[Owasp-leaders] [Owasp-community] Bug Hunting at OWASP.org
Jim Manico
jim.manico at owasp.org
Fri Feb 12 05:07:26 UTC 2016
unsubscribe
On 2/11/16 8:15 AM, Eoin Keary wrote:
> I would be happy to see if we can onboard the OWASP wiki into edgescan
> continuous vulnerability management if that helps?
>
> Eoin Keary
> OWASP Volunteer
> @eoinkeary
>
>
>
> On 11 Feb 2016, at 14:49, johanna curiel curiel
> <johanna.curiel at owasp.org <mailto:johanna.curiel at owasp.org>> wrote:
>
>> Jim
>>
>> OWASP needs some technical resources urgently, that is clear. This is
>> getting out of hand.
>>
>> Outside the OWASP community, people expect that we practice what we
>> preach. I have seen a trend here with rants on Twitter about
>> security issues in OWASP projects and also on the wiki page. They
>> poke fun at us. These issues were reported back in December.
>>
>> The fact that we have poor resources to manage this makes OWASP
>> vulnerable. I should add this to any 'Top risk list' OWASP projects
>> are working on 😝:
>> /If your company has no resources to fix the security issues, this
>> constitutes a high risk to your enterprise./
>>
>> We are a bunch of security 'expert' peeps preaching security but not
>> executing it; we have XSS on the same wiki site where we preach
>> 'XSS' security. It is really funny when you look at it.
>>
>> Agree with Timo that a bug hunt won't help fix issues. We need
>> resources, people working on fixing things.
>> Agree with Kevin that we need a cohesive approach on this issue and not
>> loosely coupled actions that lead nowhere.
>>
>> I think management needs to make this a priority.
>>
>> Cheers
>>
>> Johanna
>>
>> On Thu, Feb 11, 2016 at 2:48 AM, Jim Manico <jim.manico at owasp.org
>> <mailto:jim.manico at owasp.org>> wrote:
>>
>> Right, but two OWASP researchers posted live bugs over Twitter
>> today. We have to deal with it Kevin. I'd rather we know than not
>> know, sooner than later. One of the bugs noted I fixed earlier
>> today.
>>
>> Knowing is half the battle.
>>
>> Aloha,
>> Jim
>>
>>
>> On 2/10/16 10:14 PM, Kevin W. Wall wrote:
>>> And to add to Timo's thoughts...if we have an RFP to redo the
>>> OWASP site, if we do put out a bug bounty, perhaps we should
>>> wait until that effort is finished, otherwise we may end up
>>> fixing things twice.
>>>
>>> -kevin
>>>
>>> On Thu, Feb 11, 2016 at 1:04 AM, Timo Goosen
>>> <timo.goosen at owasp.org <mailto:timo.goosen at owasp.org>> wrote:
>>>
>>> "But in the meantime, here are a few resources to report
>>> your findings to if you run into security issues (and I use
>>> "run into" with intention because you would never just start
>>> actively testing a website for security without permission
>>> in some way, right? Because doing so is a major criminal act
>>> in most countries, right?)"
>>> Depends. I've found bugs on sites before, unintentionally
>>> just by clicking around.
>>>
>>> On the idea of a bug bounty project for OWASP. The idea is
>>> good, but I don't think that OWASP has the resources to deal
>>> with a bug bounty program and the flood of reports that will
>>> be coming in. Researchers get very annoyed if you don't
>>> respond promptly and take them seriously. Just something to
>>> consider.
>>>
>>> Regards.
>>> Timo
>>>
>>> On Thu, Feb 11, 2016 at 6:15 AM, Jim Manico
>>> <jim.manico at owasp.org <mailto:jim.manico at owasp.org>> wrote:
>>>
>>> Folks,
>>>
>>> A few OWASP researchers have found bugs on OWASP's wiki
>>> and decided to disclose them in public over Twitter
>>> before reporting to OWASP.
>>>
>>> Can you please disclose to me or Matt Tesauro or use the
>>> contact form or do anything other than disclose in
>>> public before discussing this with OWASP IT staff and
>>> support?
>>>
>>> Also, Josh Sokol is in the middle of ramping up a more
>>> formal bug bounty program and will provide a more formal
>>> method for disclosure in the near future.
>>>
>>> But in the meantime, here are a few resources to report
>>> your findings to if you run into security issues (and I
>>> use "run into" with intention because you would never
>>> just start actively testing a website for security
>>> without permission in some way, right? Because doing so
>>> is a major criminal act in most countries, right?)
>>>
>>> Thanks all.
>>>
>>> * Matt Tesauro: matt.tesauro at owasp.org
>>> <mailto:matt.tesauro at owasp.org>
>>> * Jim Manico: jim at owasp.org <mailto:jim at owasp.org>
>>> * Contact Form: https://www.tfaforms.com/308703
>>>
>>> Aloha,
>>> Jim Manico
>>> OWASP Global Board Member
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> <mailto:OWASP-Leaders at lists.owasp.org>
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>>
>>> _______________________________________________
>>> Owasp-community mailing list
>>> Owasp-community at lists.owasp.org
>>> <mailto:Owasp-community at lists.owasp.org>
>>> https://lists.owasp.org/mailman/listinfo/owasp-community
>>>
>>>
>>>
>>>
>>> --
>>> Blog: http://off-the-wall-security.blogspot.com/ | Twitter:
>>> @KevinWWall
>>> NSA: All your crypto bit are belong to us.