[Owasp-leaders] [Owasp-community] Bug Hunting at OWASP.org
johanna curiel curiel
johanna.curiel at owasp.org
Thu Feb 11 14:49:09 UTC 2016
OWASP needs some technical resources urgently, that is clear. This is
getting out of hand.
Outside the OWASP community, people expect that we practice what we preach. I
have seen a trend here with rants on Twitter about security issues
in OWASP projects and also on the wiki page. They poke fun at us. These
issues were reported back in December.
The fact that we have poor resources to manage this makes OWASP vulnerable.
I should add this to any 'Top risk-list' OWASP projects are working on 😝:
*If your company has no resources to fix the security issues, this
constitutes a high risk to your enterprise.*
We are a bunch of security 'expert' peeps preaching security but not
executing it; we have XSS on the same wiki site where we preach 'XSS'
security. It is really funny when you look at it.
Agree with Timo that bug hunting won't help fix issues. We need resources,
people working on fixing things.
Agree with Kevin that we need a cohesive approach to this issue and not
loosely coupled actions that lead nowhere.
I think management needs to make this a priority.
On Thu, Feb 11, 2016 at 2:48 AM, Jim Manico <jim.manico at owasp.org> wrote:
> Right, but two OWASP researchers posted live bugs over Twitter today. We
> have to deal with it Kevin. I'd rather we know than not know, sooner than
> later. One of the bugs noted I fixed earlier today.
> Knowing is half the battle.
> On 2/10/16 10:14 PM, Kevin W. Wall wrote:
> And to add to Timo's thoughts...if we have an RFP to redo the OWASP site,
> if we do put out a bug bounty, perhaps we should wait until that effort is
> finished, otherwise we may end up fixing things twice.
> On Thu, Feb 11, 2016 at 1:04 AM, Timo Goosen <timo.goosen at owasp.org>
>> "But in the meantime, here are a few resources to report your findings
>> to if you run into security issues (and I use "run into" with intention
>> because you would never just start actively testing a website for security
>> without permission in some way, right? Because doing so is a major criminal
>> act in most countries, right?)"
>> Depends. I've found bugs on sites before, unintentionally just by
>> clicking around.
>> On the idea of a bug bounty project for OWASP. The idea is good, but I
>> don't think that OWASP has the resources to deal with a bug bounty program
>> and the flood of reports that will be coming in. Researchers get very
>> annoyed if you don't respond promptly and take them seriously. Just
>> something to consider.
>> On Thu, Feb 11, 2016 at 6:15 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>> A few OWASP researchers have found bugs on OWASP's wiki and decided to
>>> disclose them in public over Twitter before reporting to OWASP.
>>> Can you please disclose to me or Matt Tesauro or use the contact form or
>>> do anything other than disclose in public before discussing this with OWASP
>>> IT staff and support?
>>> Also, Josh Sokol is in the middle of ramping up a more formal bug bounty
>>> program and will provide a more formal method for disclosure in the near
>>> But in the meantime, here are a few resources to report your findings to
>>> if you run into security issues (and I use "run into" with intention
>>> because you would never just start actively testing a website for security
>>> without permission in some way, right? Because doing so is a major criminal
>>> act in most countries, right?)
>>> Thanks all.
>>> - Matt Tesauro: matt.tesauro at owasp.org
>>> - Jim Manico: jim at owasp.org
>>> - Contact Form: https://www.tfaforms.com/308703
>>> Jim Manico
>>> OWASP Global Board Member
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>> Owasp-community mailing list
>> Owasp-community at lists.owasp.org
> Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
> NSA: All your crypto bit are belong to us.