[Owasp-leaders] Bug Hunting at OWASP.org

Timo Goosen timo.goosen at owasp.org
Thu Feb 11 06:04:40 UTC 2016


"But in the meantime, here are a few resources to report your findings to
if you run into security issues (and I use "run into" with intention
because you would never just start actively testing a website for security
without permission in some way, right? Because doing so is a major criminal
act in most countries, right?)"
Depends. I've found bugs on sites before, unintentionally just by clicking
around.

On the idea of a bug bounty project for OWASP. The idea is good, but I
don't think that OWASP has the resources to deal with a bug bounty program
and the flood of reports that will be coming in. Researchers get very
annoyed if you don't respond promptly and take them seriously. Just
something to consider.

Regards.
Timo

On Thu, Feb 11, 2016 at 6:15 AM, Jim Manico <jim.manico at owasp.org> wrote:

> Folks,
>
> A few OWASP researchers have found bugs on OWASP's wiki and decided to
> disclose them in public over twitter before reporting to OWASP.
>
> Can you please disclose to me or Matt Tesauro or use the contact form or
> do anything other than disclose in public before discussing this with OWASP
> IT staff and support?
>
> Also, Josh Sokol is in the middle of ramping up a more formal bug bounty
> program and will provide a more formal method for disclosure in the near
> future.
>
> But in the meantime, here are a few resources to report your findings to
> if you run into security issues (and I use "run into" with intention
> because you would never just start actively testing a website for security
> without permission in some way, right? Because doing so is a major criminal
> act in most countries, right?)
>
> Thanks all.
>
>    - Matt Tesauro: matt.tesauro at owasp.org
>    - Jim Manico:  jim at owasp.org
>    - Contact Form: https://www.tfaforms.com/308703
>
> Aloha,
> Jim Manico
> OWASP Global Board Member
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>