• Points per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

0 vulnerabilities rewarded

Latest hall of famers

The hall of fame is empty.

Recently joined this program

2 total

OWASP supports many volunteers efforts to produce security libraries which at the same time are used by many companies and developers, in order to secure their applications. This bounty program for CRSFGuard run by OWASP is to determine the protection level claimed by the library and verify that indeed the protected application is not vulnerable to CRSF attacks when using the library.


OWASP may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is reputational points.


The OWASP CSRFGuard library is integrated through the use of a JavaEE Filter and exposes various automated and manual ways to integrate per-session or pseudo-per-request tokens into HTML.

  • OWASP CSRFGuard implements a variant of the synchronizer token pattern to mitigate the risk of CSRF attacks. In order to implement this pattern, CSRFGuard must offer the capability to place the CSRF prevention token within the HTML produced by the protected web application. CSRFGuard 3 provides developers more fine grain control over the injection of the token. Developers can inject the token in their HTML using either dynamic JavaScript DOM manipulation or a JSP tag library. CSRFGuard no longer intercepts and modifies the HttpServletResponse object as was done in previous releases. The currently available token injection strategies are designed to make the integration of CSRFGuard more feasible and scalable within current enterprise web applications. Developers are encouraged to make use of both the JavaScript DOM Manipulation and the JSP tag library strategies for a complete token injection strategy. The JavaScript DOM Manipulation strategy is ideal as it is automated and requires minimal effort on behalf of the developer. In the event the JavaScript solution is insufficient within a particular application context, developers should leverage the JSP tag library. The purpose of this article is to describe the token injection strategies offered by OWASP CSRFGuard 3.

Getting Started Guide

This program only awards points for VRT based submissions.


In scope

Access & Reporting

When submitting a bug be sure to specify the version of the application you are using, the client the vulnerability was found on, and other unique information that might be helpful for us to reproduce the vulnerability.

Focus Areas

The program focuses on finding CSRF attacks ONLY of the following form:

*JS token injector not properly injecting into the dom [1]

  • Token with weak crypto [1]
  • Server side not enforcing the token properly on POST Request [1]

[1] Excluding CSRF attacks with the help of XSS.


The CSRFGuard library purpose is to protect against CRSF attacks - therefore any other kind of vulnerability is excluded from this program

Non-Qualifying Vulnerabilities

The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):
*Attacks requiring physical access to a user's device
*Forms missing CSRF tokens (we require evidence of actual CSRF vulnerability)
*Invalid or missing SPF (Sender Policy Framework) records
*Content spoofing / text injection
*Issues related to software or protocols not under OWASP control
*Bypass of URL malware detection
*Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
*Social engineering of OWASP staff or contractors
*Any physical attempts against OWASP property or server
*Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages

Report Template

Please be aware that the quality of your report is critical to your submission. To ensure that we are able to understand what you are reporting and the potential impact, please make sure your report contains the following items. You might want to consider using this as a template or checklist when writing up your report.

  • What type of issue are you reporting? Does it align to the scoped issue?
  • How does a user reproduce your issue? (If this contains more than a few steps, please create a video so we can attempt to perform the same steps).
  • What is the impact of your issue?
  • What are some scenarios where an attacker would be able to leverage this vulnerability?
  • What would be your suggested fix?

Eligibility and Responsible Disclosure

We are happy to thank everyone who submits valid reports which help us improve the security of OWASP! However, only those that meet the following eligibility requirements may receive a monetary reward:
*You must be the first reporter of a vulnerability.
*The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).
*We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of other certain countries, or on a denied parties or sanctions list).
*You may not publicly disclose the vulnerability prior to our resolution.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.