[Owasp-leaders] Bug Bounty page

Tiffany Long tiffany.long at owasp.org
Wed Jun 22 06:02:23 UTC 2016


Wonderful Johanna,
I am in Rome currently and can call you at your convenience anytime this
week.  Let me know.
Tiffany

On Tue, Jun 21, 2016 at 6:07 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> I won't be in Rome, but maybe we can set up a short call and I can explain; it
> will be much easier.
>
> On Tue, Jun 21, 2016 at 9:01 AM, Tiffany Long <tiffany.long at owasp.org>
> wrote:
>
>> I would love to, but I am unclear on what is happening.  Could you get me
>> the schedule of what is launching when?  Either through email or in Rome is
>> good for me.
>> -Tiffany
>>
>> On Tue, Jun 21, 2016 at 5:57 AM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Tiffany,
>>>
>>> Indeed :-)
>>>
>>> It's going to be a big launch with all these projects.
>>>
>>> Could you help us by providing proper text on this, to communicate it
>>> properly?
>>>
>>> On Tue, Jun 21, 2016 at 8:45 AM, Tiffany Long <tiffany.long at owasp.org>
>>> wrote:
>>>
>>>> Johanna,
>>>>
>>>> I read this as saying that we have not decided on our next launch:
>>>> "At the moment we have a bounty for projects, starting with ZAP and
>>>> next week we will make a bigger launch for projects like:
>>>> OWASP CSRFGuard
>>>> Java Sanitizer
>>>> AntiSamy
>>>> AppSensor
>>>> ESAPI Java
>>>> ModSecurity CRS rule"
>>>>
>>>> If we are going with all of these for sure next week, we should remove
>>>> "projects like."  If we have yet to choose, we should clarify that either by
>>>> ending the sentence after "bigger launch" or by expanding it to say that these
>>>> projects are in the running for the next expansion. That should help with
>>>> clarity and save time addressing questions.
>>>>
>>>> -Tiffany
>>>>
>>>> On Tue, Jun 21, 2016 at 4:06 AM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>> I would rewrite the text in here a little, to clarify this.
>>>>>
>>>>> At the moment we have a bounty for projects, starting with ZAP and
>>>>> next week we will make a bigger launch for projects like:
>>>>> OWASP CSRFGuard
>>>>> Java Sanitizer
>>>>> AntiSamy
>>>>> AppSensor
>>>>> ESAPI Java
>>>>> ModSecurity CRS rule
>>>>>
>>>>>
>>>>> For this bounty there is a page and a website hosting the apps
>>>>> protected by some of these libraries:
>>>>> https://www.owasp.org/index.php/Bug_Bounty_Projects
>>>>>
>>>>> which is hosted here:
>>>>> http://bounty-crsfguard.info
>>>>> http://bounty-crsfguard.info:8080
>>>>>
>>>>> I have requested Claudia to create a repo under OWASP Github to host
>>>>> the apps such as this:
>>>>> https://github.com/owaspjocur/Apache-Shiro-CSRFGuard
>>>>>
>>>>> In order to make things much easier for us, we will provide the
>>>>> example web apps with the protected libraries (like the Apache-Shiro example
>>>>> app protected with CSRFGuard) for the researchers to test with a clear
>>>>> setup, for example OWASP WebGoat protected by AppSensor. We have our
>>>>> own environment for validation.
>>>>>
>>>>>
>>>>> We have to take that page out because there are bug hunters that have
>>>>> submitted issues under ZAP that are for the Wiki and not ZAP.
>>>>>
>>>>> We have to make clear that OWASP is not running any bug
>>>>> bounty on the infrastructure at this moment.
>>>>>
>>>>> On Tue, Jun 21, 2016 at 2:35 AM, Andrew van der Stock <
>>>>> vanderaj at owasp.org> wrote:
>>>>>
>>>>>> Even as draft, can you please make it clear it only applies to OWASP
>>>>>> Zap at this stage, and not our infrastructure, which remains off limits.
>>>>>>
>>>>>> Folks only get rewarded for Zap bugs as per the Bug Bounty rules for
>>>>>> bugs they find on their own systems. Not GitHub's, not ours.
>>>>>>
>>>>>> https://bugcrowd.com/owaspzap
>>>>>>
>>>>>> So get kudos for finding Zap bugs. Go nuts!
>>>>>>
>>>>>> thanks,
>>>>>> Andrew
>>>>>>
>>>>>> On Tue, Jun 21, 2016 at 12:51 PM, johanna curiel curiel <
>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>>> Wiki editors
>>>>>>>
>>>>>>> I have set this page as draft cuz it is confusing peeps about OWASP
>>>>>>> running a bug bounty.
>>>>>>>
>>>>>>> cheers
>>>>>>>
>>>>>>> --
>>>>>>> Johanna Curiel
>>>>>>> OWASP Volunteer
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OWASP-Leaders mailing list
>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Johanna Curiel
>>>>> OWASP Volunteer
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
>>>
>>
>>
>
>
> --
> Johanna Curiel
> OWASP Volunteer
>