[Owasp-leaders] Bug Bounty page

Tiffany Long tiffany.long at owasp.org
Tue Jun 21 12:45:52 UTC 2016


Johanna,

I read this as saying that we have not decided on our next launch:
"At the moment we have a bounty for projects, starting with ZAP and next
week we will make a bigger launch for projects like:
OWASP CSRFGuard
Java Sanitizer
Anti Samy
App sensor
ESAPI java
ModSecurity CRS rule"

If we are going with all of these for sure next week, we should remove
"projects like."  If we have yet to choose, we should clarify that either by
ending the sentence after "bigger launch" or by expanding it to say that these
projects are in the running for the next expansion. That should help with
clarity and save time addressing questions.

-Tiffany

On Tue, Jun 21, 2016 at 4:06 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> I would rewrite the text in here a little, to clarify this.
>
> At the moment we have a bounty for projects, starting with ZAP and next
> week we will make a bigger launch for projects like:
> OWASP CSRFGuard
> Java Sanitizer
> Anti Samy
> App sensor
> ESAPI java
> ModSecurity CRS rule
>
>
> For this Bounty there is a page and a website hosting the apps protected
> by some of these libraries
> https://www.owasp.org/index.php/Bug_Bounty_Projects
>
> which is hosted here:
> http://bounty-crsfguard.info
> http://bounty-crsfguard.info:8080
>
> I have requested Claudia to create a repo under OWASP Github to host the
> apps such as this:
> https://github.com/owaspjocur/Apache-Shiro-CSRFGuard
>
> In order to make things much easier for us, we will provide the example
> web apps with the protected libraries (like the Apache-Shiro example app
> protected with CSRFGuard) for the researchers to test with a clear setup,
> for example OWASP WebGoat protected by AppSensor. We have our own
> environment for validation.
>
>
> We have to take that page out because there are Bug Hunters that have
> submitted issues under ZAP that are for the Wiki and not ZAP.
>
> We have to make clear that OWASP is not running any bug bounty on the
> infrastructure at this moment.
>
> On Tue, Jun 21, 2016 at 2:35 AM, Andrew van der Stock <vanderaj at owasp.org>
> wrote:
>
>> Even as draft, can you please make it clear it only applies to OWASP Zap
>> at this stage, and not our infrastructure, which remains off limits.
>>
>> Folks only get rewarded for Zap bugs as per the Bug Bounty rules for bugs
>> they find on their own systems. Not GitHub's, not ours.
>>
>> https://bugcrowd.com/owaspzap
>>
>> So get kudos for finding Zap bugs. Go nuts!
>>
>> thanks,
>> Andrew
>>
>> On Tue, Jun 21, 2016 at 12:51 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Wiki editors
>>>
>>> I have set this page as draft cuz it is confusing peeps about OWASP running
>>> a bug bounty
>>>
>>> cheers
>>>
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>