
Difference between revisions of "About OWASP/Bug Bounty"

(Minor updates/corrections)
 
(27 intermediate revisions by 2 users not shown)
Line 1: Line 1:
<h1> DRAFT Bug Bounty 11-Feb-2016</h1>
+
=UPDATE : 21 June, 2016=
Please note that this is NOT an approved policy yet, but a DRAFT.
 
  
Report a Security Bug [https://www.tfaforms.com/308703 Click Here]
+
The '''only''' Bounty program running right now is for OWASP PROJECTS.
  
'''OWASP Foundation White Hat Program: Responsible Disclosure'''
+
For more information check the following page:
+
https://www.owasp.org/index.php/Bug_Bounty_Projects
  
Security of user data and communication is of utmost importance to the OWASP Foundation (OWASP). In pursuit of the best possible security for our service, we welcome responsible disclosure of any vulnerability you may find in OWASP. In order to encourage responsible disclosure, we will not pursue legal action against researchers who point out a problem, provided they follow the principles of responsible disclosure, which include, but are not limited to:
+
AT THIS MOMENT, OWASP IS NOT RUNNING A BUG BOUNTY ON ITS INFRASTRUCTURE.

* Only access, expose, or modify your own customer data. Do not perform any attack that could harm the reliability or integrity of our services or data.
* Avoid scanning techniques that are likely to cause degradation of service to other customers (DoS, spamming).
* Keep within the guidelines of our Terms of Service.
* Always keep details of vulnerabilities secret until OWASP has been notified and had a reasonable amount of time to fix the issue.

We may suspend your account and ban your IP if you do not respect these principles.

 
In order to be eligible for a bounty, your submission must be accepted as valid by OWASP. We use the following guidelines to determine the validity of requests and the reward compensation offered.

'''Reproducibility'''

Our volunteers and engineers must be able to reproduce the security flaw from your report. Reports that are too vague or unclear are not eligible for a reward. Reports that include clearly written explanations and working code are more likely to garner rewards.

'''Severity'''

More severe bugs will be met with greater rewards. Any bug which has the potential for financial loss or data breach is of sufficient severity.

In general, vulnerabilities that may lead to lower rewards are those that do not cause one or several of the following results:

* Partial/complete loss of funds
* User information leak
* Severe performance impact (other than DoS)
* Loss of accuracy of exchange data

'''Some Examples of Qualifying Vulnerabilities'''

OWASP reserves the right to decide if the minimum severity qualification threshold is met and whether it was already reported.

* Authentication bypass or privilege escalation
* Clickjacking
* Cross-site scripting (XSS)
* Cross-site request forgery (CSRF/XSRF)
* Mixed-content scripts
* Server-side code execution
* User data breach

'''Some Examples of Non-Qualifying Vulnerabilities'''

Reporting the following vulnerabilities is appreciated but will not systematically lead to a reward from OWASP.

* Denial of Service vulnerabilities (DoS)
* The ability to send malicious links to people you know
* Security bugs in third-party websites that integrate with the OWASP API
* Vulnerabilities related to 3rd-party software (e.g. Java, plugins, extensions) or websites, unless they lead to a vulnerability on the OWASP website
* Spamming
* Usability issues, form autocomplete
* Insecure settings in non-sensitive cookies
* Browser cache vulnerabilities
* Vulnerabilities (including XSS) that require a potential victim to install non-standard software or otherwise take very unlikely active steps to make themselves susceptible
* Non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure
* Vulnerabilities (including XSS) that affect only legacy browsers/plugins

Disclaimer: the Blog is currently out of scope for the Bug Bounty Rewards.

Only one bounty will be awarded per vulnerability.

If we receive multiple reports for the same vulnerability, only the person offering the first clear report will receive a reward.

We maintain flexibility with our reward system, and have no minimum/maximum amount; rewards are based on severity, impact, and report quality.

To receive a reward, you must reside in a country not on international sanctions lists. This is a discretionary program and OWASP reserves the right to cancel the program and/or decide if the minimum severity threshold is reached and if it was previously reported.

'''Contact and Vulnerability Disclosure'''

Please [https://www.tfaforms.com/308703 contact OWASP (Click Here)] with any vulnerability reports or with any questions about the program.

'''THIS IS A DRAFT POLICY'''

If you would like to make it better, please edit the wiki to do so as part of the community effort.

 

Latest revision as of 22:56, 13 July 2018

UPDATE : 21 June, 2016

The only Bounty program running right now is for OWASP PROJECTS.

For more information check the following page: https://www.owasp.org/index.php/Bug_Bounty_Projects

AT THIS MOMENT, OWASP IS NOT RUNNING A BUG BOUNTY ON ITS INFRASTRUCTURE.