[Owasp-leaders] Security Researcher Challenges

Munir Njiru munir.njiru at owasp.org
Tue Feb 21 06:24:38 UTC 2017


I thought I was making it easier for them by asking for a letter of recommendation
:D The letter would only cost them the management signature, but I guess it's
the pain of a security researcher. Because if they had gone that way I'm still a
potential customer to buy the license at their whopping price of $5,950.


On Tue, Feb 21, 2017 at 9:19 AM, John Patrick Lita <
john.patrick.lita at owasp.org> wrote:

> I experience this many times, Munir.
>
> It depends on the company's policy and management whether they will allow those
> conditions, since they have a bounty or anything other than offering a license to
> you.
>
> Most of the time they need to get approval from the management :)
>
> On 21 Feb 2017 1:59 pm, "Munir Njiru" <munir.njiru at owasp.org> wrote:
>
>> Hi Leaders,
>>
>> I was wondering what challenges you face when you find bugs in
>> systems without bug bounty programs. I recently came across one and did my
>> bit on responsible disclosure; the issue was with the licensing system,
>> which allowed me to create a perpetual license that never expires. After
>> reporting, I sought to get a recommendation that would actually work to
>> build my research portfolio; they turned down my offers and opted for giving
>> me a license instead. What I proposed to them were a few options:
>>
>>
>>    - A badge showing that a bug was found by the security researcher
>>    (not giving details of the bug)
>>    - They do a hall of fame listing for researchers
>>    - A recommendation letter saying that the researcher found a bug that
>>    they have fixed after responsible disclosure
>>
>> The above would really work well for a security researcher's portfolio,
>> but they are against it. Why, I don't know; have any of you come across
>> similar challenges, and how did you overcome them in turn?
>>
>> They ended up giving me this and going cold turkey.
>>
>> [image: Inline image 2]
>>
>>
>> A one-year license as OWASP Kenya; when I could create a perpetual one,
>> this becomes a very low-value addition to research, don't you think?
>>
>> Kind Regards,
>> --
>> Munir Njenga,
>> OWASP Chapter Leader (Kenya) || Information Security Consultant ||
>> Developer
>> Mob   (KE) +254 (0) 734960670
>>
>> =============================
>> Chapter Page: www.owasp.org/index.php/Kenya
>> Email: munir.njiru at owasp.org
>> Facebook: https://www.facebook.com/OWASP.Kenya
>> Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-Kenya
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>


-- 
Munir Njenga,
OWASP Chapter Leader (Kenya) || Information Security Consultant || Developer
Mob   (KE) +254 (0) 734960670

=============================
Chapter Page: www.owasp.org/index.php/Kenya
Email: munir.njiru at owasp.org
Facebook: https://www.facebook.com/OWASP.Kenya
Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-Kenya