[Owasp-leaders] Kickoff: Bug Bounty Infra for OWASP

Andrew van der Stock vanderaj at owasp.org
Tue Jun 21 06:30:44 UTC 2016


John

I don't know if you read Josh's reply, but he clearly stated that this is
NOT happening right now.

As Josh stated -

"The Bug Bounty program for OWASP Infrastructure has been intentionally put
on hold for the time being.  The reason is that we have known issues that
need to be remediated, but Matt hasn't had the time to do it given his
limited cycles.  The Board has made a couple of changes that should impact
this over the next month or so and hopefully move this project in the right
direction.  Once we have a better handle on the current (known) issues,
then we can start exploring the Bug Bounty to find the unknown issues."

What will happen if you go ahead without permission is that zillions of
folks will run content discovery, spidering, and active scans on our stuff,
and the only result is that the systems go offline for them for about a day
or more as they are blacklisted by our automated attack response
mechanisms, but not before our infrastructure goes offline for all.  We
know we have issues; let's get those sorted before we open it up to high
hanging fruit rewards.

We have announcements in this area after another announcement that is due
at the F2F in Rome. Please wait. It's only like a week now.

thanks,
Andrew


On Tue, Jun 21, 2016 at 4:10 PM, John Patrick Lita <
john.patrick.lita at owasp.org> wrote:

> This is one of the great projects we have; it helps us make our Wiki more
> secure. My question is:
>
> Do we have a response team that can handle specific bug reports?
> The team that handles this project will receive a bunch of reports a
> day; how can we handle this?
> We can also start at a 100 USD minimum per bug, and the other reward amounts
> can depend on the impact and severity of the bug.
>
> We need to set the scope of the testing environment so that we can control
> it and easily identify the problem.
>
>
> *John Patrick Lita *
> Manager for cyber security and IT services
> OWASP Manila chapter chairman
> FB Page @OwaspManila <https://www.facebook.com/OwaspManila>
> *https://www.owasp.org/index.php/Manila
> <https://www.owasp.org/index.php/Manila>*
> <https://lists.owasp.org/mailman/listinfo/owasp-manila>
>
> On Tue, Jun 21, 2016 at 11:52 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> Johanna,
>>
>> The Bug Bounty program for OWASP Infrastructure has been intentionally
>> put on hold for the time being.  The reason is that we have known issues
>> that need to be remediated, but Matt hasn't had the time to do it given his
>> limited cycles.  The Board has made a couple of changes that should impact
>> this over the next month or so and hopefully move this project in the right
>> direction.  Once we have a better handle on the current (known) issues,
>> then we can start exploring the Bug Bounty to find the unknown issues.
>>
>> ~josh
>>
>> On Mon, Jun 20, 2016 at 9:41 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> Hi Frank, Josh
>>>
>>> I spoke today with BugCrowd team (Hunter + Jonathan Cran) regarding the
>>> Bug bounty program for OWASP.
>>>
>>> As you know, I'm working on the projects; however, not much traction
>>> has been made regarding the Bug Bounty for infra.
>>>
>>> I mentioned to Bugcrowd that the important piece for a bounty for infra
>>> is to have a mirror setup of Wiki+mailman, since we do not want attacks on the
>>> production environment.
>>>
>>> I think the first step is to make sure we are able to replicate the
>>> environment, checking with Matt Tesauro how we can do this and what is
>>> needed, and make a budget of the costs involved. Once the budget is in
>>> place, we can take a look at the organizations that volunteered to
>>> help us with this part.
>>>
>>> For those who volunteered in the past, please contact us to see how we
>>> can kick off the Bounty for OWASP infra.
>>>
>>> Cheers
>>>
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
>>>
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>