A few weeks ago we launched a very exciting program, and now that it’s well underway, wanted to give a huge shout out to the awesome organization making it happen. The Open Web Application Security Project (OWASP) is not only the authority on most things application security but a phenomenal open source organization that is constantly trying new things, evolving and innovating the application security landscape.

They have tons of active projects that are used by thousands of developers and companies looking to implement better security controls, and recently launched their bounty program for one of those projects, the Zed Attack Proxy (ZAP).

To some, this program comes at a surprise, to others it makes sense that such an innovative, open source organization would employ the power of crowdsourcing for additional security controls. They put a ton of thought into creating a framework to utilize bug bounties for those projects and have published that framework, and answered some of our questions.

Q&A with Johanna Curiel, from OWASP

Johanna is an OWASP volunteer for the technical setup of the OWASP bounty projects, helping to define clear bounty scopes and working with the project leaders to make this a reality.

What unique appsec challenges do open source projects like OWASP face?

One of our constant challenges is to get people to review and verify the quality of our projects, especially to verify the security of them. As you know, OWASP is a non-profit foundation and has limited resources regarding these activities.


As the authority on appsec, what does that mean for people using your projects?

Many developers and companies looking to improve their application security are turning towards OWASP to use defender libraries. They implement these libraries to secure their critical applications.There is a certain level of implied trust in OWASP, and many users of these projects might forget or not be aware that many of them are Open Source and lack an expected security assurance review, which at the moment is not done by OWASP.


How can a bug bounty help alleviate that?

Testing web applications for security can be a challenging task. But testing that security control libraries are robust in the face of attack is an even more difficult challenge for even the most sophisticated assessment professionals. A while ago I proposed the idea of launching a bug bounty for defender libraries to test those security controls. That idea grew to encompass projects, such as ZAP, which that are being installed on clients.


How did you go about implementing that idea?

As an open source organization, we turned to our community of volunteers, and some project leaders to set the guidelines for OWASP bug bounties, including the project qualifications and scope. We went through the process of looking into different service providers at the beginning of this year. After that process, Bugcrowd was selected as the platform to be utilized for stable and mature defender projects as a form of quality assurance.


It’s always awesome for the security research community, and for Bugcrowd specifically, to see more and more organizations tapping into the vast global security research community to improve security controls. We are thrilled to be working with OWASP, collaborating with the security community for the security community.

For additional inquiries about the OWASP Bug Bounty program, contact support@bugcrowd.com.