>>>>>>    - Java Encoder==>USD1000
>>>>>>>>    - Java Sanitizer==> USD 1000
>>>>>>>>    - CSRFGuard==>USD 1000
>>>>>>>>    - Any new project that wants to participate==>USD 1000
>>>>>>>>
>>>>>>>> We can discuss this during the next OWASP meeting
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>> Johanna
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Owasp-board mailing list
>>>>>>>> Owasp-board at lists.owasp.org
>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>>>
>>>>>>>> --
>>>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>>>> --
>>>>>>>> Johanna Curiel
>>>>>>>> OWASP Volunteer
> --
> Johanna Curiel
> OWASP Volunteer
>



-- 
Johanna Curiel
OWASP Volunteer