[Owasp-leaders] [Owasp-community] Bug Hunting at OWASP.org

johanna curiel curiel johanna.curiel at owasp.org
Fri Feb 12 06:24:47 UTC 2016


Even when volunteers want to fix issues, we have no admin rights to the
system to update and fix the wiki.

Some weeks ago we set in motion an initiative so that staff creates an
inventory of all portals/systems and who will be administering them.

In the case of the wiki, who is/are the admins?


On Friday, February 12, 2016, Jim Manico <jim.manico at owasp.org> wrote:

> > we run around with our hands in the air when drama hits Twitter more
> > than normal.
>
> I would rephrase that as "some of us who actually give a sh%t go and fix
> the problem as best we can"
>
> - Jim
>
> On 2/11/16 9:52 PM, Andrew van der Stock wrote:
>
> I think this also comes down to the infrastructure transformation that
> I've asked Matt T to get ready for us since our last F2F at AppSec USA. We
> need to simplify our IT fleet, and really get it behind a proper enterprise
> architecture, rather than a rag tag collection of out of date stuff that we
> inherit. We only have so much Matt T time to maintain this stuff, and so
> pen testing it without also addressing the root cause: we have no idea
> where all our stuff is, who has admin, how it authenticates, we don't
> monitor it for attacks, and we don't have an IR plan and we run around with
> our hands in the air when drama hits Twitter more than normal.
>
> I want a transformation plan, where we have only one of everything, and
> all the things we have are well managed and monitored. This will reduce our
> IT costs, and be better aligned with the resources we currently allocate to
> this task.
>
> This is not rocket science.
>
> thanks,
> Andrew
>
>
> On Fri, Feb 12, 2016 at 4:18 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> +1 Thank you wall for security researchers who have helped us find bugs!
>>
>> Good stuff Tom, thanks for getting this started. I'm sure Josh will be
>> especially interested in this.
>>
>> Aloha,
>> Jim
>>
>>
>>
>> On 2/11/16 9:13 AM, Tom Brennan - OWASP wrote:
>>
>> Post mortem of fixes would be nice to have and a wall of thank you should
>> be established yes?
>>
>> *draft*
>> https://www.owasp.org/index.php/About_OWASP/Bug_Bounty
>>
>> Tom Brennan
>> Global Board of Directors
>> (d) 973-506-9304
>>
>> OWASP Foundation | www.owasp.org
>>
>>
>> On Thu, Feb 11, 2016 at 1:48 AM, Jim Manico <jim.manico at owasp.org> wrote:
>> > Right, but two OWASP researchers posted live bugs over Twitter today. We
>> > have to deal with it Kevin. I'd rather we know than not know, sooner
>> > than later. One of the bugs noted I fixed earlier today.
>> >
>> > Knowing is half the battle.
>> >
>> > Aloha,
>> > Jim
>> >
>> >
>> > On 2/10/16 10:14 PM, Kevin W. Wall wrote:
>> >
>> > And to add to Timo's thoughts...if we have an RFP to redo the OWASP
>> > site, if we do put out a bug bounty, perhaps we should wait until that
>> > effort is finished, otherwise we may end up fixing things twice.
>> >
>> > -kevin
>> >
>> > On Thu, Feb 11, 2016 at 1:04 AM, Timo Goosen <timo.goosen at owasp.org> wrote:
>> >>
>> >> "But in the meantime, here are a few resources to report your findings
>> >> to if you run into security issues (and I use "run into" with intention
>> >> because you would never just start actively testing a website for
>> >> security without permission in some way, right? Because doing so is a
>> >> major criminal act in most countries, right?)"
>> >> Depends. I've found bugs on sites before, unintentionally just by
>> >> clicking around.
>> >>
>> >> On the idea of a bug bounty project for OWASP. The idea is good, but I
>> >> don't think that OWASP has the resources to deal with a bug bounty
>> >> program and the flood of reports that will be coming in. Researchers
>> >> get very annoyed if you don't respond promptly and take them seriously.
>> >> Just something to consider.
>> >>
>> >> Regards.
>> >> Timo
>> >>
>> >> On Thu, Feb 11, 2016 at 6:15 AM, Jim Manico <jim.manico at owasp.org> wrote:
>> >>>
>> >>> Folks,
>> >>>
>> >>> A few OWASP researchers have found bugs on OWASP's wiki and decided to
>> >>> disclose them in public over Twitter before reporting to OWASP.
>> >>>
>> >>> Can you please disclose to me or Matt Tesauro or use the contact form
>> >>> or do anything other than disclose in public before discussing this
>> >>> with OWASP IT staff and support?
>> >>>
>> >>> Also, Josh Sokol is in the middle of ramping up a more formal bug
>> >>> bounty program and will provide a more formal method for disclosure in
>> >>> the near future.
>> >>>
>> >>> But in the meantime, here are a few resources to report your findings
>> >>> to if you run into security issues (and I use "run into" with intention
>> >>> because you would never just start actively testing a website for
>> >>> security without permission in some way, right? Because doing so is a
>> >>> major criminal act in most countries, right?)
>> >>>
>> >>> Thanks all.
>> >>>
>> >>> Matt Tesauro: matt.tesauro at owasp.org
>> >>> Jim Manico:  jim at owasp.org
>> >>> Contact Form: https://www.tfaforms.com/308703
>> >>>
>> >>> Aloha,
>> >>> Jim Manico
>> >>> OWASP Global Board Member
>> >>>
>> >>> _______________________________________________
>> >>> OWASP-Leaders mailing list
>> >>> OWASP-Leaders at lists.owasp.org
>> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >>>
>> >>
>> >>
>> >> _______________________________________________
>> >> Owasp-community mailing list
>> >> Owasp-community at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-community
>> >>
>> >
>> >
>> >
>> > --
>> > Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
>> > NSA: All your crypto bit are belong to us.
>> >
>> >
>> >
>> >
>>
>>
>>
>> --
>>
>> Tom Brennan
>> Global Board of Directors
>> NYC/NJ Metro Chapter Leader
>> (d) 973-506-9304
>>
>> OWASP Foundation | www.owasp.org
>>
>>
>>
>>
>>
>>
>
>