[Owasp-leaders] Bug Hunting at OWASP.org

Jim Manico jim.manico at owasp.org
Thu Feb 11 06:45:02 UTC 2016


Fair points, Timo.

Because of our limited resources, OWASP is looking to use a bug bounty 
*service* (an open call to vendors was made) to manage this for us 
so all bugs are properly tracked in a CMS in a way that leads to 
remediation. Again, Josh has the lead here, but I think this is a good 
effort for the foundation.

Aloha,
Jim



On 2/10/16 10:04 PM, Timo Goosen wrote:
> "But in the meantime, here are a few resources to report your findings 
> to if you run into security issues (and I use "run into" with 
> intention because you would never just start actively testing a 
> website for security without permission in some way, right? Because 
> doing so is a major criminal act in most countries, right?)"
> Depends. I've found bugs on sites before, unintentionally just by 
> clicking around.
>
> On the idea of a bug bounty project for OWASP. The idea is good, but I 
> don't think that OWASP has the resources to deal with a bug bounty 
> program and the flood of reports that will be coming in. Researchers 
> get very annoyed if you don't respond promptly and take them 
> seriously. Just something to consider.
>
> Regards.
> Timo
>
> On Thu, Feb 11, 2016 at 6:15 AM, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>
>     Folks,
>
>     A few OWASP researchers have found bugs on OWASP's wiki and
>     decided to disclose them in public over twitter before reporting
>     to OWASP.
>
>     Can you please disclose to me or Matt Tesauro or use the contact
>     form or do anything other than disclose in public before
>     discussing this with OWASP IT staff and support?
>
>     Also, Josh Sokol is in the middle of ramping up a more formal bug
>     bounty program and will provide a more formal method for
>     disclosure in the near future.
>
>     But in the meantime, here are a few resources to report your
>     findings to if you run into security issues (and I use "run into"
>     with intention because you would never just start actively testing
>     a website for security without permission in some way, right?
>     Because doing so is a major criminal act in most countries, right?)
>
>     Thanks all.
>
>       * Matt Tesauro: matt.tesauro at owasp.org
>         <mailto:matt.tesauro at owasp.org>
>       * Jim Manico: jim at owasp.org <mailto:jim at owasp.org>
>       * Contact Form: https://www.tfaforms.com/308703
>
>     Aloha,
>     Jim Manico
>     OWASP Global Board Member
>
>     _______________________________________________
>     OWASP-Leaders mailing list
>     OWASP-Leaders at lists.owasp.org <mailto:OWASP-Leaders at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
