[Owasp-leaders] [Owasp-community] Bug Hunting at OWASP.org

Kevin W. Wall kevin.w.wall at gmail.com
Thu Feb 11 06:14:10 UTC 2016


And to add to Timo's thoughts... if we have an RFP to redo the OWASP site,
and if we do put out a bug bounty, perhaps we should wait until that effort is
finished; otherwise we may end up fixing things twice.

-kevin

On Thu, Feb 11, 2016 at 1:04 AM, Timo Goosen <timo.goosen at owasp.org> wrote:

> "But in the meantime, here are a few resources to report your findings to
> if you run into security issues (and I use "run into" with intention
> because you would never just start actively testing a website for security
> without permission in some way, right? Because doing so is a major criminal
> act in most countries, right?)"
> Depends. I've found bugs on sites before, unintentionally just by clicking
> around.
>
> On the idea of a bug bounty project for OWASP. The idea is good, but I
> don't think that OWASP has the resources to deal with a bug bounty program
> and the flood of reports that will be coming in. Researchers get very
> annoyed if you don't respond promptly and take them seriously. Just
> something to consider.
>
> Regards.
> Timo
>
> On Thu, Feb 11, 2016 at 6:15 AM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Folks,
>>
>> A few OWASP researchers have found bugs on OWASP's wiki and decided to
>> disclose them in public over twitter before reporting to OWASP.
>>
>> Can you please disclose to me or Matt Tesauro or use the contact form or
>> do anything other than disclose in public before discussing this with OWASP
>> IT staff and support?
>>
>> Also, Josh Sokol is in the middle of ramping up a more formal bug bounty
>> program and will provide a more formal method for disclosure in the near
>> future.
>>
>> But in the meantime, here are a few resources to report your findings to
>> if you run into security issues (and I use "run into" with intention
>> because you would never just start actively testing a website for security
>> without permission in some way, right? Because doing so is a major criminal
>> act in most countries, right?)
>>
>> Thanks all.
>>
>>    - Matt Tesauro: matt.tesauro at owasp.org
>>    - Jim Manico:  jim at owasp.org
>>    - Contact Form: https://www.tfaforms.com/308703
>>
>> Aloha,
>> Jim Manico
>> OWASP Global Board Member
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
> _______________________________________________
> Owasp-community mailing list
> Owasp-community at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-community
>
>


-- 
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.