OWASP Juice Shop is an intentionally vulnerable web application, but we still do not want to be suprised by zero day vulnerabilities which are not part of our hacking challenges. We are following the proposed Internet standard https://securitytxt.org so you can find our "security" policy in any running instance of the application at the expected location described in https://tools.ietf.org/html/draft-foudil-securitytxt-06. Finding it is actually one of our hacking challenges!
We provide security patches for the latest released minor version.
Version | Supported |
---|---|
12.11.x | ✅ |
<12.11 | ❌ |
For vulnerabilities which are not part of any hacking challenge please contact [email protected]. In all
other cases please contact our shop's "security team" at the address mentioned in the
security.txt
accessible through the running application.
Instead of fixing reported vulnerabilities we might turn them into hacking challenges! You might receive a reward for reporting a vulnerability that makes it into one of our challenges!