Research page on Web Security Ratings and Disclosure Policies

This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.

New OWASP Project details

see How to Start an OWASP Project

Project ideas & brainstorming:

Create an OWASP project around:

• Idea for Owasp Standard for public rating of an website's security profile
• Comment on OWASP testing and disclosure levels

Other relevant OWASP projects

• OWASP Positive Security Project

Research link

Public Disclosure Policies (by Commercial websites)

• Paypal Site Security Researchers
• Facebook Report a Possible Security Vulnerability
• Salesforce.com Vulnerability Reporting Policy
• Wesabe Contacting Security - We want to hear from you (security@wesabe.com, GPG key
• Microsoft Report a Vulnerability
• 37signals Security Response
• Mozilla Mozilla Bug Bounty Program

Other Links

• Security Disclosure Policies That Remove Chilling Effects
• Some Comments on PayPal's Security Vulnerability Disclosure Policy
• Communicating a Site Security Policy
• An ethical framework for information security research
• Disclosure policies – what constitutes “responsible” disclosure, vs irresponsible disclosure?
• Disclosure Samsara The Endless Responsible Vulnerability Disclosure Debate (Slides 32-34 have responsible disclosure recommendations for organizations)

Questions to answer

Question: What types of vulnerability testing is implicitly allowed? (XSS, SQLi,,XSRF)