[Owasp-leaders] [Owasp-community] Bug Hunting at OWASP.org

johanna curiel curiel johanna.curiel at owasp.org
Fri Feb 12 12:09:02 UTC 2016


A little update folks

We have identified this management issue of portals/services as already
pointed out by Andrew. A suggestion I made during a discussion last month
regarding the same subject is to put together a list and make sure it is
clear who is managing what.

This is a list the staff is putting together to have an overview of all the
services/portals used by OWASP, available to leaders, and who is the main
contact:

https://docs.google.com/spreadsheets/d/1Moln7kSQgAxqEvkSRxrRSlkMAXm-fcMyQIe1PV3VO3w/edit?usp=sharing

@Claudia: The wiki does not appear here; please update this info on the sheet
you are managing, since I made a copy of the one you shared with me.

Update Regarding Bug Hunting:

Josh Sokol, Kelly, Claudia and I are trying to get barter deal offers from
Bugcrowd, HackerOne and others to run and manage a bug hunting program
for OWASP for some applications (such as the wiki) and projects.

Munir is right regarding the 'kudos program'; however, we need to pay high
fee$ for the management part of the bounty if we would like to pay one.
Bugcrowd was the first to offer a barter deal.

Jim has contacted other service providers and forwarded them to us. We are now
in the process of trying to get specific barter deal offers from these
different service providers. So far Bugcrowd has made a concrete offer; we
are waiting on the other companies. Kelly is leading this effort.



On Fri, Feb 12, 2016 at 2:56 AM, Munir Njiru <munir.njiru at owasp.org> wrote:

