[Owasp-leaders] Bug Bounty page

johanna curiel curiel johanna.curiel at owasp.org
Tue Jun 21 13:07:29 UTC 2016


I won't be in Rome, but maybe we can set up a short call and I can explain; it
will be much easier.

On Tue, Jun 21, 2016 at 9:01 AM, Tiffany Long <tiffany.long at owasp.org>
wrote:

> I would love to, but I am unclear on what is happening.  Could you get me
> the schedule of what is launching when?  Either through email or in Rome is
> good for me.
> -Tiffany
>
> On Tue, Jun 21, 2016 at 5:57 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> Tiffany,
>>
>> Indeed :-)
>>
>> It's going to be a big launch with all these projects.
>>
>> Could you help us by providing proper text on this, to communicate it
>> properly?
>>
>> On Tue, Jun 21, 2016 at 8:45 AM, Tiffany Long <tiffany.long at owasp.org>
>> wrote:
>>
>>> Johanna,
>>>
>>> I read this as saying that we have not decided on our next launch:
>>> "At the moment we have a bounty for projects, starting with ZAP and
>>> next week we will make a bigger launch for projects like:
>>> OWASP CSRFGuard
>>> Java Sanitizer
>>> Anti Samy
>>> App sensor
>>> ESAPI java
>>> ModSecurity CRS rule"
>>>
>>> If we are going with all of these for sure next week we should remove
>>> "projects like."  If we have yet to choose we should clarify that either by
>>> ending the sentence after "bigger launch" or expand it to say that these
>>> projects are in the running for the next expansion. That should help with
>>> clarity and save time addressing questions.
>>>
>>> -Tiffany
>>>
>>> On Tue, Jun 21, 2016 at 4:06 AM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>> I would rewrite the text in here a little, to clarify this.
>>>>
>>>> At the moment we have a bounty for projects, starting with ZAP and next
>>>> week we will make a bigger launch for projects like:
>>>> OWASP CSRFGuard
>>>> Java Sanitizer
>>>> Anti Samy
>>>> App sensor
>>>> ESAPI java
>>>> ModSecurity CRS rule
>>>>
>>>>
>>>> For this Bounty there is a page and a website hosting the apps
>>>> protected by some of these libraries
>>>> https://www.owasp.org/index.php/Bug_Bounty_Projects
>>>>
>>>> which is hosted here:
>>>> http://bounty-crsfguard.info
>>>> http://bounty-crsfguard.info:8080
>>>>
>>>> I have requested Claudia to create a repo under OWASP Github to host
>>>> the apps such as this:
>>>> https://github.com/owaspjocur/Apache-Shiro-CSRFGuard
>>>>
>>>> In order to make things much easier for us, we will provide the example
>>>> web apps with the protected libraries (like the Apache-Shiro example app
>>>> protected with CSRFGuard) for the researchers to test with a clear setup,
>>>> for example OWASP WebGoat protected by AppSensor. We have our environment
>>>> for our own validation.
>>>>
>>>>
>>>> We have to take that page out because there are bug hunters that have
>>>> submitted issues under ZAP that are for the Wiki and not ZAP.
>>>>
>>>> We have to make clear that OWASP is not running any bug bounty on the
>>>> infrastructure at this moment.
>>>>
>>>> On Tue, Jun 21, 2016 at 2:35 AM, Andrew van der Stock <
>>>> vanderaj at owasp.org> wrote:
>>>>
>>>>> Even as draft, can you please make it clear it only applies to OWASP
>>>>> Zap at this stage, and not our infrastructure, which remains off limits.
>>>>>
>>>>> Folks only get rewarded for Zap bugs as per the Bug Bounty rules for
>>>>> bugs they find on their own systems. Not GitHub's, not ours.
>>>>>
>>>>> https://bugcrowd.com/owaspzap
>>>>>
>>>>> So get kudos for finding Zap bugs. Go nuts!
>>>>>
>>>>> thanks,
>>>>> Andrew
>>>>>
>>>>> On Tue, Jun 21, 2016 at 12:51 PM, johanna curiel curiel <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>
>>>>>> Wiki editors
>>>>>>
>>>>>> I have set this page as draft cuz it is confusing peeps about OWASP
>>>>>> running a bug bounty
>>>>>>
>>>>>> cheers
>>>>>>
>>>>>> --
>>>>>> Johanna Curiel
>>>>>> OWASP Volunteer
>>>>>>
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Johanna Curiel
>>>> OWASP Volunteer
>>>>
>>>
>>
>>
>> --
>> Johanna Curiel
>> OWASP Volunteer
>>
>
>


-- 
Johanna Curiel
OWASP Volunteer