[Owasp-leaders] Bug Hunting at OWASP.org
jim.manico at owasp.org
Thu Feb 11 06:45:02 UTC 2016
Fair points, Timo.
Because of our limited resources, OWASP is looking to use a bug bounty
*service* (an open call to vendors was was made) to manage this for us
so all bugs are properly tracked in a CMS in a way that leads to
remediation. Again, Josh has the lead here but I think this is a good
effort for the foundation.
On 2/10/16 10:04 PM, Timo Goosen wrote:
> "But in the meantime, here are a few resources to report your findings
> to if you run into security issues (and I use "run into" with
> intention because you would never just start actively testing a
> website for security without permission in some way, right? Because
> doing so is a major criminal act in most countries, right?)"
> Depends. I've found bugs on sites before, unintentionally just by
> clicking around.
> On the idea of a bug bounty project for OWASP. The idea is good, but I
> don't think that OWASP has the resources to deal with a bug bounty
> program and the flood of reports that will becoming in. Researchers
> get very annoyed if you don't respond promptly and take them
> seriously. Just something to consider.
> On Thu, Feb 11, 2016 at 6:15 AM, Jim Manico <jim.manico at owasp.org
> <mailto:jim.manico at owasp.org>> wrote:
> A few OWASP researchers have found bugs on OWASP's wiki and
> decided to disclose them in public over twitter before reporting
> to OWASP.
> Can you please disclose to me or Matt Tesauro or use the contact
> form or do anything other than disclose in public before
> discussing this with OWASP IT staff and support?
> Also, Josh Sokol is in the middle of ramping up a more formal bug
> bounty program and will provide a more formal method for
> disclosure in the near future.
> But in the meantime, here are a few resources to report your
> findings to if you run into security issues (and I use "run into"
> with intention because you would never just start actively testing
> a website for security without permission in some way, right?
> Because doing so is a major criminal act in most countries, right?)
> Thanks all.
> * Matt Tesauro: matt.tesauro at owasp.org
> <mailto:matt.tesauro at owasp.org>
> * Jim Manico: jim at owasp.org <mailto:jim at owasp.org>
> * Contact Form: https://www.tfaforms.com/308703
> Jim Manico
> OWASP Global Board Member
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OWASP-Leaders