<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40"
xmlns:ns6="http://schemas.microsoft.com/office/2004/12/omml">

<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--a:link
        {mso-style-priority:99;}
span.MSOHYPERLINK
        {mso-style-priority:99;}
a:visited
        {mso-style-priority:99;}
span.MSOHYPERLINKFOLLOWED
        {mso-style-priority:99;}
p.MSOACETATE
        {mso-style-priority:99;}
li.MSOACETATE
        {mso-style-priority:99;}
div.MSOACETATE
        {mso-style-priority:99;}
p.MSOLISTPARAGRAPH
        {mso-style-priority:34;}
li.MSOLISTPARAGRAPH
        {mso-style-priority:34;}
div.MSOLISTPARAGRAPH
        {mso-style-priority:34;}
span.BALLOONTEXTCHAR
        {mso-style-priority:99;}

 /* Font Definitions */
 @font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:Calibri;}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:Tahoma;}
span.BalloonTextChar
        {font-family:Tahoma;}
p.msolistparagraph, li.msolistparagraph, div.msolistparagraph
        {margin-top:0in;
        margin-right:0in;
        margin-bottom:0in;
        margin-left:.5in;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:Calibri;}
span.EmailStyle20
        {mso-style-type:personal;
        font-family:Calibri;
        color:windowtext;}
span.EmailStyle21
        {mso-style-type:personal;
        font-family:Calibri;
        color:#1F497D;}
span.EmailStyle22
        {mso-style-type:personal;
        font-family:Calibri;
        color:#1F497D;}
span.EmailStyle23
        {mso-style-type:personal-reply;
        font-family:Arial;
        color:blue;
        font-weight:normal;
        font-style:normal;
        text-decoration:none none;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
        {page:Section1;}
 /* List Definitions */
 @list l0
        {mso-list-id:557202907;
        mso-list-type:hybrid;
        mso-list-template-ids:1058989902 1828865572 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
        {mso-level-start-at:20;
        mso-level-number-format:bullet;
        mso-level-text:\F0B7;
        mso-level-tab-stop:none;
        mso-level-number-position:left;
        text-indent:-.25in;
        font-family:Symbol;
        mso-fareast-font-family:Calibri;
        mso-bidi-font-family:"Times New Roman";}
@list l0:level2
        {mso-level-tab-stop:1.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level3
        {mso-level-tab-stop:1.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level4
        {mso-level-tab-stop:2.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level5
        {mso-level-tab-stop:2.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level6
        {mso-level-tab-stop:3.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level7
        {mso-level-tab-stop:3.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level8
        {mso-level-tab-stop:4.0in;
        mso-level-number-position:left;
        text-indent:-.25in;}
@list l0:level9
        {mso-level-tab-stop:4.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
11.0pt;font-family:Arial;color:blue'>Jeff<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
11.0pt;font-family:Arial;color:blue'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
11.0pt;font-family:Arial;color:blue'>It&#8217;s an interesting idea. The question
I have is what&#8217;s in it for the companies? In other words, if they sign up
for full disclosure, how does that help them? Most of the commercial software
vendors, like Microsoft, Oracle, and others, want vulnerabilities disclosed
privately so they have time to fix them. Analysts like Gartner also talk about
Responsible Vulnerability Disclosure policies. And does it mean that anyone can
scan their Web sites using injection attacks to find vulnerabilities? There are
all kinds of issues associated with that.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
11.0pt;font-family:Arial;color:blue'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
11.0pt;font-family:Arial;color:blue'>Thanks<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
11.0pt;font-family:Arial;color:blue'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
11.0pt;font-family:Arial;color:blue'>Mandeep Khera<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
11.0pt;font-family:Arial;color:blue'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color=blue face=Arial><span style='font-size:
11.0pt;font-family:Arial;color:blue'><o:p>&nbsp;</o:p></span></font></p>

<div>

<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt;font-family:"Times New Roman"'>

