[Owasp-board] Working with Bug Crowd on responsible reporting metrics

Andrew van der Stock vanderaj at owasp.org
Wed Nov 22 20:20:37 UTC 2017


Hi there,

I spoke with Casey Ellis from Bug Crowd this morning. Bug Crowd is going to
be working on establishing industry neutral responsible reporting metrics
to cover off the gray area between breaches and discovering the potential
for a breach, which is the underpinning of trust for both pen tests and bug
bounties.

There will be media articles soon discussing OWASP's involvement in this
community project, especially as a reaction to the Uber attack, where the
previous CISO passed off the breach as a bug bounty payout, which it
wasn't. We previously established the OWASP Vulnerability Reporting
project for this purpose.

The OWASP Vulnerability Reporting project currently has Casey and myself
as co-leaders.

https://github.com/OWASP/Vulnerability-Reporting-Project

They will be working with the industry and pulling in comments from their
own testers, and will work with anyone in the industry to achieve consensus
on what it means to test for breaches in a responsible / safe way that
still demonstrates impact. They are donating this effort to OWASP.

thanks,
Andrew