[Owasp-leaders] [Owasp-community] Bug Hunting at OWASP.org

Owen Pendlebury owen.pendlebury at owasp.org
Thu Feb 11 16:30:01 UTC 2016


Hi Jim/ all,

I'd be happy to spend some time pentesting the platform. I don't think we
should allow vulnerability scanners to wildly alter data on the WIKI,
putting us in an even worse predicament than we are in now (WIKI wise). Should
be completely manual testing with relevant proof of concepts.

I'm sure there are many of us in this community that would also give up
some time to ensure we practice what we preach. Maybe we can build a team
to do this.

Also think the bug bounty is a good idea. There are a number of them out
there including Bugcrowd that give reputation and/ or money for bugs found.
In this way we can choose the scope of testing and do it in a controlled
manner.

Do we have someone that can fix the bugs once identified?

Owen

Owen Pendlebury
OWASP Ireland-Dublin Chapter Lead
https://www.owasp.org/index.php/Ireland-Dublin

On 11 February 2016 at 04:15, Jim Manico <jim.manico at owasp.org> wrote:

> Folks,
>
> A few OWASP researchers have found bugs on OWASP's wiki and decided to
> disclose them in public over twitter before reporting to OWASP.
>
> Can you please disclose to me or Matt Tesauro or use the contact form or
> do anything other than disclose in public before discussing this with OWASP
> IT staff and support?
>
> Also, Josh Sokol is in the middle of ramping up a more formal bug bounty
> program and will provide a more formal method for disclosure in the near
> future.
>
> But in the meantime, here are a few resources to report your findings to
> if you run into security issues (and I use "run into" with intention
> because you would never just start actively testing a website for security
> without permission in some way, right? Because doing so is a major criminal
> act in most countries, right?)
>
> Thanks all.
>
>    - Matt Tesauro: matt.tesauro at owasp.org
>    - Jim Manico:  jim at owasp.org
>    - Contact Form: https://www.tfaforms.com/308703
>
> Aloha,
> Jim Manico
> OWASP Global Board Member
>