[Owasp-leaders] Security Researcher Challenges

John Patrick Lita john.patrick.lita at owasp.org
Thu Feb 23 08:40:00 UTC 2017


Well, in my experience I don't receive anything from them, not even a reply
saying thanks for reporting.

On 21 Feb 2017 2:24 pm, "Munir Njiru" <munir.njiru at owasp.org> wrote:

> I thought I was making it easier for them by asking for a letter of
> recommendation :D The letter would only cost them the management signature,
> but I guess it's the pain of a security researcher. Because if they had gone
> that way I'm still a potential customer to buy the license at their whopping
> price of $5,950.
>
>
> On Tue, Feb 21, 2017 at 9:19 AM, John Patrick Lita <
> john.patrick.lita at owasp.org> wrote:
>
>> I experience this many times, Munir.
>>
>> It depends on the company's policy and management whether they will allow
>> those conditions, since they have no bounty or anything to offer you but a
>> license.
>>
>> Most of the time they need to get approval from the management :)
>>
>> On 21 Feb 2017 1:59 pm, "Munir Njiru" <munir.njiru at owasp.org> wrote:
>>
>>> Hi Leaders,
>>>
>>> I was wondering what challenges you face when you find bugs in
>>> systems without bug bounty programs. I recently came across one and did my
>>> bit on responsible disclosure; the issue was with the licensing system,
>>> which allowed me to create a perpetual license that never expires. After
>>> reporting, I sought to get a recommendation that would actually work to
>>> build my research portfolio; they turned down my offers and opted for giving
>>> me a license instead. What I proposed to them were a few options:
>>>
>>>
>>>    - A badge showing that a bug was found by the security researcher
>>>    (not giving details of the bug)
>>>    - They do a hall of fame listing for researchers
>>>    - A recommendation letter saying that the researcher found a bug
>>>    that they have fixed after responsible disclosure
>>>
>>> The above would really work well for a security researcher's portfolio,
>>> but they are against it. Why, I don't know; have any of you come across
>>> similar challenges, and how did you overcome them in turn?
>>>
>>> They ended up giving me this and going cold turkey.
>>>
>>> [image: Inline image 2]
>>>
>>>
>>> A one-year license as OWASP Kenya; when I could create a perpetual one,
>>> this becomes a very low-value addition to research, don't you think?
>>>
>>> Kind Regards,
>>> --
>>> Munir Njenga,
>>> OWASP Chapter Leader (Kenya) || Information Security Consultant ||
>>> Developer
>>> Mob   (KE) +254 (0) 734960670 <+254%20734%20960670>
>>>
>>> =============================
>>> Chapter Page: www.owasp.org/index.php/Kenya
>>> Email: munir.njiru at owasp.org
>>> Facebook: https://www.facebook.com/OWASP.Kenya
>>> Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-Kenya
>>>
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>
>
> --
> Munir Njenga,
> OWASP Chapter Leader (Kenya) || Information Security Consultant ||
> Developer
> Mob   (KE) +254 (0) 734960670 <+254%20734%20960670>
>
> =============================
> Chapter Page: www.owasp.org/index.php/Kenya
> Email: munir.njiru at owasp.org
> Facebook: https://www.facebook.com/OWASP.Kenya
> Mailing List: https://lists.owasp.org/mailman/listinfo/owasp-Kenya
>
>

