[Owasp-board] 2016 ideas

Josh Sokol josh.sokol at owasp.org
Sun Nov 22 17:57:09 UTC 2015


I like the concept, but have some questions before the Board were to
approve something like this:

   1. Is there an actual proposal to fund a Bug Bounty?  If so, what is the
   dollar amount that the Board would be authorizing here?
   2. A bug bounty program is more than just a dollar amount, it's a
   process.  Have we created a process for handling any submissions that come
   in for bugs?
   3. Once you have a submission, are we just throwing it in a database
   somewhere or is there an expectation that someone will fix it?  Who is
   responsible for that?
   4. If the answer to #3 is the project team, then what happens if they do
   not fix it in a timely manner?  Is the project demoted?  If the bug is
   serious enough, do we halt all downloads of the project until it is fixed?
   Do we attempt to warn users?

In short, I think it's great to say "We want a bug bounty program like
Hackerone", but there are way more details that need to be hashed out
here.  I recommend putting together a team to assess how this would work as
part of an actual process for OWASP.  I wouldn't be comfortable authorizing
any funds until I had that information.

~josh

On Sun, Nov 22, 2015 at 12:12 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> To run a programma like hackerone we will need to verify the bugs found
> We could start with a pilot For CRSFGuard and Dependency Check projects
> I volunteer to manage the programma For these projects
> I can set a plan to determine the scope of the program with The project
> leaders and make sure we verify the
> veracity of the reported bugs
>
> What does The board need from me in order to approve my proposal?
>
>
> On Saturday, November 21, 2015, Michael Coates <michael.coates at owasp.org>
> wrote:
>
>> "I would say that for the existing Flagship & LABS (libraries or code)
>> we should run a program through Hackerone or Bugbounty.(off course insecure
>> applications as WebGoat are out of scope ;-))"
>>
>> Yes. This would generate awareness, generate opportunities for new
>> volunteers and put a better control around our prominent code.
>>
>>
>> --
>> Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
>> OWASP Global Board
>>
>>
>>
>>
>>
>> On Sat, Nov 21, 2015 at 8:34 AM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Hi Jim & Board
>>>
>>> 'Developers come to us'... is indeed a moderate approach. I just
>>> finalised a security project reviews developed by very serious companies in
>>> EU and it amazes me that they were using CRSFGuard and even ESAPI.
>>>
>>> There is a dependency and the reason why the PHPSEC users were angry at
>>> OWASP, they were using the project for some serious development of
>>> financial applications and counting on OWASP to secure them.
>>>
>>> Since OWASP cannot offer a QA process review of its own projects, we
>>> should be careful here and indeed, the approach to help improve existing
>>> frameworks is more realistic and has less risks associated with reputation
>>> issues to OWASP image
>>>
>>> I would say that for the existing Flagship & LABS (libraries or code) we
>>> should run a program through Hackerone or Bugbounty.(off course insecure
>>> applications as WebGoat are out of scope ;-))
>>>
>>> Again, maybe the focus should stop in trying to create libraries as Tim
>>> said but focus the efforts into working on existing frameworks.
>>>
>>> The reality is that creating security libraries is VERY hard and it has
>>> a lot of consequences for OWASP image if serious issues are found as the
>>> case of PHPSEC
>>>
>>> regards
>>>
>>> Johanna
>>>
>>> On Sat, Nov 21, 2015 at 11:55 AM, Jim Manico <jim.manico at owasp.org>
>>> wrote:
>>>
>>>> Folks,
>>>>
>>>> I'm feeling a bit more clarity on suggesting technical resource hires
>>>> for 2016. Paul, these are just ideas to trigger strategic planning
>>>> discussions and ideas. I agree that the final decisions around these hires
>>>> is "all you".  I hope this email is taken in the spirt of "ideas to
>>>> consider".
>>>>
>>>> 1) Wiki experts (previously discussed)
>>>> 2) Web design expert (previously discussed)
>>>> 3) Technical contractor or bounties to help augment the security of
>>>> common software frameworks (big potential here)
>>>> 4) Security assurance contractors or bounties to help review OWASP
>>>> defensive projects
>>>>
>>>> The whole "developers, come to us" is only modestly effective.
>>>> "Developers, we want to help and go to you" is a much more effective
>>>> movement, IMO.
>>>>
>>>> Thinking a bit out of box here... If we spent significant funds in
>>>> helping improve common software frameworks for security - we could really
>>>> have a massive impact on the world at large. I'd love to see serious
>>>> investment in this area....
>>>>
>>>> Aloha,
>>>> --
>>>> Jim Manico
>>>> Global Board Member
>>>> OWASP Foundation
>>>> https://www.owasp.org
>>>> Join me in Rome for AppSecEU 2016!
>>>>
>>>> _______________________________________________
>>>> Owasp-board mailing list
>>>> Owasp-board at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>
>>>>
>>>
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>
>>>
>>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20151122/06d06e54/attachment.html>


More information about the Owasp-board mailing list