<hr size=2 width="100%" align=center tabindex=-1>

</span></font></div>

<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
owasp-leaders-bounces@lists.owasp.org
[mailto:owasp-leaders-bounces@lists.owasp.org] <b><span style='font-weight:
bold'>On Behalf Of </span></b>Jeff Williams<br>
<b><span style='font-weight:bold'>Sent:</span></b> Monday, December 21, 2009
7:55 AM<br>
<b><span style='font-weight:bold'>To:</span></b> owasp-leaders@lists.owasp.org<br>
<b><span style='font-weight:bold'>Subject:</span></b> [Owasp-leaders] OWASP
testing and disclosure levels</span></font><font size=3 face="Times New Roman"><span
style='font-size:12.0pt;font-family:"Times New Roman"'><o:p></o:p></span></font></p>

</div>

<p class=MsoNormal><font size=2 face=Calibri><span style='font-size:11.0pt'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'>I saw some twittering about this sort of
thing over the weekend&#8230;<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'>The basic idea is that we could create
some OWASP standards around the way that companies allow their websites to be
tested/scanned/reviewed and how they want to handle disclosure of issues that
are discovered.&nbsp; Companies could choose the standard they want to follow
and it would encourage people to make that choice explicit and public
(visible).<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'>We could do this pretty easily in the
OWASP Legal Project &#8211; the way that Creative Commons defined some IP
licenses and released them.&nbsp; I&#8217;m just not sure what the current
practices are.&nbsp; Has anyone catalogued a list of companies with either testing
or disclosure policies?&nbsp; See <a
href="http://www.microsoft.com/security/msrc/report/disclosure.aspx">Microsoft
policies</a>.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'>Just as an off-the-top-of-the-head
brainstorm, what do you think of these? Of course we&#8217;d have to specify
these carefully and fully.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=msolistparagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><font
size=2 color="#1f497d" face=Symbol><span style='font-size:11.0pt;font-family:
Symbol;color:#1F497D'><span style='mso-list:Ignore'>&middot;<font size=1
face="Times New Roman"><span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font color="#1f497d"><span
style='color:#1F497D'>Full Disclosure &#8211; disclose anything you find<o:p></o:p></span></font></p>

<p class=msolistparagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><font
size=2 color="#1f497d" face=Symbol><span style='font-size:11.0pt;font-family:
Symbol;color:#1F497D'><span style='mso-list:Ignore'>&middot;<font size=1
face="Times New Roman"><span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font color="#1f497d"><span
style='color:#1F497D'>Responsible Disclosure &#8211; work with us please<o:p></o:p></span></font></p>

<p class=msolistparagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><font
size=2 color="#1f497d" face=Symbol><span style='font-size:11.0pt;font-family:
Symbol;color:#1F497D'><span style='mso-list:Ignore'>&middot;<font size=1
face="Times New Roman"><span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font color="#1f497d"><span
style='color:#1F497D'>Private Disclosure &#8211; send it to us and pray<o:p></o:p></span></font></p>

<p class=msolistparagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><font
size=2 color="#1f497d" face=Symbol><span style='font-size:11.0pt;font-family:
Symbol;color:#1F497D'><span style='mso-list:Ignore'>&middot;<font size=1
face="Times New Roman"><span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font color="#1f497d"><span
style='color:#1F497D'>No Disclosure &#8211; we will hunt you down and kill you<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=msolistparagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><font
size=2 color="#1f497d" face=Symbol><span style='font-size:11.0pt;font-family:
Symbol;color:#1F497D'><span style='mso-list:Ignore'>&middot;<font size=1
face="Times New Roman"><span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font color="#1f497d"><span
style='color:#1F497D'>Fully Open &#8211; code review + test all you want<o:p></o:p></span></font></p>

<p class=msolistparagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><font
size=2 color="#1f497d" face=Symbol><span style='font-size:11.0pt;font-family:
Symbol;color:#1F497D'><span style='mso-list:Ignore'>&middot;<font size=1
face="Times New Roman"><span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font color="#1f497d"><span
style='color:#1F497D'>Open Code Review &#8211; we&#8217;ll let you review the
source and test all you want**<o:p></o:p></span></font></p>

