[Owasp-leaders] [Owasp-community] Bug Hunting at OWASP.org

Jim Manico jim.manico at owasp.org
Fri Feb 12 05:07:26 UTC 2016


unsubscribe

On 2/11/16 8:15 AM, Eoin Keary wrote:
> I would be happy to see if we can onboard the OWASP wiki into edgescan 
> continuous vulnerability management if that helps?
>
> Eoin Keary
> OWASP Volunteer
> @eoinkeary
>
>
>
> On 11 Feb 2016, at 14:49, johanna curiel curiel 
> <johanna.curiel at owasp.org <mailto:johanna.curiel at owasp.org>> wrote:
>
>> Jim
>>
>> OWASP needs some technical resources urgently, that is clear. This is 
>> getting out of hand.
>>
>> Outside the OWASP community, people expect that we practice what we 
>> preach. I have seen a trend in here with rants on Twitter about 
>> security issues in OWASP projects and also on the wiki page. They 
>> poke fun at us. These issues were reported back in December.
>>
>> The fact that we have poor resources to manage this makes OWASP 
>> vulnerable. I should add this to any 'Top risk list' OWASP projects 
>> are working on 😝:
>> /If your company has no resources to fix the security issues, this 
>> constitutes a high risk to your enterprise./
>>
>> We are a bunch of security 'expert' peeps preaching security but not 
>> executing it; we have XSS on the same wiki site where we preach 
>> 'XSS' security. It is really funny when you look at it.
>>
>> Agree with Timo that bug hunting won't help fix issues. We need 
>> resources, people working on fixing things.
>> Agree with Kevin that we need a cohesive approach on this issue and not 
>> loosely coupled actions that lead nowhere.
>>
>> I think management needs to make this a priority.
>>
>> Cheers
>>
>> Johanna
>>
>> On Thu, Feb 11, 2016 at 2:48 AM, Jim Manico <jim.manico at owasp.org 
>> <mailto:jim.manico at owasp.org>> wrote:
>>
>>     Right, but two OWASP researchers posted live bugs over Twitter
>>     today. We have to deal with it Kevin. I'd rather we know than not
>>     know, sooner than later. One of the bugs noted I fixed earlier
>>     today.
>>
>>     Knowing is half the battle.
>>
>>     Aloha,
>>     Jim
>>
>>
>>     On 2/10/16 10:14 PM, Kevin W. Wall wrote:
>>>     And to add to Timo's thoughts...if we have an RFP to redo the
>>>     OWASP site, if we do put out a bug bounty, perhaps we should
>>>     wait until that effort is finished, otherwise we may end up
>>>     fixing things twice.
>>>
>>>     -kevin
>>>
>>>     On Thu, Feb 11, 2016 at 1:04 AM, Timo Goosen
>>>     <timo.goosen at owasp.org <mailto:timo.goosen at owasp.org>> wrote:
>>>
>>>         "But in the meantime, here are a few resources to report
>>>         your findings to if you run into security issues (and I use
>>>         "run into" with intention because you would never just start
>>>         actively testing a website for security without permission
>>>         in some way, right? Because doing so is a major criminal act
>>>         in most countries, right?)"
>>>         Depends. I've found bugs on sites before, unintentionally
>>>         just by clicking around.
>>>
>>>         On the idea of a bug bounty project for OWASP. The idea is
>>>         good, but I don't think that OWASP has the resources to deal
>>>         with a bug bounty program and the flood of reports that will
>>>         be coming in. Researchers get very annoyed if you don't
>>>         respond promptly and take them seriously. Just something to
>>>         consider.
>>>
>>>         Regards.
>>>         Timo
>>>
>>>         On Thu, Feb 11, 2016 at 6:15 AM, Jim Manico
>>>         <jim.manico at owasp.org <mailto:jim.manico at owasp.org>> wrote:
>>>
>>>             Folks,
>>>
>>>             A few OWASP researchers have found bugs on OWASP's wiki
>>>             and decided to disclose them in public over Twitter
>>>             before reporting to OWASP.
>>>
>>>             Can you please disclose to me or Matt Tesauro or use the
>>>             contact form or do anything other than disclose in
>>>             public before discussing this with OWASP IT staff and
>>>             support?
>>>
>>>             Also, Josh Sokol is in the middle of ramping up a more
>>>             formal bug bounty program and will provide a more formal
>>>             method for disclosure in the near future.
>>>
>>>             But in the meantime, here are a few resources to report
>>>             your findings to if you run into security issues (and I
>>>             use "run into" with intention because you would never
>>>             just start actively testing a website for security
>>>             without permission in some way, right? Because doing so
>>>             is a major criminal act in most countries, right?)
>>>
>>>             Thanks all.
>>>
>>>               * Matt Tesauro: matt.tesauro at owasp.org
>>>                 <mailto:matt.tesauro at owasp.org>
>>>               * Jim Manico: jim at owasp.org <mailto:jim at owasp.org>
>>>               * Contact Form: https://www.tfaforms.com/308703
>>>
>>>             Aloha,
>>>             Jim Manico
>>>             OWASP Global Board Member
>>>
>>>             _______________________________________________
>>>             OWASP-Leaders mailing list
>>>             OWASP-Leaders at lists.owasp.org
>>>             <mailto:OWASP-Leaders at lists.owasp.org>
>>>             https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>>
>>>         _______________________________________________
>>>         Owasp-community mailing list
>>>         Owasp-community at lists.owasp.org
>>>         <mailto:Owasp-community at lists.owasp.org>
>>>         https://lists.owasp.org/mailman/listinfo/owasp-community
>>>
>>>
>>>
>>>
>>>     -- 
>>>     Blog: http://off-the-wall-security.blogspot.com/ | Twitter:
>>>     @KevinWWall
>>>     NSA: All your crypto bit are belong to us.
>>
>>
