OWASP Juice Shop is an intentionally vulnerable web application, but we still do not want to be suprised by zero day vulnerabilities which are not part of our hacking challenges. We are following the proposed Internet standard https://securitytxt.org so you can find our "security" policy in any running instance of the application at the expected location described in https://tools.ietf.org/html/draft-foudil-securitytxt-06. Finding it is actually one of our hacking challenges!
We provide security patches for the latest released minor version.
Reporting a Vulnerability
For vulnerabilities which are not part of any hacking challenge
please contact firstname.lastname@example.org. In all other cases please
contact our shop's "security team" at the address mentioned in our
Instead of fixing reported vulnerabilities we might turn them into hacking challenges! You might receive a reward for reporting a vulnerability that makes it into one of our challenges!