This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Research page on Web Security Ratings and Disclosure Policies
From OWASP
Revision as of 13:52, 12 January 2010 by Craig Ingram (talk | contribs)
This article is a stub. You can help OWASP by expanding it or discussing it on its Talk page.
New OWASP Project details
see How to Start an OWASP Project
Project ideas & brainstorming:
Create an OWASP project around:
- Idea for an OWASP standard for public rating of a website's security profile
- Comment on OWASP testing and disclosure levels
Other relevant OWASP projects
Research link
Public Disclosure Policies (by Commercial websites)
- Paypal Site Security Researchers
- Facebook Report a Possible Security Vulnerability
- Salesforce.com Vulnerability Reporting Policy
- Wesabe Contacting Security - We want to hear from you ([email protected], GPG key
- Microsoft Report a Vulnerability
- 37signals Security Response
Other Links
- Security Disclosure Policies That Remove Chilling Effects
- Some Comments on PayPal's Security Vulnerability Disclosure Policy
- Communicating a Site Security Policy
- An ethical framework for information security research
- Disclosure policies – what constitutes “responsible” disclosure, vs irresponsible disclosure?
- Disclosure Samsara: The Endless Responsible Vulnerability Disclosure Debate (slides 32-34 have responsible disclosure recommendations for organizations)
Questions to answer
Question: What types of vulnerability testing are implicitly allowed? (XSS, SQLi, XSRF)