[Owasp-leaders] [Owasp-community] Bug Hunting at OWASP.org
Kevin W. Wall
kevin.w.wall at gmail.com
Thu Feb 11 06:14:10 UTC 2016
And to add to Timo's thoughts... if we have an RFP to redo the OWASP site
and we do put out a bug bounty, perhaps we should wait until that effort is
finished; otherwise we may end up fixing things twice.
On Thu, Feb 11, 2016 at 1:04 AM, Timo Goosen <timo.goosen at owasp.org> wrote:
> "But in the meantime, here are a few resources to report your findings to
> if you run into security issues (and I use "run into" with intention
> because you would never just start actively testing a website for security
> without permission in some way, right? Because doing so is a major criminal
> act in most countries, right?)"
> Depends. I've found bugs on sites before, unintentionally just by clicking
> On the idea of a bug bounty project for OWASP. The idea is good, but I
> don't think that OWASP has the resources to deal with a bug bounty program
> and the flood of reports that will be coming in. Researchers get very
> annoyed if you don't respond promptly and take them seriously. Just
> something to consider.
> On Thu, Feb 11, 2016 at 6:15 AM, Jim Manico <jim.manico at owasp.org> wrote:
>> A few OWASP researchers have found bugs on OWASP's wiki and decided to
>> disclose them in public over twitter before reporting to OWASP.
>> Can you please disclose to me or Matt Tesauro or use the contact form or
>> do anything other than disclose in public before discussing this with OWASP
>> IT staff and support?
>> Also, Josh Sokol is in the middle of ramping up a more formal bug bounty
>> program and will provide a more formal method for disclosure in the near
>> But in the meantime, here are a few resources to report your findings to
>> if you run into security issues (and I use "run into" with intention
>> because you would never just start actively testing a website for security
>> without permission in some way, right? Because doing so is a major criminal
>> act in most countries, right?)
>> Thanks all.
>> - Matt Tesauro: matt.tesauro at owasp.org
>> - Jim Manico: jim at owasp.org
>> - Contact Form: https://www.tfaforms.com/308703
>> Jim Manico
>> OWASP Global Board Member
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
> Owasp-community mailing list
> Owasp-community at lists.owasp.org
Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.