<div dir="ltr">Jim,<div><br></div><div>OWASP needs some technical resources urgently, that is clear. This is getting out of hand.</div><div><br></div><div>Outside the OWASP community, people expect that we practice what we preach. I have seen a trend here of rants on Twitter about security issues in OWASP projects and also on the wiki page. They poke fun at us. These issues were reported back in December.</div><div><br></div><div>The fact that we have poor resources to manage this makes OWASP vulnerable. I should add this to any 'Top risk-list' OWASP projects are working on 😝:</div><div><i>If your company has no resources to fix the security issues, this constitutes a high risk to your enterprise.</i></div><div><br></div><div>We are a bunch of security 'experts' preaching security but not executing it; we have XSS on the same wiki site where we preach 'XSS' security. It is really funny when you look at it.<br></div><div><br></div><div>Agree with Timo that bug hunting won't help fix issues. We need resources, people working on fixing things.</div><div>Agree with Kevin that we need a cohesive approach on this issue and not loosely coupled actions that lead nowhere.</div><div><br></div><div>I think management needs to make this a priority.</div><div><br></div><div>Cheers</div><div><br></div><div>Johanna</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Feb 11, 2016 at 2:48 AM, Jim Manico <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    Right, but two OWASP researchers posted live bugs over Twitter
    today. We have to deal with it Kevin. I'd rather we know than not
    know, sooner than later. One of the bugs noted I fixed earlier
    today. <br>
    <br>
    Knowing is half the battle.<br>
    <br>
    Aloha,<br>
    Jim<div><div class="h5"><br>
    <br>
    <div>On 2/10/16 10:14 PM, Kevin W. Wall
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div class="gmail_default" style="font-family:monospace,monospace">And to add to Timo's
          thoughts...if we have an RFP to redo the OWASP site, if we do
          put out a bug bounty, perhaps we should wait until that effort
          is finished, otherwise we may end up fixing things twice.<br>
          <br>
        </div>
        <div class="gmail_default" style="font-family:monospace,monospace">-kevin<br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Thu, Feb 11, 2016 at 1:04 AM, Timo
          Goosen <span dir="ltr"><<a href="mailto:timo.goosen@owasp.org" target="_blank">timo.goosen@owasp.org</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr"><span>"<span style="font-size:12.8px">But in the meantime, here are
                  a few resources to report your findings to if you run
                  into security issues (and I use "run into" with
                  intention because you would never just start actively
                  testing a website for security without permission in
                  some way, right? Because doing so is a major criminal
                  act in most countries, right?)"</span></span>
              <div><span style="font-size:12.8px">Depends. I've found
                  bugs on sites before, unintentionally just by clicking
                  around.  </span></div>
              <div><span style="font-size:12.8px"><br>
                </span></div>
              <div><span style="font-size:12.8px">On the idea of a bug
                  bounty project for OWASP. The idea is good, but I
                  don't think that OWASP has the resources to deal with
                  a bug bounty program and the flood of reports that
                  will be coming in. Researchers get very annoyed if you
                  don't respond promptly and take them seriously. Just
                  something to consider.</span></div>
              <div><span style="font-size:12.8px"><br>
                </span></div>
              <div><span style="font-size:12.8px">Regards.</span></div>
              <div><span style="font-size:12.8px">Timo</span></div>
            </div>
            <div class="gmail_extra"><br>
              <div class="gmail_quote">
                <div>
                  <div>On Thu, Feb 11, 2016 at 6:15 AM, Jim
                    Manico <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span>
                    wrote:<br>
                  </div>
                </div>
                <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                  <div>
                    <div>
                      <div bgcolor="#FFFFFF" text="#000000"> Folks,<br>
                        <br>
                        A few OWASP researchers have found bugs on
                        OWASP's wiki and decided to disclose them in
                        public over twitter before reporting to OWASP.<br>
                        <br>
                        Can you please disclose to me or Matt Tesauro or
                        use the contact form or do anything other than
                        disclose in public before discussing this with
                        OWASP IT staff and support?<br>
                        <br>
                        Also, Josh Sokol is in the middle of ramping up
                        a more formal bug bounty program and will
                        provide a more formal method for disclosure in
                        the near future.<br>
                        <br>
                        But in the meantime, here are a few resources to
                        report your findings to if you run into security
                        issues (and I use "run into" with intention
                        because you would never just start actively
                        testing a website for security without
                        permission in some way, right? Because doing so
                        is a major criminal act in most countries,
                        right?)<br>
                        <br>
                        Thanks all.<br>
                        <ul>
                          <li>Matt Tesauro: <a href="mailto:matt.tesauro@owasp.org" target="_blank">matt.tesauro@owasp.org</a></li>
                          <li>Jim Manico:  <a href="mailto:jim@owasp.org" target="_blank">jim@owasp.org</a></li>
                          <li>Contact Form: <a href="https://www.tfaforms.com/308703" target="_blank">https://www.tfaforms.com/308703</a></li>
                        </ul>
                        Aloha,<br>
                        Jim Manico<br>
                        OWASP Global Board Member<br>
                      </div>
                      <br>
                    </div>
                  </div>
                  _______________________________________________<br>
                  OWASP-Leaders mailing list<br>
                  <a href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank">OWASP-Leaders@lists.owasp.org</a><br>
                  <a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" rel="noreferrer" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
                  <br>
                </blockquote>
              </div>
              <br>
            </div>
            <br>
            _______________________________________________<br>
            Owasp-community mailing list<br>
            <a href="mailto:Owasp-community@lists.owasp.org" target="_blank">Owasp-community@lists.owasp.org</a><br>
            <a href="https://lists.owasp.org/mailman/listinfo/owasp-community" rel="noreferrer" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-community</a><br>
            <br>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <br>
        -- <br>
        <div>
          <div dir="ltr">
            <div>Blog: <a href="http://off-the-wall-security.blogspot.com/" target="_blank">http://off-the-wall-security.blogspot.com/</a>   
              | Twitter: @KevinWWall<br>
              NSA: All your crypto bit are belong to us.</div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
  </div></div></div>

<br></blockquote></div><br></div>