The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing them. It’s also a great tool for experienced pentesters to use for manual security testing.
OWASP supports many volunteers’ efforts to produce security tools, which are used by many companies and developers to secure their applications. This bounty program, run by OWASP, exists to ensure that these tools cannot be used as vectors to attack anyone who uses them.
Remote Code Execution for this program will be rewarded at $1000. Happy hunting!
Target name | Type
Latest ZAP version (2.8.0) | Other
Any target/property not listed in the targets section is out of scope.
Any design or implementation issue that is reproducible and substantially affects the security of ZAP users is likely to be in scope for the program, but in particular:
Excluding scripts that the user has chosen to install or run, or cases where they’ve chosen to disable the API key or any of the other ‘test’ API options flagged as ‘insecure’.
API calls made as a result of normal HUD usage are considered to be authorised. However, if a malicious site can completely control API access, this will be a qualifying vulnerability.
The following applications are in scope for this program:
The latest version of OWASP ZAP (currently 2.8.0) running in any of its supported configurations (command line, desktop, daemon and Heads Up Display)
Please be aware that the quality of your report is critical to your submission. To ensure that we are able to understand what you are reporting and the potential impact, please make sure your report contains the following items. You might want to consider using this as a template or checklist when writing up your report.
It should be safe to use ZAP on malicious web sites. If you are able to compromise the security of ZAP users using a site that ZAP is acting upon then you are likely to qualify for a bounty.
Depending on their impact, not all reported issues may qualify for a reward. However, all reports are reviewed on a case-by-case basis, and any report that results in a change being made will at a minimum receive Hall of Fame
Please refrain from accessing private information (so use test accounts), performing actions that may negatively affect OWASP users (spam, denial of service), or sending reports from automated tools without verifying them.
The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
This bounty requires explicit permission to disclose the results of a submission.
This program was found on Bugcrowd on 2018-03-22.