
[Guide] Getting Started with OWASP’s Bug Bounties

“Be the thriving global community that drives visibility and evolution in the safety and security of the world’s software.” In keeping with their mission statement, OWASP has adopted the bug bounty model, tapping into the broader community of global security researchers to secure their defender libraries and open source projects. Since June of this year, they have launched bug bounty programs for four OWASP open source projects:

To further encourage security testing on these programs, OWASP has put together an official OWASP Bug Bounty Startup Guide. Whether you have been bug hunting for years or are just getting into security research, this guide will help you get started with the OWASP bounty projects. These bounty programs are unique in that they are not available as deployed web applications online: you need to download the applications and deploy or install them on your own computer. In this guide, bug hunters can…

  1. Learn about each of these bug bounty programs including scope
  2. Watch step-by-step videos to download necessary assets
  3. Have all up-to-date resources at hand to start finding bugs in OWASP’s four bounty programs

If you have additional questions, feel free to reach out to support@bugcrowd or visit the Bugcrowd Forum thread on OWASP bug bounties.


Why bug bounties for OWASP?

“Many developers and companies looking to improve their application security are turning towards OWASP to use defender libraries. They implement these libraries to secure their critical applications. There is a certain level of implied trust in OWASP, and many users of these projects might forget or not be aware that many of them are Open Source and lack an expected security assurance review, which at the moment is not done by OWASP.”

– Johanna Curiel, volunteer for the technical setup of the OWASP bounty projects

View the full interview here.


Going to AppSecUSA?

Join Bugcrowd and OWASP for a session on the OWASP bounty projects on Thursday, October 13. Attendees will have the opportunity to hear from Johanna Curiel, the OWASP bounty project leader, and some OWASP project leaders about how to get started on the OWASP bounty projects. New to bug hunting? Bugcrowd’s technical team will give a brief presentation on how to get started in bug hunting, along with basic tips for being successful.

We look forward to seeing you!
