[Owasp-leaders] Security Researcher Challenges

John Patrick Lita john.patrick.lita at owasp.org
Tue Feb 21 06:19:50 UTC 2017


I experience this many times, Munir,

It depends on the company's policy and management if they will allow those
conditions, since they have bounty or anything but to offer a license to
you.

Most of the time they need to get an approval from the management :)

On 21 Feb 2017 1:59 pm, "Munir Njiru" <munir.njiru at owasp.org> wrote:

> Hi Leaders,
>
> I was wondering what are the challenges you face when you find bugs in
> systems without bug bounty programs. I recently came across one and did my
> bit on responsible disclosure; the issue was with the licensing system
> which allowed me to create a perpetual license that never expires. After
> reporting I sought to get a recommendation that would actually work to
> build my research portfolio; they turned down my offers and opted for giving
> me a license instead. What I proposed to them were a few options:
>
>
>    - A badge showing that a bug was found by the security researcher (not
>    giving details of the bug)
>    - They do a hall of fame listing for researchers
>    - A recommendation letter saying that the researcher found a bug that
>    they have fixed after responsible disclosure
>
> The above would really work well to a security researcher's portfolio; but
> they are against it. Why, I don't know; have any of you come across similar
> challenges and how did you overcome them in turn?
>
> They ended up giving me this and going cold turkey.
>
> [image: Inline image 2]
>
>
> A one-year license as OWASP Kenya; when I could create a perpetual one
> this becomes a very low value additive to research, don't you think?
>
> Kind Regards,
> --
> Munir Njenga,
> OWASP Chapter Leader (Kenya) || Information Security Consultant ||
> Developer
> Mob   (KE) +254 (0) 734960670
>
> =============================
> Chapter Page: www.owasp.org/index.php/Kenya
> Email: munir.njiru at owasp.org
> Facebook: https://www.facebook.com/OWASP.Kenya
> Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-Kenya
>
>