<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Matt Tesauro is the OWASP IT director and serves in that role. I
    have admin access at the wikimedia level, but Matt is the primary
    POC for wiki issues.<br>
    <br>
    Aloha,<br>
    Jim<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 2/11/16 10:24 PM, johanna curiel
      curiel wrote:<br>
    </div>
    <blockquote
cite="mid:CACxry_0=aNm6p0EFkcnz_DZAGT9GnMD_Y_zEf4JfR7ivXRKENQ@mail.gmail.com"
      type="cite">Even when volunteers want to fix issues, we have no
      admin rights to the system to update and fix the wiki.
      <div><br>
      </div>
      <div>Some weeks ago we set in motion an initiative so that staff
        creates an inventory of all portals/systems and who will be
        administrating this.</div>
      <div><br>
      </div>
      <div>In case of the wiki, who is/are the admins?</div>
      <div><br>
        <br>
        On Friday, February 12, 2016, Jim Manico <<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>>
        wrote:<br>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div bgcolor="#FFFFFF" text="#000000"> > we run around with
            our hands in the air when drama hits Twitter more than
            normal.<br>
            <br>
            I would rephrase that as "some of us who actually give a
            sh%t go and fix the problem as best we can"<br>
            <br>
            - Jim<br>
            <br>
            <div>On 2/11/16 9:52 PM, Andrew van der Stock wrote:<br>
            </div>
            <blockquote type="cite">
              <div dir="ltr">I think this also comes down to the
                infrastructure transformation that I've asked Matt T to
                get ready for us since our last F2F at AppSec USA. We
                need to simplify our IT fleet, and really get it behind
                a proper enterprise architecture, rather than a rag tag
                collection of out of date stuff that we inherit. We only
                have so much Matt T time to maintain this stuff, and so
                pen testing it without also addressing the root cause:
                we have no idea where all our stuff is, who has admin,
                how it authenticates, we don't monitor it for attacks,
                and we don't have an IR plan and we run around with our
                hands in the air when drama hits Twitter more than
                normal.
                <div><br>
                </div>
                <div>I want a transformation plan, where we have only
                  one of everything, and all the things we have is well
                  managed and monitored. This will reduce our IT costs,
                  and be better aligned with the resources we currently
                  allocate to this task. </div>
                <div><br>
                </div>
                <div>This is not rocket science. </div>
                <div><br>
                </div>
                <div>thanks,</div>
                <div>Andrew</div>
                <div><br>
                </div>
              </div>
              <div class="gmail_extra"><br>
                <div class="gmail_quote">On Fri, Feb 12, 2016 at 4:18
                  PM, Jim Manico <span dir="ltr"><<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>></span>
                  wrote:<br>
                  <blockquote class="gmail_quote" style="margin:0 0 0
                    .8ex;border-left:1px #ccc solid;padding-left:1ex">
                    <div bgcolor="#FFFFFF" text="#000000"> +1 Thank you
                      wall for security researchers who have helped us
                      find bugs!<br>
                      <br>
                      Good stuff Tom, thanks for getting this started.
                      I'm sure Josh will be especially interested in
                      this.<br>
                      <br>
                      Aloha,<br>
                      Jim
                      <div>
                        <div><br>
                          <br>
                          <br>
                          <div>On 2/11/16 9:13 AM, Tom Brennan - OWASP
                            wrote:<br>
                          </div>
                          <blockquote type="cite">Post-mortem of fixes
                            would be nice to have, and a wall of thank
                            you should be established, yes?
                            <div><br>
                            </div>
                            <div>*draft*<span></span></div>
                            <div><a moz-do-not-send="true"
                                href="https://www.owasp.org/index.php/About_OWASP/Bug_Bounty"
                                target="_blank">https://www.owasp.org/index.php/About_OWASP/Bug_Bounty</a><br>
                              <br>
                              Tom Brennan<br>
                              Global Board of Directors<br>
                              (d) <a moz-do-not-send="true"
                                href="tel:973-506-9304"
                                value="+19735069304" target="_blank">973-506-9304</a><br>
                              <br>
                              OWASP Foundation | <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.owasp.org" target="_blank">www.owasp.org</a><br>
                              <br>
                              <br>
                              On Thu, Feb 11, 2016 at 1:48 AM, Jim
                              Manico <<a moz-do-not-send="true" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>>
                              wrote:<br>
                              > Right, but two OWASP researchers
                              posted live bugs over Twitter today. We<br>
                              > have to deal with it Kevin. I'd
                              rather we know than not know, sooner than<br>
                              > later. One of the bugs noted I fixed
                              earlier today.<br>
                              ><br>
                              > Knowing is half the battle.<br>
                              ><br>
                              > Aloha,<br>
                              > Jim<br>
                              ><br>
                              ><br>
                              > On 2/10/16 10:14 PM, Kevin W. Wall
                              wrote:<br>
                              ><br>
                              > And to add to Timo's thoughts...if we
                              have an RFP to redo the OWASP site, if<br>
                              > we do put out a bug bounty, perhaps
                              we should wait until that effort is<br>
                              > finished, otherwise we may end up
                              fixing things twice.<br>
                              ><br>
                              > -kevin<br>
                              ><br>
                              > On Thu, Feb 11, 2016 at 1:04 AM, Timo
                              Goosen <<a moz-do-not-send="true" href="mailto:timo.goosen@owasp.org">timo.goosen@owasp.org</a>>
                              wrote:<br>
                              >><br>
                              >> "But in the meantime, here are a
                              few resources to report your findings to<br>
                              >> if you run into security issues
                              (and I use "run into" with intention
                              because<br>
                              >> you would never just start
                              actively testing a website for security
                              without<br>
                              >> permission in some way, right?
