[Owasp-leaders] [Owasp-community] Bug Hunting at OWASP.org

Jim Manico jim.manico at owasp.org
Fri Feb 12 06:31:07 UTC 2016


Matt Tesauro is the OWASP IT director and serves in that role. I have 
admin access at the wikimedia level, but Matt is the primary POC for 
wiki issues.

Aloha,
Jim


On 2/11/16 10:24 PM, johanna curiel curiel wrote:
> Even when volunteers want to fix issues, we have no admin rights to 
> the system to update and fix the wiki
>
> Some weeks ago we set in motion an initiative so that staff creates 
> an inventory of all portals/systems and who will be administrating this
>
> In case of the wiki, who is/are the admins?
>
>
> On Friday, February 12, 2016, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>
>     > we run around with our hands in the air when drama hits Twitter
>     more than normal.
>
>     I would rephrase that as "some of us who actually give a sh%t go
>     and fix the problem as best we can"
>
>     - Jim
>
>     On 2/11/16 9:52 PM, Andrew van der Stock wrote:
>>     I think this also comes down to the infrastructure transformation
>>     that I've asked Matt T to get ready for us since our last F2F at
>>     AppSec USA. We need to simplify our IT fleet, and really get it
>>     behind a proper enterprise architecture, rather than a rag tag
>>     collection of out of date stuff that we inherit. We only have so
>>     much Matt T time to maintain this stuff, and so pen testing it
>>     without also addressing the root cause: we have no idea where all
>>     our stuff is, who has admin, how it authenticates, we don't
>>     monitor it for attacks, and we don't have an IR plan and we run
>>     around with our hands in the air when drama hits Twitter more
>>     than normal.
>>
>>     I want a transformation plan, where we have only one of
>>     everything, and all the things we have is well managed and
>>     monitored. This will reduce our IT costs, and be better aligned
>>     with the resources we currently allocate to this task.
>>
>>     This is not rocket science.
>>
>>     thanks,
>>     Andrew
>>
>>
>>     On Fri, Feb 12, 2016 at 4:18 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>         +1 Thank you wall for security researchers who have helped us
>>         find bugs!
>>
>>         Good stuff Tom, thanks for getting this started. I'm sure
>>         Josh will be especially interested in this.
>>
>>         Aloha,
>>         Jim
>>
>>
>>
>>         On 2/11/16 9:13 AM, Tom Brennan - OWASP wrote:
>>>         Post mortem of fixes would be nice to have and a wall of
>>>         thank you should be established yes?
>>>
>>>         *draft*
>>>         https://www.owasp.org/index.php/About_OWASP/Bug_Bounty
>>>
>>>         Tom Brennan
>>>         Global Board of Directors
>>>         (d) 973-506-9304
>>>
>>>         OWASP Foundation | www.owasp.org <http://www.owasp.org>
>>>
>>>
>>>         On Thu, Feb 11, 2016 at 1:48 AM, Jim Manico
>>>         <jim.manico at owasp.org> wrote:
>>>         > Right, but two OWASP researchers posted live bugs over
>>>         Twitter today. We
>>>         > have to deal with it Kevin. I'd rather we know than not
>>>         know, sooner than
>>>         > later. One of the bugs noted I fixed earlier today.
>>>         >
>>>         > Knowing is half the battle.
>>>         >
>>>         > Aloha,
>>>         > Jim
>>>         >
>>>         >
>>>         > On 2/10/16 10:14 PM, Kevin W. Wall wrote:
>>>         >
>>>         > And to add to Timo's thoughts...if we have an RFP to redo
>>>         the OWASP site, if
>>>         > we do put out a bug bounty, perhaps we should wait until
>>>         that effort is
>>>         > finished, otherwise we may end up fixing things twice.
>>>         >
>>>         > -kevin
>>>         >
>>>         > On Thu, Feb 11, 2016 at 1:04 AM, Timo Goosen
>>>         <timo.goosen at owasp.org> wrote:
>>>         >>
>>>         >> "But in the meantime, here are a few resources to report
>>>         your findings to
>>>         >> if you run into security issues (and I use "run into"
>>>         with intention because
>>>         >> you would never just start actively testing a website for
>>>         security without
>>>         >> permission in some way, right? Because doing so is a
>>>         major criminal act in
>>>         >> most countries, right?)"
>>>         >> Depends. I've found bugs on sites before, unintentionally
>>>         just by clicking
>>>         >> around.
>>>         >>
>>>         >> On the idea of a bug bounty project for OWASP. The idea
>>>         is good, but I
>>>         >> don't think that OWASP has the resources to deal with a
>>>         bug bounty program
>>>         >> and the flood of reports that will be coming in.
>>>         Researchers get very annoyed
>>>         >> if you don't respond promptly and take them seriously.
>>>         Just something to
>>>         >> consider.
>>>         >>
>>>         >> Regards.
>>>         >> Timo
>>>         >>
>>>         >> On Thu, Feb 11, 2016 at 6:15 AM, Jim Manico
>>>         <jim.manico at owasp.org> wrote:
>>>         >>>
>>>         >>> Folks,
>>>         >>>
>>>         >>> A few OWASP researchers have found bugs on OWASP's wiki
>>>         and decided to
>>>         >>> disclose them in public over twitter before reporting to
>>>         OWASP.
>>>         >>>
>>>         >>> Can you please disclose to me or Matt Tesauro or use the
>>>         contact form or
>>>         >>> do anything other than disclose in public before
>>>         discussing this with OWASP
>>>         >>> IT staff and support?
>>>         >>>
>>>         >>> Also, Josh Sokol is in the middle of ramping up a more
>>>         formal bug bounty
>>>         >>> program and will provide a more formal method for
>>>         disclosure in the near
>>>         >>> future.
>>>         >>>
>>>         >>> But in the meantime, here are a few resources to report
>>>         your findings to
>>>         >>> if you run into security issues (and I use "run into"
>>>         with intention because
>>>         >>> you would never just start actively testing a website
>>>         for security without
>>>         >>> permission in some way, right? Because doing so is a
>>>         major criminal act in
>>>         >>> most countries, right?)
>>>         >>>
>>>         >>> Thanks all.
>>>         >>>
>>>         >>> Matt Tesauro: matt.tesauro at owasp.org
>>>         >>> Jim Manico: jim at owasp.org
>>>         >>> Contact Form: https://www.tfaforms.com/308703
>>>         >>>
>>>         >>> Aloha,
>>>         >>> Jim Manico
>>>         >>> OWASP Global Board Member
>>>         >>>
>>>         >>> _______________________________________________
>>>         >>> OWASP-Leaders mailing list
>>>         >>> OWASP-Leaders at lists.owasp.org
>>>         >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>         >>>
>>>         >>
>>>         >>
>>>         >> _______________________________________________
>>>         >> Owasp-community mailing list
>>>         >> Owasp-community at lists.owasp.org
>>>         >> https://lists.owasp.org/mailman/listinfo/owasp-community
>>>         >>
>>>         >
>>>         >
>>>         >
>>>         > --
>>>         > Blog: http://off-the-wall-security.blogspot.com/   |
>>>         Twitter: @KevinWWall
>>>         > NSA: All your crypto bit are belong to us.
>>>         >
>>>         >
>>>         >
>>>
>>>
>>>
>>>         -- 
>>>
>>>         Tom Brennan
>>>         Global Board of Directors
>>>         NYC/NJ Metro Chapter Leader
>>>         (d) 973-506-9304
>>>
>>>         OWASP Foundation | www.owasp.org <http://www.owasp.org>
>>>
>>
>>
>>
>>
>
