OWASP supports many volunteer efforts to produce security libraries that are in turn used by many companies and developers to secure their applications. This bounty program for the OWASP Java HTML Sanitizer project exists to test the protection level claimed by the library and to verify that an application using it is indeed not vulnerable to XSS attacks.
OWASP may provide rewards to eligible reporters of qualifying vulnerabilities. Our minimum reward is reputational points. The following table outlines the usual minimum rewards for specific classes of vulnerabilities for in-scope properties (see section on Scope).
Please be aware that the quality of your report is critical to your submission. To ensure that we are able to understand what you are reporting and the potential impact, please make sure your report contains the following items:
- What type of issue are you reporting? Does it align to the scoped issue?
- How does a user reproduce your issue? (If this contains more than a few steps, please create a video so we can attempt to perform the same steps).
- What is the impact of your issue?
- What are some scenarios where an attacker would be able to leverage this vulnerability?
- What would be your suggested fix?
Eligibility and Responsible Disclosure
We are happy to thank everyone who submits valid reports which help us improve the security of OWASP! However, only those that meet the following eligibility requirements may receive a monetary reward:
- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability (see below) associated with a site or application in scope (see above).
- We can’t be legally prohibited from rewarding you (for example, you can’t be a resident of or located within Cuba, Sudan, North Korea, Iran or Syria, a national of other certain countries, or on a denied parties or sanctions list).
- You may not publicly disclose the vulnerability prior to our resolution.
About the OWASP HTML Sanitizer Project
The OWASP HTML Sanitizer is a fast and easy-to-configure HTML sanitizer written in Java which lets you include HTML authored by third parties in your web application while protecting against XSS. The existing dependencies are on Guava and JSR 305. The other jars are only needed by the test suite. The JSR 305 dependency is a compile-only dependency, needed only for annotations. This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review. A great place to get started using the OWASP Java HTML Sanitizer is here: https://github.com/OWASP/java-html-sanitizer/blob/master/docs/getting_started.md.
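As an added illustration of what "protecting against XSS" means in practice (this is example code written here, not code from the project's own documentation), the following shows an application building an allow-list policy with HtmlPolicyBuilder and running untrusted comment markup through it; the class name, the policy choices and the sample input are constructed for this example.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;

public class CommentSanitizerExample {

    // Allow-list policy: only the listed elements and attributes survive.
    // Anything not explicitly permitted (script elements, on* event-handler
    // attributes, non-https URL schemes such as javascript:) is removed.
    static final PolicyFactory COMMENT_POLICY = new HtmlPolicyBuilder()
            .allowElements("p", "b", "i", "em", "strong", "a")
            .allowAttributes("href").onElements("a")
            .allowUrlProtocols("https")
            .requireRelNofollowOnLinks()
            .toFactory()
            // Policies compose: add the project's prebuilt FORMATTING policy.
            .and(Sanitizers.FORMATTING);

    // Returns markup that is safe to embed in an HTML body context. It is not a
    // substitute for escaping when the value is placed in an attribute,
    // a URL or a script context.
    static String sanitizeComment(String untrustedHtml) {
        return COMMENT_POLICY.sanitize(untrustedHtml);
    }

    public static void main(String[] args) {
        // Constructed sample input mixing allowed formatting with markup that
        // the policy is expected to strip: an inline event handler, a script
        // element and a javascript: link. The https link is kept and, because
        // of requireRelNofollowOnLinks(), gains rel="nofollow".
        String untrusted = "<p onclick=\"alert(1)\">Hi <b>there</b>"
                + "<script>alert(document.cookie)</script>"
                + "<a href=\"javascript:alert(1)\">bad link</a> "
                + "<a href=\"https://owasp.org\">OWASP</a></p>";
        System.out.println(sanitizeComment(untrusted));
    }
}
```

A report for this program would typically consist of an input for which the output of such a policy still executes script in a browser, together with the policy configuration used.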
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email email@example.com. We will address your issue as soon as possible.
This bounty requires explicit permission to disclose the results of a submission.