[Owasp-leaders] [Owasp-community] Bug Hunting at OWASP.org

Rahim Jina rahim.jina at owasp.org
Thu Feb 11 17:31:44 UTC 2016


Hi Owen,

For automated testing, it's pretty easy to just use exclude lists. Most tools have such functionality built in.

Cheers
Rahim

Sent from my iPhone

> On 11 Feb 2016, at 16:30, Owen Pendlebury <owen.pendlebury at owasp.org> wrote:
> 
> Hi Jim/ all,
> 
> I'd be happy to spend some time pentesting the platform. I don't think we should allow vulnerability scanners to wildly alter data on the WIKI, putting us in an even worse predicament than we are in now (WIKI wise). It should be completely manual testing with relevant proofs of concept.
> 
> I'm sure there are many of us in this community that would also give up some time to ensure we practice what we preach. Maybe we can build a team to do this. 
> 
> I also think the bug bounty is a good idea. There are a number of them out there, including Bugcrowd, that give reputation and/or money for bugs found. In this way we can choose the scope of testing and do it in a controlled manner.
> 
> Do we have someone that can fix the bugs once identified?
> 
> Owen
> 
> Owen Pendlebury
> OWASP Ireland-Dublin Chapter Lead
> https://www.owasp.org/index.php/Ireland-Dublin
> 
>> On 11 February 2016 at 04:15, Jim Manico <jim.manico at owasp.org> wrote:
>> Folks,
>> 
>> A few OWASP researchers have found bugs on OWASP's wiki and decided to disclose them in public over twitter before reporting to OWASP.
>> 
>> Can you please disclose to me or Matt Tesauro or use the contact form or do anything other than disclose in public before discussing this with OWASP IT staff and support?
>> 
>> Also, Josh Sokol is in the middle of ramping up a more formal bug bounty program and will provide a more formal method for disclosure in the near future.
>> 
>> But in the meantime, here are a few resources to report your findings to if you run into security issues (and I use "run into" with intention because you would never just start actively testing a website for security without permission in some way, right? Because doing so is a major criminal act in most countries, right?)
>> 
>> Thanks all.
>> Matt Tesauro: matt.tesauro at owasp.org
>> Jim Manico: jim at owasp.org
>> Contact Form: https://www.tfaforms.com/308703
>> Aloha,
>> Jim Manico
>> OWASP Global Board Member
>> 
>> _______________________________________________
>> Owasp-community mailing list
>> Owasp-community at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-community
> 