[Owasp-leaders] Bug Bounty for Projects

johanna curiel curiel johanna.curiel at owasp.org
Mon Apr 18 21:55:55 UTC 2016

Thank you Claudia

@Project leaders:

We are awaiting the final signing of the contract between BugCrowd and OWASP in
order to provide more info on this part.

@Claudia: In the meantime we can set up an FAQ wiki section explaining the
program.

After the official signing, we can go ahead and set up a webinar to inform
interested project leaders how they can be part of the BugCrowd bounty
program and the requirements (what kind of technical steps they need to
take) to provide hackers/researchers what they need to actually 'hack' and
test their project.

Additionally, we can use the GoToTraining platform and record the session
so leaders can go over the video afterwards if it could assist.

The bounty is highly recommended for projects in the 'Defender' category
such as

   - CSRFGuard
   - SeraphimDroid
   - Mod-Security Core Rules
   - Appsensor
   - ESAPI
   - Python Security Library
   - Java Encoder
   - Java Sanitizer

The major goal of the above-mentioned projects is to protect (defend)
applications. However, there are some projects like ZAP that, once
installed on a computer, could make machines vulnerable to exploitation if
there are issues found.
Projects such as

   - Ende
   - Benchmark
   - ZAP
   - Dependency Check
   - Xenotix
   - ZSC
   - Any install/exe project

We exclude from this program those obviously vulnerable projects such as

So far I have spoken with the CSRFGuard and SeraphimDroid project leaders to
start with these ones (SeraphimDroid after GSoC and when ready for this).

CSRFGuard will be the first project I'll be assisting with the Bounty.

Hope to have informed you accordingly.


On Mon, Apr 18, 2016 at 4:40 PM, Claudia Casanovas <claudia.aviles-casanovas at owasp.org> wrote:

> Hi Johanna,
> Please let me know if you need any assistance.
> Thank you
> On Mon, Apr 18, 2016 at 12:22 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>> Hi Jim, Josh & project leaders of Defender projects
>> While there have been discussions regarding a budget for a Bug Bounty
>> http://lists.owasp.org/pipermail/owasp-board/2016-April/017100.html
>> I want to make clear that, during the meetings we had with Bugcrowd, we
>> spoke about starting the program for Security Libraries or Defender
>> projects (like SeraphimDroid) with the Kudos program.
>> They also advised us to start this way so the low-hanging fruits are
>> found first.
>> In a later phase we could determine finding sponsors for paying bug
>> bounties after this phase, but this has not been defined yet.
>> Also to clarify, I'm not part of any bug bounty related to OWASP assets,
>> especially because I agree 100% with Matt Tesauro, who has clarified all
>> the issues regarding this.
>> http://lists.owasp.org/pipermail/owasp-board/2016-April/017091.html
>> Common sense and best practices dictate that there should be a mirror QA
>> environment instead of allowing hackers to go against the OWASP production
>> environment.
>> Regards
>> --
>> Johanna Curiel
>> OWASP Volunteer
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> --
> Claudia Aviles-Casanovas <claudia.aviles-casanovas at owasp.org>
> Project Coordinator
> Phone:973-288-1697

Johanna Curiel
OWASP Volunteer