  • Points – $1,000 per vulnerability
  • Safe harbor

Program stats

  • Vulnerabilities rewarded: 29
  • Validation within 38 minutes: 75% of submissions are accepted or rejected within 38 minutes

Recently joined this program

60 total

The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pen testers to use for manual security testing.

OWASP supports many volunteer efforts to produce security tools, which many companies and developers use to secure their applications. This bounty program, run by OWASP, is intended to ensure that these tools cannot be used as vectors to attack anyone who uses them.
OWASP is a registered trademark of the OWASP Foundation, Inc.

OWASP Bug Bounty


Remote Code Execution for this program will be rewarded at $1000. Happy hunting!

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.