OWASP supports many volunteer efforts to produce security libraries that are used by many companies and developers to secure their applications. This bounty program for CSRFGuard, run by OWASP, aims to test the protection level claimed by the library and to verify that an application protected by the library is indeed not vulnerable to CSRF attacks.
OWASP may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is reputational points.
The OWASP CSRFGuard library is integrated through the use of a JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML.
This program only awards points for VRT-based submissions.
Target name | Type
<https://github.com/OWASP/OWASPBugBounty/tree/master/CRSFGuard> | Other
When submitting a bug be sure to specify the version of the application you are using, the client the vulnerability was found on, and other unique information that might be helpful for us to reproduce the vulnerability.
The program focuses on finding CSRF attacks ONLY of the following form:
* JS token injector not properly injecting into the DOM
* Excluding CSRF attacks with the help of XSS.
The CSRFGuard library's purpose is to protect against CSRF attacks; therefore any other kind of vulnerability is excluded from this program.
The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):
Attacks requiring physical access to a user's device
Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
Invalid or missing SPF (Sender Policy Framework) records
Content spoofing / text injection
Issues related to software or protocols not under OWASP control
Bypass of URL malware detection
Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
Social engineering of OWASP staff or contractors
Any physical attempts against OWASP property or server
Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages
Please be aware that the quality of your report is critical to your submission. To ensure that we are able to understand what you are reporting and the potential impact, please make sure your report contains the following items. You might want to consider using this as a template or checklist when writing up your report.
We are happy to thank everyone who submits valid reports which help us improve the security of OWASP! However, only those that meet the following eligibility requirements may receive a monetary reward:
You must be the first reporter of a vulnerability.
The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).
We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of other certain countries, or on a denied parties or sanctions list).
You may not publicly disclose the vulnerability prior to our resolution.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
This bounty requires explicit permission to disclose the results of a submission.
Contact us if you want more information.