[Owasp-leaders] Bug Bounty page

johanna curiel curiel johanna.curiel at owasp.org
Tue Jun 21 12:57:41 UTC 2016


Tiffany,

Indeed :-)

It's going to be a big launch with all these projects.

Could you help us by providing proper text on this, to communicate it
properly?

On Tue, Jun 21, 2016 at 8:45 AM, Tiffany Long <tiffany.long at owasp.org>
wrote:

> Johanna,
>
> I read this as saying that we have not decided on our next launch:
> "At the moment we have a bounty for projects, starting with ZAP and next
> week we will make a bigger launch for projects like:
> OWASP CRSFGuard
> Java Sanitizer
> Anti Samy
> App sensor
> ESAPI java
> ModSecurity CRS rule"
>
> If we are going with all of these for sure next week we should remove
> "projects like."  If we have yet to choose we should clarify that either by
> ending the sentence after "bigger launch" or expand it to say that these
> projects are in the running for the next expansion. That should help with
> clarity and save time addressing questions.
>
> -Tiffany
>
> On Tue, Jun 21, 2016 at 4:06 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> I would re-write the text in here a little, to clarify this.
>>
>> At the moment we have a bounty for projects, starting with ZAP and next
>> week we will make a bigger launch for projects like:
>> OWASP CRSFGuard
>> Java Sanitizer
>> Anti Samy
>> App sensor
>> ESAPI java
>> ModSecurity CRS rule
>>
>>
>> For this Bounty there is a page and a website hosting the apps protected
>> by some of these libraries
>> https://www.owasp.org/index.php/Bug_Bounty_Projects
>>
>> which is hosted here:
>> http://bounty-crsfguard.info
>> http://bounty-crsfguard.info:8080
>>
>> I have requested Claudia to create a repo under OWASP Github to host the
>> apps such as this:
>> https://github.com/owaspjocur/Apache-Shiro-CSRFGuard
>>
>> In order to make things much easier for us, we will provide the example
>> web apps with the protected libraries (like the Apache-Shiro example app
>> protected with CRSFGuard) for the researchers to test with a clear setup,
>> for example OWASP WebGoat protected by AppSensor. We have our own
>> environment for validation.
>>
>>
>> We have to take that page out because there are Bug Hunters that have
>> submitted issues under ZAP that are for the Wiki and not ZAP.
>>
>> We have to make clear OWASP is not running at this moment any bug bounty
>> on the infrastructure.
>>
>> On Tue, Jun 21, 2016 at 2:35 AM, Andrew van der Stock <vanderaj at owasp.org
>> > wrote:
>>
>>> Even as draft, can you please make it clear it only applies to OWASP Zap
>>> at this stage, and not our infrastructure, which remains off limits.
>>>
>>> Folks only get rewarded for Zap bugs as per the Bug Bounty rules for
>>> bugs they find on their own systems. Not GitHub's, not ours.
>>>
>>> https://bugcrowd.com/owaspzap
>>>
>>> So get kudos for finding Zap bugs. Go nuts!
>>>
>>> thanks,
>>> Andrew
>>>
>>> On Tue, Jun 21, 2016 at 12:51 PM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>> Wiki editors
>>>>
>>>> I have set this page as draft cuz it is confusing peeps about OWASP
>>>> running a bug bounty
>>>>
>>>> cheers
>>>>
>>>> --
>>>> Johanna Curiel
>>>> OWASP Volunteer
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>>
>>>
>>
>>
>> --
>> Johanna Curiel
>> OWASP Volunteer
>>
>>
>>
>


-- 
Johanna Curiel
OWASP Volunteer