The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing them. It's also a great tool for experienced pentesters to use for manual security testing.
OWASP supports many volunteers' efforts to produce security tools which are used by many companies and developers in order to secure their applications. This bounty program run by OWASP is intended to ensure that these tools cannot be used as vectors to attack anyone who uses them.
OWASP is a registered trademark of the OWASP Foundation, Inc.
Remote Code Execution for this program will be rewarded at $1000. Happy hunting!
Any target/property not listed in the targets section is out of scope.
Any design or implementation issue that is reproducible and substantially affects the security of ZAP users is likely to be in scope for the program, but in particular:
- Remote code execution  ($1000)
- Unauthorized API actions
  - Excluding cases where the user has chosen to install or run scripts, or has chosen to disable the API key or any of the other 'test' API options flagged as 'insecure'.
  - API calls made as a result of normal HUD usage are considered to be authorised. However, if a malicious site can completely control API access then this will be a qualifying vulnerability.
The following applications are in scope for this program:
- The latest version of OWASP ZAP (currently 2.9.0) running in any of its supported configurations (command line, desktop, daemon and Heads Up Display)
- The OWASP ZAP Website: https://www.zaproxy.org
Please be aware that the quality of your report is critical to your submission. To ensure that we are able to understand what you are reporting and the potential impact, please make sure your report contains the following items. You might want to consider using this as a template or checklist when writing up your report.
- What type of issue are you reporting? Does it align with the scoped issues?
- How does a user reproduce your issue? (If this contains more than a few steps, please create a video so we can attempt to perform the same steps).
- What is the impact of your issue?
- What are some scenarios where an attacker would be able to leverage this vulnerability?
- What would be your suggested fix?
Qualifying Vulnerabilities for ZAP
Any design or implementation issue that is reproducible and substantially affects the security of ZAP users is likely to be in scope for the program.
It should be safe to use ZAP on malicious web sites. If you are able to compromise the security of ZAP users using a site that ZAP is acting upon then you are likely to qualify for a bounty.
Out of Scope Vulnerabilities for ZAP
Depending on their impact, not all reported issues may qualify for a reward. However all reports are reviewed on a case-by-case basis and any report that results in a change being made will at a minimum receive Hall of Fame recognition.
Please refrain from accessing private information (so use test accounts), performing actions that may negatively affect OWASP users (spam, denial of service), or sending reports from automated tools without verifying them.
The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):
- Attacks requiring physical access to a user's machine
- Attacks requiring the user to install a malicious script or add-on, unless achieved via the ZAP Marketplace or Community Scripts repo
- Attacks requiring the user to disable any of the controls flagged on the API Options page as “only for use in testing”
- Any vulnerabilities found on an operating system that is end-of-life
Qualifying Vulnerabilities for zaproxy.org
- XSS vulnerabilities
- Domain takeover
Out of Scope Vulnerabilities for zaproxy.org
https://www.zaproxy.org is a static site and does not provide any important functionality.
As a result, the following types of issue will be considered out of scope and will not qualify for a bounty:
- Email spoofing
- Missing or incorrect SPF/DMARC/DKIM records of any kind