<p class=msolistparagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><font
size=2 color="#1f497d" face=Symbol><span style='font-size:11.0pt;font-family:
Symbol;color:#1F497D'><span style='mso-list:Ignore'>&middot;<font size=1
face="Times New Roman"><span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font color="#1f497d"><span
style='color:#1F497D'>Open Test &#8211; test with your account all you
want<o:p></o:p></span></font></p>

<p class=msolistparagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><font
size=2 color="#1f497d" face=Symbol><span style='font-size:11.0pt;font-family:
Symbol;color:#1F497D'><span style='mso-list:Ignore'>&middot;<font size=1
face="Times New Roman"><span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font color="#1f497d"><span
style='color:#1F497D'>Staged Test &#8211; register and we&#8217;ll let you test
on a non-production system<o:p></o:p></span></font></p>

<p class=msolistparagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><font
size=2 color="#1f497d" face=Symbol><span style='font-size:11.0pt;font-family:
Symbol;color:#1F497D'><span style='mso-list:Ignore'>&middot;<font size=1
face="Times New Roman"><span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font color="#1f497d"><span
style='color:#1F497D'>No Testing &#8211; you are an evil hacker<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'>** Note: I have already drafted an
&#8220;OWASP Open Code Review&#8221; license that grants people the rights they
need to do a source code review without giving up ownership or other legal
rights.<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'>We could combine these into a few
interesting combinations&#8230;<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=msolistparagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><font
size=2 color="#1f497d" face=Symbol><span style='font-size:11.0pt;font-family:
Symbol;color:#1F497D'><span style='mso-list:Ignore'>&middot;<font size=1
face="Times New Roman"><span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font color="#1f497d"><span
style='color:#1F497D'>OWASP Open Security Program &#8211; Fully open review +
full disclosure<o:p></o:p></span></font></p>

<p class=msolistparagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><font
size=2 color="#1f497d" face=Symbol><span style='font-size:11.0pt;font-family:
Symbol;color:#1F497D'><span style='mso-list:Ignore'>&middot;<font size=1
face="Times New Roman"><span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font color="#1f497d"><span
style='color:#1F497D'>OWASP Shared Security Program &#8211; Open testing +
responsible disclosure<o:p></o:p></span></font></p>

<p class=msolistparagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><font
size=2 color="#1f497d" face=Symbol><span style='font-size:11.0pt;font-family:
Symbol;color:#1F497D'><span style='mso-list:Ignore'>&middot;<font size=1
face="Times New Roman"><span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font color="#1f497d"><span
style='color:#1F497D'>OWASP Private Security Program &#8211; Staged Testing +
private disclosure<o:p></o:p></span></font></p>

<p class=msolistparagraph style='text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><font
size=2 color="#1f497d" face=Symbol><span style='font-size:11.0pt;font-family:
Symbol;color:#1F497D'><span style='mso-list:Ignore'>&middot;<font size=1
face="Times New Roman"><span style='font:7.0pt "Times New Roman"'>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span></font></span></span></font><![endif]><font color="#1f497d"><span
style='color:#1F497D'>OWASP &#8220;Trust Us&#8221; <u>Insecurity</u> Program
&#8211; No testing + no disclosure<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><img border=0 width=570 height=134
id="Picture_x005f_x0020_2" src="cid:image002.gif@01CA8242.9ED74180"><o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'>Note that this is NOT a certification
program.&nbsp; This is a way for companies to *<b><span style='font-weight:
bold'>declare</span></b>* their approach to security.&nbsp; Your thoughts
welcome&#8230;<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'>--Jeff<o:p></o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

<p class=MsoNormal><font size=2 color="#1f497d" face=Calibri><span
style='font-size:11.0pt;color:#1F497D'><o:p>&nbsp;</o:p></span></font></p>

</div>

</body>

</html>