[Owasp-leaders] Kickoff: Bug Bounty Infra for OWASP

John Patrick Lita john.patrick.lita at owasp.org
Tue Jun 21 08:00:23 UTC 2016


Yes sir, I already read that :)
Just my thought, if this project will go through :)

John Patrick Lita
Manager for cyber security and IT services
OWASP Manila chapter chairman
FB Page @OwaspManila <https://www.facebook.com/OwaspManila>
<https://www.owasp.org/index.php/Manila>
<https://lists.owasp.org/mailman/listinfo/owasp-manila>

On Tue, Jun 21, 2016 at 2:30 PM, Andrew van der Stock <vanderaj at owasp.org>
wrote:

> John
>
> I don't know if you read Josh's reply, but he clearly stated that this is
> NOT happening right now.
>
> As Josh stated -
>
> "The Bug Bounty program for OWASP Infrastructure has been intentionally
> put on hold for the time being.  The reason is that we have known issues
> that need to be remediated, but Matt hasn't had the time to do it given his
> limited cycles.  The Board has made a couple of changes that should impact
> this over the next month or so and hopefully move this project in the right
> direction.  Once we have a better handle on the current (known) issues,
> then we can start exploring the Bug Bounty to find the unknown issues."
>
> What will happen if you go ahead without permission is that zillions of
> folks will run content discovery, spidering, and active scans on our stuff,
> and the only result is that the systems go offline for them for about a day
> or more as they are blacklisted by our automated attack response
> mechanisms, but not before our infrastructure goes offline for all.  We
> know we have issues, let's get those sorted before we open it up to high
> hanging fruit rewards.
>
> We have announcements in this area after another announcement that is due
> at the F2F in Rome. Please wait. It's only like a week now.
>
> thanks,
> Andrew
>
>
> On Tue, Jun 21, 2016 at 4:10 PM, John Patrick Lita <
> john.patrick.lita at owasp.org> wrote:
>
>> This is one of the great projects we have; it helps us make our Wiki more
>> secure. My question is:
>>
>> Do we have a response team that can handle specific bug reports?
>> The team who will handle this project will receive a bunch of reports in a
>> day; how can we handle this stuff?
>> We can also start at a 100 USD minimum per bug, and the other reward amounts can
>> depend on the impact and severity of the bug.
>>
>> We need to set the scope of the testing environment so that we can control
>> it and easily identify the problem.
>>
>>
>> On Tue, Jun 21, 2016 at 11:52 AM, Josh Sokol <josh.sokol at owasp.org>
>> wrote:
>>
>>> Johanna,
>>>
>>> The Bug Bounty program for OWASP Infrastructure has been intentionally
>>> put on hold for the time being.  The reason is that we have known issues
>>> that need to be remediated, but Matt hasn't had the time to do it given his
>>> limited cycles.  The Board has made a couple of changes that should impact
>>> this over the next month or so and hopefully move this project in the right
>>> direction.  Once we have a better handle on the current (known) issues,
>>> then we can start exploring the Bug Bounty to find the unknown issues.
>>>
>>> ~josh
>>>
>>> On Mon, Jun 20, 2016 at 9:41 PM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>> Hi Frank, Josh
>>>>
>>>> I spoke today with BugCrowd team (Hunter + Jonathan Cran) regarding
>>>> the Bug bounty program for OWASP.
>>>>
>>>> As you know, I'm working on the projects; however, not much
>>>> traction has been made regarding the Bug Bounty for infra.
>>>>
>>>> I mentioned to Bugcrowd that the important piece for a bounty for infra
>>>> is to have a mirror setup of Wiki+mailman, since we do not want attacks on the
>>>> production environment.
>>>>
>>>> I think the first step is to make sure we are able to replicate the
>>>> environment, checking with Matt Tesauro how we can do this and what is
>>>> needed, and make a budget of the costs involved. Once the budget is in
>>>> place, then we can take a look at the organizations that volunteered to
>>>> help us with this part.
>>>>
>>>> For those who volunteered in the past, please contact us to see how we can
>>>> kick off the Bounty for OWASP infra.
>>>>
>>>> Cheers
>>>>
>>>> --
>>>> Johanna Curiel
>>>> OWASP Volunteer
>>>>
>>>
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>