[Owasp-leaders] Kickoff: Bug Bounty Infra for OWASP

johanna curiel curiel johanna.curiel at owasp.org
Tue Jun 21 11:31:37 UTC 2016


John,

To clarify your questions:

*>>Do we have a response team that can handle specific bug report?*

Yes, that will be BugCrowd team, who is helping us with setting up the Bug
Bounty for OWASP projects and hopefully the infrastructure in the future:
https://www.owasp.org/index.php/Bug_Bounty_Projects

*>>The team who will handle this Project will receive a bunch of report in
a day, how can we handle this stuff?*

BugCrowd team will do that, but there are some members that have
volunteered for that part too, check this out:
https://www.owasp.org/index.php/Help_Secure_Owasp_assests

*>>we can also start 100 USD minimum in bug, and the other reward amount
can depend on the impact and severity the bug.*

No , this is about hacking for Charity ;-) and fame.

*>>we need to set scope's of the testing environment so that we can control
and easy to identify the problem.*

Thats the part Matt who knows the system can help provide but is going to
cost. Ideally we need to setup a mirror environment to avoid attacks on the
infra for this reason. Josh answered part of this already

On Tue, Jun 21, 2016 at 4:00 AM, John Patrick Lita <
john.patrick.lita at owasp.org> wrote:

> yes sir i already read that :)
> just my thought if this project will go through :)
>
> *John Patrick Lita *
> Manager for cyber security and IT services
> OWASP Manila chapter chairman
> FB Page @OwaspManila <https://www.facebook.com/OwaspManila>
> *https://www.owasp.org/index.php/Manila
> <https://www.owasp.org/index.php/Manila>*
> <https://lists.owasp.org/mailman/listinfo/owasp-manila>
>
> On Tue, Jun 21, 2016 at 2:30 PM, Andrew van der Stock <vanderaj at owasp.org>
> wrote:
>
>> John
>>
>> I don't know if you read Josh's reply, but he clearly stated that this is
>> NOT happening right now.
>>
>> As Josh stated -
>>
>> "The Bug Bounty program for OWASP Infrastructure has been intentionally
>> put on hold for the time being.  The reason is that we have known issues
>> that need to be remediated, but Matt hasn't had the time to do it given his
>> limited cycles.  The Board has made a couple of changes that should impact
>> this over the next month or so and hopefully move this project in the right
>> direction.  Once we have a better handle on the current (known) issues,
>> then we can start exploring the Bug Bounty to find the unknown issues."
>>
>> What will happen if you go ahead without permission is that zillions of
>> folks will run content discovery, spidering, and active scans on our stuff,
>> and the only result is that the systems go offline for them for about a day
>> or more as they are blacklisted by our automated attack response
>> mechanisms, but not before our infrastructure goes offline for all.  We
>> know we have issues, let's get those sorted before we open it up to high
>> hanging fruit rewards.
>>
>> We have announcements in this area after another announcement that is due
>> at the F2F in Rome. Please wait. It's only like a week now.
>>
>> thanks,
>> Andrew
>>
>>
>> On Tue, Jun 21, 2016 at 4:10 PM, John Patrick Lita <
>> john.patrick.lita at owasp.org> wrote:
>>
>>> This is one of a great project we have, it help us to make our Wiki more
>>> secure, my question is
>>>
>>> Do we have a response team that can handle specific bug report?
>>> The team who will handle this Project will receive a bunch of report in
>>> a day, how can we handle this stuff?
>>> we can also start 100 USD minimum in bug, and the other reward amount
>>> can depend on the impact and severity the bug.
>>>
>>> we need to set scope's of the testing environment so that we can control
>>> and easy to identify the problem.
>>>
>>>
>>> *John Patrick Lita *
>>> Manager for cyber security and IT services
>>> OWASP Manila chapter chairman
>>> FB Page @OwaspManila <https://www.facebook.com/OwaspManila>
>>> *https://www.owasp.org/index.php/Manila
>>> <https://www.owasp.org/index.php/Manila>*
>>> <https://lists.owasp.org/mailman/listinfo/owasp-manila>
>>>
>>> On Tue, Jun 21, 2016 at 11:52 AM, Josh Sokol <josh.sokol at owasp.org>
>>> wrote:
>>>
>>>> Johanna,
>>>>
>>>> The Bug Bounty program for OWASP Infrastructure has been intentionally
>>>> put on hold for the time being.  The reason is that we have known issues
>>>> that need to be remediated, but Matt hasn't had the time to do it given his
>>>> limited cycles.  The Board has made a couple of changes that should impact
>>>> this over the next month or so and hopefully move this project in the right
>>>> direction.  Once we have a better handle on the current (known) issues,
>>>> then we can start exploring the Bug Bounty to find the unknown issues.
>>>>
>>>> ~josh
>>>>
>>>> On Mon, Jun 20, 2016 at 9:41 PM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>> Hi Frank, Josh
>>>>>
>>>>> I spoke today with BugCrowd team (Hunter + Jonathan Cran) regarding
>>>>> the Bug bounty program for OWASP.
>>>>>
>>>>> As you known, I'm working on the projects , however not so
>>>>> much traction has been done regarding the Bug Bounty for infra.
>>>>>
>>>>> I mentioned to Bugcrowd that the important piece for a bounty for
>>>>> infra is to have mirror setup of Wiki+mailman since we do not want attacks
>>>>> on the production environment.
>>>>>
>>>>> I think the first step is to make sure we are able to replicate the
>>>>> environment  checking with Matt Tesauro how can we do this and what is
>>>>> needed and make a budget of the costs involved . Once the budget is in
>>>>> place, then we can take a look of the organizations that volunteered to
>>>>> help us with this part.
>>>>>
>>>>> For those who volunteered in the past, please contact us to see how
>>>>> can we kickoff the Bounty for OWASP infra.
>>>>>
>>>>> Cheers
>>>>>
>>>>> --
>>>>> Johanna Curiel
>>>>> OWASP Volunteer
>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>>
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>


-- 
Johanna Curiel
OWASP Volunteer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20160621/b835e19b/attachment-0001.html>


More information about the OWASP-Leaders mailing list