[Owasp-board] 2016 ideas

johanna curiel curiel johanna.curiel at owasp.org
Sun Nov 22 18:15:01 UTC 2015


Indeed, Josh.

I'm busy creating a proposal that will answer these questions; it is
in progress right now:

https://docs.google.com/a/owasp.org/document/d/1Br4I8jKc0tyzdBCq4ohO1LcDNL861xldMBlkA_z6v34/edit?usp=sharing

Here are my quick answers; just consider them also as in progress, as we need
more people to give feedback on this.

*Is there an actual proposal to fund a Bug Bounty?  If so, what is the
dollar amount that the Board would be authorising here?*

The proposal is to start with a pilot for 3 projects, with a budget of
USD 1,000 for each defender library
and USD 1,000 through bountysource.com to help fix the issue (3 x USD 2,000).

*A bug bounty program is more than just a dollar amount, it's a process.
Have we created a process for handling any submissions that come in for
bugs?*

Yes, through hackerone.com we can, and I volunteer to manage the process
pilot for these 3 projects. We can run the program for a short period (3
months), depending on how fast the big issues are found. If a hacker finds
a big issue in the first week, well, I guess we don't need to keep running
the program for that project then, until it is fixed. As a pilot, we can then
review the results later and decide whether running the program was successful
or not.

*Once you have a submission, are we just throwing it in a database
somewhere or is there an expectation that someone will fix it?  Who is
responsible for that?*

I will be responsible for handling and confirming the bug. I'll communicate
this to the project leader and log the bug on his GitHub issue page. The
project leader can indeed give us feedback on whether he is able to fix the
issue or not, depending on the degree of difficulty.

*If the answer to #3 is the project team, then what happens if they do not
fix it in a timely manner?  Is the project demoted?  If the bug is serious
enough, do we halt all downloads of the project until it is fixed?  Do we
attempt to warn users?*

I think that, depending on the complexity of the attack and its severity
(for example, an attack that is easy to carry out and bypasses the CSRFGuard
token, thus high severity), OWASP has the responsibility to decide whether
to halt or not. If CSRFGuard is supposed to protect against these attacks and
can be easily bypassed (for example), I think there is a sense of
responsibility to warn users about the issue and try to keep them from using
it until it is fixed.

If the project leader cannot fix the issue, we then provide a bounty to
fix it; this can be done through another bounty program such as
bountysource.com. In this way we help the leader fix the issue.


On Sun, Nov 22, 2015 at 1:57 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> I like the concept, but have some questions before the Board were to
> approve something like this:
>
>    1. Is there an actual proposal to fund a Bug Bounty?  If so, what is
>    the dollar amount that the Board would be authorizing here?
>    2. A bug bounty program is more than just a dollar amount, it's a
>    process.  Have we created a process for handling any submissions that come
>    in for bugs?
>    3. Once you have a submission, are we just throwing it in a database
>    somewhere or is there an expectation that someone will fix it?  Who is
>    responsible for that?
>    4. If the answer to #3 is the project team, then what happens if they
>    do not fix it in a timely manner?  Is the project demoted?  If the bug is
>    serious enough, do we halt all downloads of the project until it is fixed?
>    Do we attempt to warn users?
>
> In short, I think it's great to say "We want a bug bounty program like
> Hackerone", but there are way more details that need to be hashed out
> here.  I recommend putting together a team to assess how this would work as
> part of an actual process for OWASP.  I wouldn't be comfortable authorizing
> any funds until I had that information.
>
> ~josh
>
> On Sun, Nov 22, 2015 at 12:12 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> To run a program like hackerone, we will need to verify the bugs found.
>> We could start with a pilot for the CSRFGuard and Dependency Check projects.
>> I volunteer to manage the program for these projects.
>> I can set a plan to determine the scope of the program with the project
>> leaders and make sure we verify the
>> veracity of the reported bugs.
>>
>> What does The board need from me in order to approve my proposal?
>>
>>
>> On Saturday, November 21, 2015, Michael Coates <michael.coates at owasp.org>
>> wrote:
>>
>>> "I would say that for the existing Flagship & LABS (libraries or code)
>>> we should run a program through Hackerone or Bugbounty (of course insecure
>>> applications such as WebGoat are out of scope ;-))"
>>>
>>> Yes. This would generate awareness, generate opportunities for new
>>> volunteers and put a better control around our prominent code.
>>>
>>>
>>> --
>>> Michael Coates | @_mwc
>>> <https://twitter.com/intent/user?screen_name=_mwc>
>>> OWASP Global Board
>>>
>>> On Sat, Nov 21, 2015 at 8:34 AM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>> Hi Jim & Board
>>>>
>>>> 'Developers come to us'... is indeed a moderate approach. I just
>>>> finalised security reviews of projects developed by very serious companies in
>>>> the EU, and it amazes me that they were using CSRFGuard and even ESAPI.
>>>>
>>>> There is a dependency, and the reason why the PHPSEC users were angry at
>>>> OWASP is that they were using the project for some serious development of
>>>> financial applications and counting on OWASP to secure them.
>>>>
>>>> Since OWASP cannot offer a QA process review of its own projects, we
>>>> should be careful here, and indeed, the approach of helping improve existing
>>>> frameworks is more realistic and has fewer risks associated with reputation
>>>> issues for OWASP's image.
>>>>
>>>> I would say that for the existing Flagship & LABS (libraries or code)
>>>> we should run a program through Hackerone or Bugbounty (of course insecure
>>>> applications such as WebGoat are out of scope ;-)).
>>>>
>>>> Again, maybe the focus should not be on trying to create libraries, as Tim
>>>> said, but on working on existing frameworks.
>>>>
>>>> The reality is that creating security libraries is VERY hard, and it has
>>>> a lot of consequences for OWASP's image if serious issues are found, as in the
>>>> case of PHPSEC.
>>>>
>>>> regards
>>>>
>>>> Johanna
>>>>
>>>> On Sat, Nov 21, 2015 at 11:55 AM, Jim Manico <jim.manico at owasp.org>
>>>> wrote:
>>>>
>>>>> Folks,
>>>>>
>>>>> I'm feeling a bit more clarity on suggesting technical resource hires
>>>>> for 2016. Paul, these are just ideas to trigger strategic planning
>>>>> discussions and ideas. I agree that the final decisions around these hires
>>>>> are "all you".  I hope this email is taken in the spirit of "ideas to
>>>>> consider".
>>>>>
>>>>> 1) Wiki experts (previously discussed)
>>>>> 2) Web design expert (previously discussed)
>>>>> 3) Technical contractor or bounties to help augment the security of
>>>>> common software frameworks (big potential here)
>>>>> 4) Security assurance contractors or bounties to help review OWASP
>>>>> defensive projects
>>>>>
>>>>> The whole "developers, come to us" is only modestly effective.
>>>>> "Developers, we want to help and go to you" is a much more effective
>>>>> movement, IMO.
>>>>>
>>>>> Thinking a bit out of the box here... If we spent significant funds on
>>>>> helping improve common software frameworks for security, we could really
>>>>> have a massive impact on the world at large. I'd love to see serious
>>>>> investment in this area....
>>>>>
>>>>> Aloha,
>>>>> --
>>>>> Jim Manico
>>>>> Global Board Member
>>>>> OWASP Foundation
>>>>> https://www.owasp.org
>>>>> Join me in Rome for AppSecEU 2016!
>>>>>
>>>>> _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>
>>>>>
>>>>
>>>
>