[Owasp-leaders] Bug Bounty for Projects

Claudia Casanovas claudia.aviles-casanovas at owasp.org
Mon Apr 18 22:55:36 UTC 2016


Perfect. I will work on this and email you the link.

Claudia



On Mon, Apr 18, 2016 at 2:55 PM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Thank you Claudia
>
> @Project leaders:
>
> We are awaiting the final signing of the contract between BugCrowd and OWASP in order
> to provide more info on this part.
>
> @Claudia: In the meantime we can set up an FAQ wiki section explaining the
> program.
>
> After the official signing, we can go ahead and set up a webinar to inform
> interested project leaders how they can be part of the BugCrowd bounty
> program and the requirements (what kind of technical steps they need to
> take) to provide hackers/researchers what they need to actually 'hack' and
> test their project.
>
> Additionally, we can use the GoToTraining platform and record the session
> so leaders can go over the video afterwards if that could assist.
>
> The bounty is highly recommended for projects in the 'Defender' category
> such as
>
>    - CSRFGuard
>    - SeraphimDroid
>    - Mod-Security Core Rules
>    - Appsensor
>    - ESAPI
>    - Python Security Library
>    - Java Encoder
>    - Java Sanitizer
>
> The major goals of the above-mentioned projects are to protect (defend)
> applications. However, there are some projects, like ZAP, that once
> installed on a computer could make machines vulnerable to exploitation if
> issues are found.
> Projects such as
>
>    - Ende
>    - Benchmark
>    - ZAP
>    - Dependency Check
>    - Xenotix
>    - ZSC
>    - Any install/exe project
>
>
> We exclude from this program those obviously vulnerable projects such as
> WebGoat.
>
> So far I have spoken with the CSRFGuard and SeraphimDroid project leaders to
> start with these ones (SeraphimDroid after GSoC and when ready for this).
>
> CSRFGuard will be the first project I'll be assisting with the Bounty
> program.
>
> Hope to have informed you accordingly.
>
> Johanna
>
> On Mon, Apr 18, 2016 at 4:40 PM, Claudia Casanovas <
> claudia.aviles-casanovas at owasp.org> wrote:
>
>> Hi Johanna,
>>
>> Please let me know if you need any assistance.
>>
>> Thank you
>>
>> On Mon, Apr 18, 2016 at 12:22 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Hi Jim, Josh & project leaders of Defender projects,
>>>
>>> While there have been discussions regarding a budget for a Bug Bounty
>>> (http://lists.owasp.org/pipermail/owasp-board/2016-April/017100.html),
>>>
>>> I want to make clear that, during the meetings we had with Bugcrowd, we
>>> spoke about starting the program for Security Libraries or Defender
>>> projects (like SeraphimDroid) with the Kudos program.
>>>
>>> They also advised us to start this way so the low-hanging fruits are
>>> found first.
>>>
>>> In a later phase we could look at finding sponsors for paying bug
>>> bounties, but this has not been defined yet.
>>>
>>> Also to clarify, I'm not part of any bug bounty related to OWASP assets,
>>> especially because I agree 100% with Matt Tesauro, who has clarified all
>>> the issues regarding this.
>>> http://lists.owasp.org/pipermail/owasp-board/2016-April/017091.html
>>>
>>> Common sense and best practices dictate that there should be a mirror
>>> QA environment instead of allowing hackers to go against the OWASP production
>>> environment.
>>>
>>> Regards
>>>
>>>
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>
>> --
>> Claudia Aviles-Casanovas <claudia.aviles-casanovas at owasp.org>
>> Project Coordinator
>> Phone: 973-288-1697
>>
>
> --
> Johanna Curiel
> OWASP Volunteer

--
Claudia Aviles-Casanovas <claudia.aviles-casanovas at owasp.org>
Project Coordinator
Phone: 973-288-1697