                              Because doing so is a major criminal act
                              in<br>
                              >> most countries, right?)"<br>
                              >> Depends. I've found bugs on sites
                              before, unintentionally just by clicking<br>
                              >> around.<br>
                              >><br>
                              >> On the idea of a bug bounty
                              project for OWASP. The idea is good, but I<br>
                              >> don't think that OWASP has the
                              resources to deal with a bug bounty
                              program<br>
                              >> and the flood of reports that
                              will be coming in. Researchers get very
                              annoyed<br>
                              >> if you don't respond promptly and
                              take them seriously. Just something to<br>
                              >> consider.<br>
                              >><br>
                              >> Regards.<br>
                              >> Timo<br>
                              >><br>
                              >> On Thu, Feb 11, 2016 at 6:15 AM,
                              Jim Manico <<a moz-do-not-send="true" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>>
                              wrote:<br>
                              >>><br>
                              >>> Folks,<br>
                              >>><br>
                              >>> A few OWASP researchers have
                              found bugs on OWASP's wiki and decided to<br>
                              >>> disclose them in public over
                              twitter before reporting to OWASP.<br>
                              >>><br>
                              >>> Can you please disclose to me
                              or Matt Tesauro or use the contact form or<br>
                              >>> do anything other than
                              disclose in public before discussing this
                              with OWASP<br>
                              >>> IT staff and support?<br>
                              >>><br>
                              >>> Also, Josh Sokol is in the
                              middle of ramping up a more formal bug
                              bounty<br>
                              >>> program and will provide a
                              more formal method for disclosure in the
                              near<br>
                              >>> future.<br>
                              >>><br>
                              >>> But in the meantime, here are
                              a few resources to report your findings to<br>
                              >>> if you run into security
                              issues (and I use "run into" with
                              intention because<br>
                              >>> you would never just start
                              actively testing a website for security
                              without<br>
                              >>> permission in some way,
                              right? Because doing so is a major
                              criminal act in<br>
                              >>> most countries, right?)<br>
                              >>><br>
                              >>> Thanks all.<br>
                              >>><br>
                              >>> Matt Tesauro: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:matt.tesauro@owasp.org">matt.tesauro@owasp.org</a><br>
                              >>> Jim Manico:  <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:jim@owasp.org">jim@owasp.org</a><br>
                              >>> Contact Form: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://www.tfaforms.com/308703" target="_blank">https://www.tfaforms.com/308703</a><br>
                              >>><br>
                              >>> Aloha,<br>
                              >>> Jim Manico<br>
                              >>> OWASP Global Board Member<br>
                              >>><br>
                              >>>
                              _______________________________________________<br>
                              >>> OWASP-Leaders mailing list<br>
                              >>> <a moz-do-not-send="true">OWASP-Leaders@lists.owasp.org</a><br>
                              >>> <a moz-do-not-send="true"
                                href="https://lists.owasp.org/mailman/listinfo/owasp-leaders"
                                target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
                              >>><br>
                              >><br>
                              >><br>
                              >>
                              _______________________________________________<br>
                              >> Owasp-community mailing list<br>
                              >> <a moz-do-not-send="true">Owasp-community@lists.owasp.org</a><br>
                              >> <a moz-do-not-send="true"
                                href="https://lists.owasp.org/mailman/listinfo/owasp-community"
                                target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-community</a><br>
                              >><br>
                              ><br>
                              ><br>
                              ><br>
                              > --<br>
                              > Blog: <a moz-do-not-send="true"
                                href="http://off-the-wall-security.blogspot.com/"
                                target="_blank">http://off-the-wall-security.blogspot.com/</a> 
                                | Twitter: @KevinWWall<br>
                              > NSA: All your crypto bit are belong
                              to us.<br>
                              ><br>
                              ><br>
                              ><br>
                              <br>
                            </div>
                            <br>
                            <br>
                            -- <br>
                            <br>
                            Tom Brennan<br>
                            Global Board of Directors <br>
                            NYC/NJ Metro Chapter Leader<br>
                            (d) <a moz-do-not-send="true"
                              href="tel:973-506-9304"
                              value="+19735069304" target="_blank">973-506-9304</a><br>
                            <br>
                            OWASP Foundation | <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.owasp.org" target="_blank">www.owasp.org</a><br>
                            <br>
                          </blockquote>
                          <br>
                        </div>
                      </div>
                    </div>
                    <br>
                    <br>
                  </blockquote>
                </div>
                <br>
              </div>
            </blockquote>
            <br>
          </div>
        </blockquote>
      </div>
    </blockquote>
    <br>
  </body>
</html>