[Owasp-leaders] Kickoff: Bug Bounty Infra for OWASP

John Patrick Lita john.patrick.lita at owasp.org
Tue Jun 21 06:10:01 UTC 2016


This is one of the great projects we have; it helps us to make our Wiki more
secure. My question is:

Do we have a response team that can handle specific bug reports?
The team who will handle this project will receive a bunch of reports in a
day; how can we handle this stuff?
We can also start at a 100 USD minimum per bug, and the other reward amounts can
depend on the impact and severity of the bug.

We need to set the scope of the testing environment so that we can control it
and easily identify the problem.


*John Patrick Lita *
Manager for cyber security and IT services
OWASP Manila chapter chairman
FB Page @OwaspManila <https://www.facebook.com/OwaspManila>
<https://www.owasp.org/index.php/Manila>
<https://lists.owasp.org/mailman/listinfo/owasp-manila>

On Tue, Jun 21, 2016 at 11:52 AM, Josh Sokol <josh.sokol at owasp.org> wrote:

> Johanna,
>
> The Bug Bounty program for OWASP Infrastructure has been intentionally put
> on hold for the time being.  The reason is that we have known issues that
> need to be remediated, but Matt hasn't had the time to do it given his
> limited cycles.  The Board has made a couple of changes that should impact
> this over the next month or so and hopefully move this project in the right
> direction.  Once we have a better handle on the current (known) issues,
> then we can start exploring the Bug Bounty to find the unknown issues.
>
> ~josh
>
> On Mon, Jun 20, 2016 at 9:41 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>> Hi Frank, Josh
>>
>> I spoke today with BugCrowd team (Hunter + Jonathan Cran) regarding the
>> Bug bounty program for OWASP.
>>
>> As you know, I'm working on the projects; however, not much traction
>> has been gained regarding the Bug Bounty for infra.
>>
>> I mentioned to Bugcrowd that the important piece for a bounty for infra
>> is to have a mirror setup of Wiki+mailman, since we do not want attacks on the
>> production environment.
>>
>> I think the first step is to make sure we are able to replicate the
>> environment, checking with Matt Tesauro how we can do this and what is
>> needed, and make a budget of the costs involved. Once the budget is in
>> place, then we can take a look at the organizations that volunteered to
>> help us with this part.
>>
>> For those who volunteered in the past, please contact us to see how
>> we can kick off the Bounty for OWASP infra.
>>
>> Cheers
>>
>> --
>> Johanna Curiel
>> OWASP Volunteer
>>