Hi Anthony, I take it from your questions that you're asking from the tester angle and not the app owner angle... Correct me if I got that wrong.

An overall comment - This and other POC bounties that we are running are "open", as in anyone can participate... Once the service gets further along Beta we'll move to invite-only testing with vetted testers, and the testing will be carried out via our infrastructure.
On Friday, November 23, 2012 3:10:26 PM UTC+11, Anthony Richardson wrote:
> Umm, the target link appears to point to a production system.

That is correct for this particular bounty. We own and run this system, so it's a calculated risk... plus we wanted to "eat our own dogfood" so to speak. The plan is to release the results and compare them to results from some automated scanning tools, which is something we wouldn't do for an actual client.

> Is the intent to have hackers attack the production site to find bugs?

s/attack/test. An important distinction. In this case, yes it is. As you know though, it'd be just as valuable an exercise from an appsec review standpoint to test a dev/UAT/staging version of the app.

> If so, that isn't something I would feel comfortable doing.

Understood. It's good to mention though... We've been monitoring the impact of the testing on the application and so far it is *far less* than the impact of automated scanning. Those testing it (almost 80 so far going off the logs) are both skilled and well behaved.

> Also how would I know that I'm correctly authorised to attack the site?

Do you mean as a tester? For these open POC bounties it's "because we said so". We own and run the target site so it's all covered from a permission standpoint. You do raise a good point about making sure that this is clear to the crowd... As the service moves along through Beta we will be implementing user registration and auth systems, so at that stage you will know it's OK because you have a tester account with us.

> Could I submit a competitor production site to the crowd?

To attack your competitor? Wow, you're a bit evil aren't you... :) No. We'd validate who you were before we allowed a bounty to proceed.

> I quite like the concept,

Thank you!

> but have some real concerns I would want alleviated as a white hat hacker
> before I felt comfortable attacking some arbitrary web site/app.

Understood, and I greatly appreciate you raising them. To be honest most of the "concern-handling" has been focussed on the client side, so it's good to be getting questions like these from the tester side of things.

> Cheers,
> Anthony Richardson

--
You received this message because you are subscribed to the Silicon Beach Australia mailing list.