[Owasp-leaders] [Owasp-community] Bug Hunting at OWASP.org

Andrew van der Stock vanderaj at owasp.org
Fri Feb 12 06:11:03 UTC 2016


Agreed.

Andrew

On Fri, Feb 12, 2016 at 4:54 PM, Jim Manico <jim.manico at owasp.org> wrote:

> > we run around with our hands in the air when drama hits Twitter more
> than normal.
>
> I would rephrase that as "some of us who actually give a sh%t go and fix
> the problem as best we can"
>
> - Jim
>
>
> On 2/11/16 9:52 PM, Andrew van der Stock wrote:
>
> I think this also comes down to the infrastructure transformation that
> I've asked Matt T to get ready for us since our last F2F at AppSec USA. We
> need to simplify our IT fleet, and really get it behind a proper enterprise
> architecture, rather than a rag tag collection of out of date stuff that we
> inherit. We only have so much Matt T time to maintain this stuff, and so
> pen testing it without also addressing the root cause: we have no idea
> where all our stuff is, who has admin, how it authenticates, we don't
> monitor it for attacks, and we don't have an IR plan and we run around with
> our hands in the air when drama hits Twitter more than normal.
>
> I want a transformation plan, where we have only one of everything, and
> all the things we have are well managed and monitored. This will reduce our
> IT costs, and be better aligned with the resources we currently allocate to
> this task.
>
> This is not rocket science.
>
> thanks,
> Andrew
>
>
> On Fri, Feb 12, 2016 at 4:18 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> +1 Thank you wall for security researchers who have helped us find bugs!
>>
>> Good stuff Tom, thanks for getting this started. I'm sure Josh will be
>> especially interested in this.
>>
>> Aloha,
>> Jim
>>
>>
>>
>> On 2/11/16 9:13 AM, Tom Brennan - OWASP wrote:
>>
>> Post mortem of fixes would be nice to have and a wall of thank you should
>> be established yes?
>>
>> *draft*
>> https://www.owasp.org/index.php/About_OWASP/Bug_Bounty
>>
>> Tom Brennan
>> Global Board of Directors
>> (d) 973-506-9304
>>
>> OWASP Foundation | www.owasp.org
>>
>>
>> On Thu, Feb 11, 2016 at 1:48 AM, Jim Manico <jim.manico at owasp.org> wrote:
>> > Right, but two OWASP researchers posted live bugs over Twitter today. We
>> > have to deal with it Kevin. I'd rather we know than not know, sooner
>> > than later. One of the bugs noted I fixed earlier today.
>> >
>> > Knowing is half the battle.
>> >
>> > Aloha,
>> > Jim
>> >
>> >
>> > On 2/10/16 10:14 PM, Kevin W. Wall wrote:
>> >
>> > And to add to Timo's thoughts...if we have an RFP to redo the OWASP
>> > site, if we do put out a bug bounty, perhaps we should wait until that
>> > effort is finished, otherwise we may end up fixing things twice.
>> >
>> > -kevin
>> >
>> > On Thu, Feb 11, 2016 at 1:04 AM, Timo Goosen <timo.goosen at owasp.org> wrote:
>> >>
>> >> "But in the meantime, here are a few resources to report your findings
>> >> to if you run into security issues (and I use "run into" with intention
>> >> because you would never just start actively testing a website for
>> >> security without permission in some way, right? Because doing so is a
>> >> major criminal act in most countries, right?)"
>> >> Depends. I've found bugs on sites before, unintentionally just by
>> >> clicking around.
>> >>
>> >> On the idea of a bug bounty project for OWASP. The idea is good, but I
>> >> don't think that OWASP has the resources to deal with a bug bounty
>> >> program and the flood of reports that will be coming in. Researchers get
>> >> very annoyed if you don't respond promptly and take them seriously. Just
>> >> something to consider.
>> >>
>> >> Regards.
>> >> Timo
>> >>
>> >> On Thu, Feb 11, 2016 at 6:15 AM, Jim Manico <jim.manico at owasp.org> wrote:
>> >>>
>> >>> Folks,
>> >>>
>> >>> A few OWASP researchers have found bugs on OWASP's wiki and decided to
>> >>> disclose them in public over twitter before reporting to OWASP.
>> >>>
>> >>> Can you please disclose to me or Matt Tesauro or use the contact form or
>> >>> do anything other than disclose in public before discussing this with
>> >>> OWASP IT staff and support?
>> >>>
>> >>> Also, Josh Sokol is in the middle of ramping up a more formal bug bounty
>> >>> program and will provide a more formal method for disclosure in the near
>> >>> future.
>> >>>
>> >>> But in the meantime, here are a few resources to report your findings to
>> >>> if you run into security issues (and I use "run into" with intention
>> >>> because you would never just start actively testing a website for
>> >>> security without permission in some way, right? Because doing so is a
>> >>> major criminal act in most countries, right?)
>> >>>
>> >>> Thanks all.
>> >>>
>> >>> Matt Tesauro: matt.tesauro at owasp.org
>> >>> Jim Manico:  jim at owasp.org
>> >>> Contact Form: https://www.tfaforms.com/308703
>> >>>
>> >>> Aloha,
>> >>> Jim Manico
>> >>> OWASP Global Board Member
>> >>>
>> >>> _______________________________________________
>> >>> OWASP-Leaders mailing list
>> >>> OWASP-Leaders at lists.owasp.org
>> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >>>
>> >>
>> >>
>> >> _______________________________________________
>> >> Owasp-community mailing list
>> >> Owasp-community at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-community
>> >>
>> >
>> >
>> >
>> > --
>> > Blog: http://off-the-wall-security.blogspot.com/    | Twitter:
>> @KevinWWall
>> > NSA: All your crypto bit are belong to us.
>> >
>> >
>> >
>> >
>>
>>
>>
>> --
>>
>> Tom Brennan
>> Global Board of Directors
>> NYC/NJ Metro Chapter Leader
>> (d) 973-506-9304
>>
>> OWASP Foundation | www.owasp.org
>>
>>
>>
>>
>>
>>
>
>