[Owasp-leaders] [Owasp-community] Bug Hunting at OWASP.org

Munir Njiru munir.njiru at owasp.org
Fri Feb 12 06:56:17 UTC 2016


I agree on this, but also, if you look at it, the bug bounty program does not
necessarily have to happen in cash. A system I use is Bugcrowd; some
guys just reward with kudos or some pre-existing merchandise if
such a budget is not in place. The thing is, though, responsible disclosure
is what needs to be encouraged.

Kind Regards,

Munir Njenga,
OWASP Chapter Leader (Kenya) || Information Security Consultant || Developer
Mob   (KE) +254 (0) 734960670

=============================
Chapter Page: www.owasp.org/index.php/Kenya
Project Site:
http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/
Email: munir.njiru at owasp.org
Facebook: https://www.facebook.com/OWASP.Kenya
Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-Kenya


On Fri, Feb 12, 2016 at 9:31 AM, Jim Manico <jim.manico at owasp.org> wrote:

> Matt Tesauro is the OWASP IT director and serves in that role. I have
> admin access at the wikimedia level, but Matt is the primary POC for wiki
> issues.
>
> Aloha,
> Jim
>
>
>
> On 2/11/16 10:24 PM, johanna curiel curiel wrote:
>
> Even when volunteers want to fix issues, we have no admin rights to the
> system to update and fix the wiki
>
> Some weeks ago we set in motion an initiative so that staff creates an
> inventory of all portals/systems and who will be administrating this
>
> In case of the wiki, who is/are the admins?
>
>
> On Friday, February 12, 2016, Jim Manico <jim.manico at owasp.org> wrote:
>
>> > we run around with our hands in the air when drama hits Twitter more
>> > than normal.
>>
>> I would rephrase that as "some of us who actually give a sh%t go and fix
>> the problem as best we can"
>>
>> - Jim
>>
>> On 2/11/16 9:52 PM, Andrew van der Stock wrote:
>>
>> I think this also comes down to the infrastructure transformation that
>> I've asked Matt T to get ready for us since our last F2F at AppSec USA. We
>> need to simplify our IT fleet, and really get it behind a proper enterprise
>> architecture, rather than a rag tag collection of out of date stuff that we
>> inherit. We only have so much Matt T time to maintain this stuff, and so
>> pen testing it without also addressing the root cause: we have no idea
>> where all our stuff is, who has admin, how it authenticates, we don't
>> monitor it for attacks, and we don't have an IR plan and we run around with
>> our hands in the air when drama hits Twitter more than normal.
>>
>> I want a transformation plan, where we have only one of everything, and
>> all the things we have is well managed and monitored. This will reduce our
>> IT costs, and be better aligned with the resources we currently allocate to
>> this task.
>>
>> This is not rocket science.
>>
>> thanks,
>> Andrew
>>
>>
>> On Fri, Feb 12, 2016 at 4:18 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> +1 Thank you wall for security researchers who have helped us find bugs!
>>>
>>> Good stuff Tom, thanks for getting this started. I'm sure Josh will be
>>> especially interested in this.
>>>
>>> Aloha,
>>> Jim
>>>
>>>
>>>
>>> On 2/11/16 9:13 AM, Tom Brennan - OWASP wrote:
>>>
>>> Post mortem of fixes would be nice to have and a wall of thank you
>>> should be established yes?
>>>
>>> *draft*
>>> https://www.owasp.org/index.php/About_OWASP/Bug_Bounty
>>>
>>> Tom Brennan
>>> Global Board of Directors
>>> (d) 973-506-9304
>>>
>>> OWASP Foundation | www.owasp.org
>>>
>>>
>>> On Thu, Feb 11, 2016 at 1:48 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>> > Right, but two OWASP researchers posted live bugs over Twitter today. We
>>> > have to deal with it Kevin. I'd rather we know than not know, sooner than
>>> > later. One of the bugs noted I fixed earlier today.
>>> >
>>> > Knowing is half the battle.
>>> >
>>> > Aloha,
>>> > Jim
>>> >
>>> >
>>> > On 2/10/16 10:14 PM, Kevin W. Wall wrote:
>>> >
>>> > And to add to Timo's thoughts...if we have an RFP to redo the OWASP site, if
>>> > we do put out a bug bounty, perhaps we should wait until that effort is
>>> > finished, otherwise we may end up fixing things twice.
>>> >
>>> > -kevin
>>> >
>>> > On Thu, Feb 11, 2016 at 1:04 AM, Timo Goosen <timo.goosen at owasp.org> wrote:
>>> >>
>>> >> "But in the meantime, here are a few resources to report your findings to
>>> >> if you run into security issues (and I use "run into" with intention because
>>> >> you would never just start actively testing a website for security without
>>> >> permission in some way, right? Because doing so is a major criminal act in
>>> >> most countries, right?)"
>>> >> Depends. I've found bugs on sites before, unintentionally just by clicking
>>> >> around.
>>> >>
>>> >> On the idea of a bug bounty project for OWASP. The idea is good, but I
>>> >> don't think that OWASP has the resources to deal with a bug bounty program
>>> >> and the flood of reports that will be coming in. Researchers get very annoyed
>>> >> if you don't respond promptly and take them seriously. Just something to
>>> >> consider.
>>> >>
>>> >> Regards.
>>> >> Timo
>>> >>
>>> >> On Thu, Feb 11, 2016 at 6:15 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>> >>>
>>> >>> Folks,
>>> >>>
>>> >>> A few OWASP researchers have found bugs on OWASP's wiki and decided to
>>> >>> disclose them in public over Twitter before reporting to OWASP.
>>> >>>
>>> >>> Can you please disclose to me or Matt Tesauro or use the contact form or
>>> >>> do anything other than disclose in public before discussing this with OWASP
>>> >>> IT staff and support?
>>> >>>
>>> >>> Also, Josh Sokol is in the middle of ramping up a more formal bug bounty
>>> >>> program and will provide a more formal method for disclosure in the near
>>> >>> future.
>>> >>>
>>> >>> But in the meantime, here are a few resources to report your findings to
>>> >>> if you run into security issues (and I use "run into" with intention because
>>> >>> you would never just start actively testing a website for security without
>>> >>> permission in some way, right? Because doing so is a major criminal act in
>>> >>> most countries, right?)
>>> >>>
>>> >>> Thanks all.
>>> >>>
>>> >>> Matt Tesauro: matt.tesauro at owasp.org
>>> >>> Jim Manico:  jim at owasp.org
>>> >>> Contact Form: https://www.tfaforms.com/308703
>>> >>>
>>> >>> Aloha,
>>> >>> Jim Manico
>>> >>> OWASP Global Board Member
>>> >>>
>>> >>> _______________________________________________
>>> >>> OWASP-Leaders mailing list
>>> >>> OWASP-Leaders at lists.owasp.org
>>> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>> >>>
>>> >>
>>> >>
>>> >> _______________________________________________
>>> >> Owasp-community mailing list
>>> >> Owasp-community at lists.owasp.org
>>> >> https://lists.owasp.org/mailman/listinfo/owasp-community
>>> >>
>>> >
>>> >
>>> >
>>> > --
>>> > Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
>>> > NSA: All your crypto bit are belong to us.
>>> >
>>> >
>>> >
>>> >
>>>
>>>
>>>
>>> --
>>>
>>> Tom Brennan
>>> Global Board of Directors
>>> NYC/NJ Metro Chapter Leader
>>> (d) 973-506-9304
>>>
>>> OWASP Foundation | www.owasp.org
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>
>
>