[Owasp-board] Working with Bug Crowd on responsible reporting metrics

Andrew van der Stock vanderaj at owasp.org
Wed Nov 22 22:56:22 UTC 2017


They are going to tweet soon, so please reach out to them when that happens. 

I’ll send you Casey’s email under separate cover. 

Thanks
Andrew 

> On Nov 22, 2017, at 14:52, Tiffany Long <tiffany.long at owasp.org> wrote:
> 
> Perhaps say should be added to our Twitter team during this time so they can do that support?
> 
> 
>> On Wed, 22 Nov 2017, 14:54 Andrew van der Stock, <vanderaj at owasp.org> wrote:
>> Casey is doing the media. I'm not sure when the articles come out, but I will find out when the article comes out and share it with you. 
>> 
>> thanks,
>> Andrew
>> 
>>> On Wed, Nov 22, 2017 at 12:34 PM, Tiffany Long <tiffany.long at owasp.org> wrote:
>>> This is awesome. I assume you will be giving many of the interviews? If so, will we have advanced notice as the articles come out?
>>> 
>>> Best,
>>> Tiffany
>>> 
>>> 
>>> On 22 Nov 2017 2:21 pm, "Andrew van der Stock" <vanderaj at owasp.org> wrote:
>>> Hi there,
>>> 
>>> I spoke with Casey Ellis from Bug Crowd this morning. Bug Crowd is going to be working on establishing industry neutral responsible reporting metrics to cover off the gray area between breaches and discovering the potential for a breach, which is the underpinning of trust for both pen tests and bug bounties.
>>> 
>>> There will be media articles soon discussing OWASP's involvement in this community project, especially as a reaction to the Uber attack, where the previous CISO passed off the breach as a bug bounty payout. Which it wasn't. We previously established the OWASP Vulnerability Reporting project for this purpose.
>>> 
>>> The OWASP Vulnerability Reporting project currently has Casey and myself as co-leaders.
>>> 
>>> https://github.com/OWASP/Vulnerability-Reporting-Project
>>> 
>>> They will be working with the industry and pulling in comments from their own testers, and will work with anyone in the industry to achieve consensus on what it means to test for breaches in a responsible / safe way that still demonstrates impact. They are donating this effort to OWASP. 
>>> 
>>> thanks,
>>> Andrew
>>> 
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>> 
>>> 
>> 