(2 intermediate revisions by one other user not shown) |
Line 1: |
Line 1: |
| + | =UPDATE : 21 June, 2016= |
| | | |
| + | The '''only''' Bounty program running right now is for OWASP PROJECTS. |
| | | |
− | <h1> DRAFT OWASP Foundation Bug Bounty Program 11-Feb-2016</h1>
| + | For more information check the following page: |
− | Please note that is NOT a approved policy yet just a DRAFT due to a recent vulnerability in the OWASP Infrastructure.
| + | https://www.owasp.org/index.php/Bug_Bounty_Projects |
| | | |
− | No technology is perfect, and OWASP Foundation believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
| + | AT THIS MOMENT, OWASP IS NOT RUNNING A BUG BOUNTY ON ITS INFRASTRUCTURE. |
− | | |
− | | |
− | =Disclosure Policy=
| |
− | | |
− | Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
| |
− | Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
| |
− | Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
| |
− | Bounty Program
| |
− | | |
− | To show our appreciation of responsible security researchers, OWASP Foundation offers a swag bounty and wall of fame for reports of qualifying security vulnerabilities. Reward amounts will vary based upon the severity of the reported vulnerability, and eligibility is at our sole discretion.
| |
− | | |
− | =Exclusions=
| |
− | | |
− | While researching, we'd like to ask you to refrain from:
| |
− | | |
− | Denial of service
| |
− | | |
− | Spamming
| |
− | | |
− | Social engineering (including phishing) of OWASP Foundation staff or contractors
| |
− | | |
− | Any physical attempts against OWASP Foundation property or data centers
| |
− | | |
− | Thank you for helping keep OWASP Foundation and our users safe!
| |
− | | |
− | =Reproducibility=
| |
− | | |
− | Our volunteers and engineers must be able to reproduce the security flaw from your report.
| |
− | | |
− | Reports that are too vague or unclear are not eligible for a reward.
| |
− | | |
− | Reports that include clearly written explanations and working code are more likely to garner rewards.
| |
− | | |
− | =Severity=
| |
− | More severe bugs will be met with greater rewards. Any bug which has the potential for financial loss or data breach is of sufficient severity.
| |
− | | |
− | In general, vulnerabilities that may lead to lower rewards are those that do not cause one or several of the following results:
| |
− | | |
− | Partial/complete loss of funds
| |
− | User information leak
| |
− | Severe performance impact (other than DoS)
| |
− | Loss of accuracy of exchange data
| |
− | Some Examples of Qualifying Vulnerabilities
| |
− | | |
− | OWASP reserves the right to decide if the minimum severity qualification threshold is met and whether it was already reported. | |
− | | |
− | Authentication bypass or privilege escalation
| |
− | Clickjacking
| |
− | Cross-site scripting (XSS)
| |
− | Cross-site request forgery (CSRF/XSRF)
| |
− | Mixed-content scripts
| |
− | Server-side code execution
| |
− | User data breach
| |
− | Some Examples of Non-Qualifying Vulnerabilities
| |
− | | |
− | Reporting the following vulnerabilities is appreciated but will not lead to systematic reward from OWASP.
| |
− | | |
− | Denial of Service vulnerabilities (DoS)
| |
− | Possibilities to send malicious links to people you know
| |
− | Security bugs in third-party websites that integrate with OWASP products/services
| |
− | Vulnerabilities related to 3rd-party software (e.g. Java, plugins, extensions) or website unless they lead to vulnerability on OWASP website
| |
− | Spamming
| |
− | Usability issues, forms autocomplete
| |
− | Insecure settings in non-sensitive cookies
| |
− | Browser Cache vulnerabilities
| |
− | Vulnerabilities (including XSS) that require a potential victim to install non-standard software or otherwise take very unlikely active steps to make themselves be susceptible
| |
− | Non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure
| |
− | Vulnerabilities (including XSS) that affect only legacy browser/plugins
| |
− | | |
− | Disclaimer: the Blog is currently out of scope for the Bug Bounty Rewards
| |
− | | |
− | Only one bounty will be awarded per vulnerability.
| |
− | | |
− | If we receive multiple reports for the same vulnerability, only the person offering the first clear report will receive a reward.
| |
− | We maintain flexibility with our reward system, and have no minimum/maximum amount; rewards are based on severity, impact, and report quality.
| |
− | To receive a reward, you must reside in a country not on international sanctions lists. This is a discretionary program and OWASP reserves the right to cancel the program and/or decide if the minimum severity threshold is reached and if it was previously reported.
| |
− | | |
− | =Contact and Vulnerability disclosure=
| |
− | | |
− | To Report a Security Bug directly to OWASP Operations [https://www.tfaforms.com/308703 Click Here]
| |
− | | |
− | To Report a Vulnerabilty using HackerONE [https://www.hackerone.com/owasp Click Here] *testing*
| |
− | | |
− | To Report a Vulnerability using BugCrowd [https://bugcrowd.com/owaspfoundation Click Here] *testing*
| |
− | | |
− | Want to help OWASP by donation of your product or service [https://www.tfaforms.com/308703 Click Here] and tell us more.
| |
− | | |
− | =WALL OF FAME=
| |
− | [https://www.owasp.org/index.php/About_OWASP/Bug_Bounty/WOF Wall of Fame]
| |
− | | |
− | ==THIS IS A DRAFT POLICY==
| |
− | If you would like to make this policy better, simple.. edit the wiki as part of the community effort, that is why we are awesome no red tape ;) - T.Brennan
| |
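Review bot: The replacement text leaves the page with no vulnerability reporting channel at all. The removed revision carried a direct report form for OWASP Operations (https://www.tfaforms.com/308703) and the HackerOne and BugCrowd links under "=Contact and Vulnerability disclosure=", together with the disclosure expectations (report promptly, allow reasonable time before public disclosure, avoid privacy violations and service disruption); the new lines only state that no infrastructure bounty is running and point to the Bug_Bounty_Projects page. Suspending rewards does not remove the need for a way to report an infrastructure issue, so consider keeping at least the Operations report link and the "Disclosure Policy" paragraphs, or state explicitly on this page where infrastructure reports should go now. Minor: the removed `=WALL OF FAME=` link (About_OWASP/Bug_Bounty/WOF) was the acknowledgement for past reporters; if it is meant to stay reachable, link it from the new text as well.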
AT THIS MOMENT, OWASP IS NOT RUNNING A BUG BOUNTY ON ITS INFRASTRUCTURE.