> I agree on this, but also, if you look at it, the bug bounty program does not
> necessarily have to happen in cash. For example, a system I use is Bugcrowd;
> some guys just reward with kudos or some pre-existing merchandise if such a
> budget is not in place. The thing is, though, that responsible disclosure is
> what needs to be encouraged.
>
> Kind Regards,
>
> Munir Njenga,
> OWASP Chapter Leader (Kenya) || Information Security Consultant ||
> Developer
> Mob   (KE) +254 (0) 734960670
>
> =============================
> Chapter Page: www.owasp.org/index.php/Kenya
> Project Site:
> http://alienwithin.github.io/OWASP-mth3l3m3nt-framework/
> Email: munir.njiru at owasp.org
> Facebook: https://www.facebook.com/OWASP.Kenya
> Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-Kenya
>
>
> On Fri, Feb 12, 2016 at 9:31 AM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Matt Tesauro is the OWASP IT director and serves in that role. I have
>> admin access at the wikimedia level, but Matt is the primary POC for wiki
>> issues.
>>
>> Aloha,
>> Jim
>>
>>
>>
>> On 2/11/16 10:24 PM, johanna curiel curiel wrote:
>>
>> Even when volunteers want to fix issues, we have no admin rights to the
>> system to update and fix the wiki.
>>
>> Some weeks ago we set in motion an initiative so that staff creates an
>> inventory of all portals/systems and who will be administrating them.
>>
>> In case of the wiki, who is/are the admins?
>>
>>
>> On Friday, February 12, 2016, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> > we run around with our hands in the air when drama hits Twitter more
>>> > than normal.
>>>
>>> I would rephrase that as "some of us who actually give a sh%t go and fix
>>> the problem as best we can"
>>>
>>> - Jim
>>>
>>> On 2/11/16 9:52 PM, Andrew van der Stock wrote:
>>>
>>> I think this also comes down to the infrastructure transformation that
>>> I've asked Matt T to get ready for us since our last F2F at AppSec USA. We
>>> need to simplify our IT fleet, and really get it behind a proper enterprise
>>> architecture, rather than a rag-tag collection of out-of-date stuff that we
>>> inherit. We only have so much Matt T time to maintain this stuff, and so
>>> pen testing it without also addressing the root cause: we have no idea
>>> where all our stuff is, who has admin, how it authenticates, we don't
>>> monitor it for attacks, we don't have an IR plan, and we run around with
>>> our hands in the air when drama hits Twitter more than normal.
>>>
>>> I want a transformation plan, where we have only one of everything, and
>>> all the things we have are well managed and monitored. This will reduce our
>>> IT costs, and be better aligned with the resources we currently allocate to
>>> this task.
>>>
>>> This is not rocket science.
>>>
>>> thanks,
>>> Andrew
>>>
>>>
>>> On Fri, Feb 12, 2016 at 4:18 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>> +1 Thank you wall for security researchers who have helped us find bugs!
>>>>
>>>> Good stuff Tom, thanks for getting this started. I'm sure Josh will be
>>>> especially interested in this.
>>>>
>>>> Aloha,
>>>> Jim
>>>>
>>>>
>>>>
>>>> On 2/11/16 9:13 AM, Tom Brennan - OWASP wrote:
>>>>
>>>> Post mortem of fixes would be nice to have and a wall of thank you
>>>> should be established yes?
>>>>
>>>> *draft*
>>>> https://www.owasp.org/index.php/About_OWASP/Bug_Bounty
>>>>
>>>> Tom Brennan
>>>> Global Board of Directors
>>>> (d) 973-506-9304
>>>>
>>>> OWASP Foundation | www.owasp.org
>>>>
>>>>
>>>> On Thu, Feb 11, 2016 at 1:48 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>> > Right, but two OWASP researchers posted live bugs over Twitter today. We
>>>> > have to deal with it, Kevin. I'd rather we know than not know, sooner than
>>>> > later. One of the bugs noted I fixed earlier today.
>>>> >
>>>> > Knowing is half the battle.
>>>> >
>>>> > Aloha,
>>>> > Jim
>>>> >
>>>> >
>>>> > On 2/10/16 10:14 PM, Kevin W. Wall wrote:
>>>> >
>>>> > And to add to Timo's thoughts... if we have an RFP to redo the OWASP site, if
>>>> > we do put out a bug bounty, perhaps we should wait until that effort is
>>>> > finished, otherwise we may end up fixing things twice.
>>>> >
>>>> > -kevin
>>>> >
>>>> > On Thu, Feb 11, 2016 at 1:04 AM, Timo Goosen <timo.goosen at owasp.org> wrote:
>>>> >>
>>>> >> "But in the meantime, here are a few resources to report your findings to
>>>> >> if you run into security issues (and I use "run into" with intention because
>>>> >> you would never just start actively testing a website for security without
>>>> >> permission in some way, right? Because doing so is a major criminal act in
>>>> >> most countries, right?)"
>>>> >> Depends. I've found bugs on sites before, unintentionally, just by clicking
>>>> >> around.
>>>> >>
>>>> >> On the idea of a bug bounty project for OWASP: the idea is good, but I
>>>> >> don't think that OWASP has the resources to deal with a bug bounty program
>>>> >> and the flood of reports that will be coming in. Researchers get very annoyed
>>>> >> if you don't respond promptly and take them seriously. Just something to
>>>> >> consider.
>>>> >>
>>>> >> Regards.
>>>> >> Timo
>>>> >>
>>>> >> On Thu, Feb 11, 2016 at 6:15 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>> >>>
>>>> >>> Folks,
>>>> >>>
>>>> >>> A few OWASP researchers have found bugs on OWASP's wiki and decided to
>>>> >>> disclose them in public over Twitter before reporting to OWASP.
>>>> >>>
>>>> >>> Can you please disclose to me or Matt Tesauro, or use the contact form, or
>>>> >>> do anything other than disclose in public before discussing this with OWASP
>>>> >>> IT staff and support?
>>>> >>>
>>>> >>> Also, Josh Sokol is in the middle of ramping up a more formal bug bounty
>>>> >>> program and will provide a more formal method for disclosure in the near
>>>> >>> future.
>>>> >>>
>>>> >>> But in the meantime, here are a few resources to report your findings to
>>>> >>> if you run into security issues (and I use "run into" with intention because
>>>> >>> you would never just start actively testing a website for security without
>>>> >>> permission in some way, right? Because doing so is a major criminal act in
>>>> >>> most countries, right?)
>>>> >>>
>>>> >>> Thanks all.
>>>> >>>
>>>> >>> Matt Tesauro: matt.tesauro at owasp.org
>>>> >>> Jim Manico: jim at owasp.org
>>>> >>> Contact Form: https://www.tfaforms.com/308703
>>>> >>>
>>>> >>> Aloha,
>>>> >>> Jim Manico
>>>> >>> OWASP Global Board Member
>>>> >>>
>>>> >>> _______________________________________________
>>>> >>> OWASP-Leaders mailing list
>>>> >>> OWASP-Leaders at lists.owasp.org
>>>> >>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>> >>>
>>>> >>
>>>> >>
>>>> >> _______________________________________________
>>>> >> Owasp-community mailing list
>>>> >> Owasp-community at lists.owasp.org
>>>> >> https://lists.owasp.org/mailman/listinfo/owasp-community
>>>> >>
>>>> >
>>>> >
>>>> >
>>>> > --
>>>> > Blog: http://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall
>>>> > NSA: All your crypto bit are belong to us.
>>>> >
>>>> >
>>>> >
>>>> >
>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Tom Brennan
>>>> Global Board of Directors
>>>> NYC/NJ Metro Chapter Leader
>>>> (d) 973-506-9304
>>>>
>>>> OWASP Foundation | www.owasp.org
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>>
>

