[Owasp-leaders] Hack OWASP.org as a pre/during Summit Competition

Michael Coates michael.coates at owasp.org
Wed Jan 26 13:08:38 EST 2011


Short summary: We should not do this before the summit.

Full email:

There is an overwhelming response from OWASP against this idea - not because it isn't a good idea, but because of the many potential outcomes. 

As someone very familiar with bug bounty programs, I'd like to throw out a few thoughts.

1. Bug bounty programs are great 
2. You better know what you are getting into

With both of those items said, I strongly advise that we do not launch a HACK OWASP project until we have thoroughly discussed the issue, and especially not in a 2 week window right before the summit.  Nothing should happen with lots of planning, consideration, virtual test servers, response resources, monitoring controls, available blocking and more.  I have plenty more to share and would be happy to do so during appropriate planning calls. However, this should be given the time and planning it deserves.  Attempting to launch a program in a matter of weeks will result in many bad outcomes.



Michael Coates
OWASP



On Jan 26, 2011, at 12:41 AM, dinis cruz wrote:

> Loredana has taken the lead on this one and created the page http://www.owasp.org/index.php/Summit_2011/Competition/Hack_OWASP.ORG with details about this competition (she will also be the main point of contact for this competition)
> 
> Before I submit this to the OWASP board for vote, can you please take a look and chip in with your ideas (for example I think that the scope should include offline MediaWiki exploits/vulns and the competition should also continue during the Summit (we are going to set up a 'hacking room' just like we did at the last Summit (we need to think about the prices for the vulns discovered during the Summit))
> 
> Dinis Cruz
> 
> 
> On 21 January 2011 11:02, Loredana Mancini <loredana.mancini at business-e.it> wrote:
> Hi all,
> 
> I would like to pick up this task, and step forward to organise it if you think it is still interesting, bye Loredana.
> 
> 
> -----Original message-----
> From: owasp-leaders-bounces at lists.owasp.org
> [mailto:owasp-leaders-bounces at lists.owasp.org] On behalf of dinis cruz
> Sent: Wednesday 19 January 2011 17:05
> To: Vlatko Kosturjak
> Cc: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] Javascript required for OWASP page?
> 
> I think we should have a competition to see who can hack the owasp.org
> website :)
> 
> The price would be a fully paid (travel+accommodation) ticket to the
> Summit
> 
> Extra kudos points would be given for gaining root on the owasp.org
> server
> 
> Anybody on this list have the cycles to organize this?
> 
> Dinis Cruz
> 
> On 19 Jan 2011, at 15:59, Vlatko Kosturjak <kost at linux.hr> wrote:
> 
> > On 01/19/2011 04:50 PM, dinis cruz wrote:
> >> It shows that owasp.org is in the same 'shape' as 90% of the websites
> >> out there.
> >>
> >> There is a O2 module that shows all the Javascript (files and inline)
> >> code that is loaded by an owasp.org page (it is quite a list)
> >>
> >> Maybe a good working session for the summit would be to consolidate
> >> all owasp.org javascripts and add CSP to it
> >>
> >> In fact we should have a 'hack owasp.org and mediawiki' competition
> >> at
> >> the Summit ....... :) :) :)
> >
> > Especially to find bugs like this (as mediawiki is in PHP):
> > http://gregorkopf.de/slides_berlinsides_2010.pdf
> >
> > Kost
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
