[Owasp-leaders] Bug Bounty page

Tiffany Long tiffany.long at owasp.org
Tue Jun 21 13:01:14 UTC 2016


I would love to, but I am unclear on what is happening. Could you get me
the schedule of what is launching when? Either through email or in Rome is
good for me.
-Tiffany

On Tue, Jun 21, 2016 at 5:57 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Tiffany,
>
> Indeed :-)
>
> It's going to be a big launch with all these projects.
>
> Could you help us by providing proper text on this, to communicate it
> properly?
>
> On Tue, Jun 21, 2016 at 8:45 AM, Tiffany Long <tiffany.long at owasp.org>
> wrote:
>
>> Johanna,
>>
>> I read this as saying that we have not decided on our next launch:
>> "At the moment we have a bounty for projects, starting with ZAP and next
>> week we will make a bigger launch for projects like:
>> OWASP CSRFGuard
>> Java Sanitizer
>> Anti Samy
>> App sensor
>> ESAPI java
>> ModSecurity CRS rule"
>>
>> If we are going with all of these for sure next week we should remove
>> "projects like."  If we have yet to choose we should clarify that either by
>> ending the sentence after "bigger launch" or expand it to say that these
>> projects are in the running for the next expansion. That should help with
>> clarity and save time addressing questions.
>>
>> -Tiffany
>>
>> On Tue, Jun 21, 2016 at 4:06 AM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> I would rewrite the text in here a little, to clarify this.
>>>
>>> At the moment we have a bounty for projects, starting with ZAP and next
>>> week we will make a bigger launch for projects like:
>>> OWASP CSRFGuard
>>> Java Sanitizer
>>> Anti Samy
>>> App sensor
>>> ESAPI java
>>> ModSecurity CRS rule
>>>
>>>
>>> For this Bounty there is a page and a website hosting the apps protected
>>> by some of these libraries
>>> https://www.owasp.org/index.php/Bug_Bounty_Projects
>>>
>>> which is hosted here:
>>> http://bounty-crsfguard.info
>>> http://bounty-crsfguard.info:8080
>>>
>>> I have requested Claudia to create a repo under OWASP Github to host the
>>> apps such as this:
>>> https://github.com/owaspjocur/Apache-Shiro-CSRFGuard
>>>
>>> In order to make things much easier for us, we will provide the example
>>> web apps with the protected libraries (like the Apache-Shiro example app
>>> protected with CSRFGuard) for the researchers to test with a clear setup,
>>> for example OWASP WebGoat protected by AppSensor. We have our environment for
>>> our own validation.
>>>
>>>
>>> We have to take that page out because there are Bug Hunters that have
>>> submitted issues under ZAP that are for the Wiki and not ZAP.
>>>
>>> We have to make clear that OWASP is not running any bug bounty on the
>>> infrastructure at this moment.
>>>
>>> On Tue, Jun 21, 2016 at 2:35 AM, Andrew van der Stock <
>>> vanderaj at owasp.org> wrote:
>>>
>>>> Even as draft, can you please make it clear it only applies to OWASP
>>>> Zap at this stage, and not our infrastructure, which remains off limits.
>>>>
>>>> Folks only get rewarded for Zap bugs as per the Bug Bounty rules for
>>>> bugs they find on their own systems. Not GitHub's, not ours.
>>>>
>>>> https://bugcrowd.com/owaspzap
>>>>
>>>> So get kudos for finding Zap bugs. Go nuts!
>>>>
>>>> thanks,
>>>> Andrew
>>>>
>>>> On Tue, Jun 21, 2016 at 12:51 PM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>> Wiki editors
>>>>>
>>>>> I have set this page as draft cuz it is confusing peeps about OWASP
>>>>> running a bug bounty
>>>>>
>>>>> cheers
>>>>>
>>>>> --
>>>>> Johanna Curiel
>>>>> OWASP Volunteer
>>>>>
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
>>>
>>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>