[Owasp-leaders] OWASP Bug Bounty Program

Josh Sokol josh.sokol at owasp.org
Mon Jan 25 19:53:25 UTC 2016


Timo,

I agree with you for the most part.  In order to be successful, I think
that we would need to be very careful about how we scope it and who is allowed
to participate.  A Bug Bounty program would be a big undertaking, even with
a third-party handling much of the logistics.  Participation should be
limited to our more mature projects and there would need to be expectations
of a response time and an expected time to remediate.  That said, I keep
going back to the e-mail Simon sent a while back wondering if it wasn't
time for ZAP to fly the OWASP nest.  The issue is in the perceived lack of
value in being on the OWASP platform.  He's already gotten as far as he can
with what we can provide him.  Adding a Bug Bounty platform into the mix
should be a tremendous value-add to a mature project like ZAP.  And as I
think about OWASP and its community-centric approach to security, a Bug
Bounty program actually makes a lot of sense.  I guess that you could say
that I am cautiously optimistic about this initiative and would like to at
least experiment with it to see what happens.

~josh

On Mon, Jan 25, 2016 at 1:14 PM, Timo Goosen <timo.goosen at owasp.org> wrote:

> My 2 cents, don't run a bug bounty program if you don't have the capacity
> to respond to the vulnerabilities reported in a timely fashion.
>
> Also adding all owasp projects to the scope of the bug bounty program
> would be a bad idea.
> Maybe adding the more mature well recognised projects to the scope will be
> okay, but not all projects including new projects.
>
> Regards.
> Timo
>
> On Sat, Jan 23, 2016 at 1:29 AM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Frank,
>>
>> We are looking for complete proposals to manage or provide some kind of
>> service for OWASP's potential bug bounty program. Please send a proposal
>> our way if you are interested!
>>
>> Aloha,
>> Jim
>>
>>
>>
>> On 1/22/16 6:27 PM, Frank Catucci wrote:
>>
>>> Jim, I'd be interested in assisting with this effort.
>>>
>>> Regards,
>>>
>>> Frank
>>>
>>>
>>> On Jan 22, 2016, at 6:12 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>
>>>> (Forwarded from the Community list)
>>>>
>>>> OWASP Community,
>>>>
>>>> There has been a lot of discussion lately about the possibility of
>>>> starting a Bug Bounty program here at OWASP. It could cover OWASP
>>>> Foundation assets (the website, servers, etc) as well as interested OWASP
>>>> Projects. The scope, payout, and even the types of vulnerabilities that we
>>>> honor is yet to be determined. Please consider this an open call that, as
>>>> our ED, the OWASP Board, and our Projects Team contemplate what a Bug
>>>> Bounty program would mean to OWASP, we are willing to entertain any and all
>>>> offers from anyone interested in helping with such a program. Please reach
>>>> out to us over the next week or so if you are interested. Thanks!
>>>>
>>>> Sincerely,
>>>>
>>>> Josh Sokol
>>>> Vice Chair, OWASP Foundation Board of Directors
>>>>
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>
>>
>
>
>
>