[Owasp-leaders] Bug Bounty page
johanna curiel curiel
johanna.curiel at owasp.org
Tue Jun 21 12:57:41 UTC 2016
It's going to be a big launch with all these projects.
Could you help us by providing proper text on this, to communicate it properly?
On Tue, Jun 21, 2016 at 8:45 AM, Tiffany Long <tiffany.long at owasp.org> wrote:
> I read this as saying that we have not decided on our next launch:
> "At the moment we have a bounty for projects, starting with ZAP and next
> week we will make a bigger launch for projects like:
> OWASP CSRFGuard
> Java Sanitizer
> Anti Samy
> App sensor
> ESAPI java
> ModSecurity CRS rule"
> If we are going with all of these for sure next week we should remove
> "projects like." If we have yet to choose we should clarify that either by
> ending the sentence after "bigger launch" or expand it to say that these
> projects are in the running for the next expansion. That should help with
> clarity and save time addressing questions.
> On Tue, Jun 21, 2016 at 4:06 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>> I would rewrite the text in here a little, to clarify this.
>> At the moment we have a bounty for projects, starting with ZAP and next
>> week we will make a bigger launch for projects like:
>> OWASP CSRFGuard
>> Java Sanitizer
>> Anti Samy
>> App sensor
>> ESAPI java
>> ModSecurity CRS rule
>> For this Bounty there is a page and a website hosting the apps protected
>> by some of these libraries
>> which is hosted here:
>> I have requested Claudia to create a repo under OWASP Github to host the
>> apps such as this:
>> In order to make things much easier for us, we will provide the example
>> web apps with the protected libraries (like Apache-Shiro example app
>> protected with CSRFGuard) for the researchers to test with a clear setup,
>> for example OWASP Webgoat protected by Appsensor. We have our environment for
>> our own validation.
>> We have to take that page out because there are Bug Hunters that have
>> submitted issues under ZAP that are for the Wiki and not ZAP.
>> We have to make clear OWASP is not running at this moment any bug bounty
>> on the infrastructure.
>> On Tue, Jun 21, 2016 at 2:35 AM, Andrew van der Stock <vanderaj at owasp.org
>> > wrote:
>>> Even as draft, can you please make it clear it only applies to OWASP Zap
>>> at this stage, and not our infrastructure, which remains off limits.
>>> Folks only get rewarded for Zap bugs as per the Bug Bounty rules for
>>> bugs they find on their own systems. Not GitHub's, not ours.
>>> So get kudos for finding Zap bugs. Go nuts!
>>> On Tue, Jun 21, 2016 at 12:51 PM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>> Wiki editors
>>>> I have set this page as draft cuz it is confusing peeps about OWASP
>>>> running a bug bounty
>>>> Johanna Curiel
>>>> OWASP Volunteer
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>> Johanna Curiel
>> OWASP Volunteer