As a side note, there are a few companies that follow bounty programs:
http://computersecuritywithethicalhacking.blogspot.in/2012/09/web-product-vulnerabilty-bug-bounty.html
(straight transfer of link from null mailing list; also apparently the guy
lists a lot more via his twitter account)

Talking about testing against "test" systems, a number of companies don't
have any issues with the public testing their "live" systems:

eg. from: https://www.facebook.com/whitehat/bounty

   - Please use a test account
<https://www.facebook.com/whitehat/accounts/> instead
   of a real account when investigating bugs. When you are unable to reproduce
   a bug with a test account, it is acceptable to use a real account, except
   for automated testing. Do not interact with other accounts without the
   consent of their owners.

   and very interestingly, FB don't say you "can't" do DoS etc., only that
   they don't recommend it! :) as in:
   The following bugs aren't eligible for a bounty (and we don't recommend
   testing for these):
   - Security bugs in third-party applications (e.g.,
     http://apps.facebook.com/[app_name])
   - Security bugs in third-party websites that integrate with Facebook
   - Denial of Service Vulnerabilities
   ...


simran.

On Mon, Nov 26, 2012 at 10:45 AM, Robert Shea <robert.s...@acm.org> wrote:

>
> I disagree with this type of testing full stop, so addressing specific
> sub-points doesn't hold much value to me.
>
> However, I saw no reason to believe that 3rd party sites would merely be
> pointed to, I would suspect a client provided VMI hosted by bugcrowd would
> make more sense from a safety and assurance perspective. In my other
> interactions with Casey, I can't imagine he, or any vaguely serious
> professional would be cool with pointing hostile traffic willy-nilly
> across unknown systems at a live server.
>
> Honestly, I wouldn't even consider touching the system (If I believed in
> pen testing or just really needed money) unless every bit of pipe were
> controlled (e.g. VPN access to the target VMI) by a participant.
>
> I do think this is getting wildly off list-topic though.
>
> Cheers,
>
> Rob
>
>
> On 26/11/12 09:10, Anthony Richardson wrote:
>
> Hi Robert,
>
>  To be clear, are you disagreeing with the concerns and points I
> raised?
>
>  Cheers,
>
>  Anthony Richardson
>
> On Fri, Nov 23, 2012 at 3:56 PM, Robert Shea <robert.s...@acm.org> wrote:
>
>>
>> As a "white hat hacker" when actually looking at the target site, you'd
>> quickly realise it is created, owned, and run by the same people as
>> BugCrowd.
>>
>> Cheers
>>
>>
>>
>> On 23/11/12 15:10, Anthony Richardson wrote:
>>
>> Umm, the target link appears to point to a production system. Is the
>> intent to have hackers attack the production site to find bugs? If so, that
>> isn't something I would feel comfortable doing. Also how would I know that
>> I'm correctly authorised to attack the site? Could I submit a competitor
>> production site to the crowd?
>>
>>  I quite like the concept, but have some real concerns I would want
>> alleviated as a white hat hacker before I felt comfortable attacking some
>> arbitrary web site/app.
>>
>>  Cheers,
>>
>>  Anthony Richardson
>>
>>
>> On Fri, Nov 23, 2012 at 2:25 PM, caseyjohnellis <
>> casey.el...@tallpoppygroup.com> wrote:
>>
>>> Hi beachers
>>>
>>>  A quick note to let you all know about Bugcrowd, and invite you to
>>> participate!
>>>
>>>  Bugcrowd is crowdsourced security testing. We run managed bug bounty
>>> programs <http://bugcrowd.com> for business. If you already know what
>>> a bug bounty program is, then waste no time and get ye hence to
>>> http://bugcrowd.com.
>>>
>>>  For the rest of you, some have been referring to it as Kaggle or
>>> 99designs for security... Web or mobile application owners create a contest
>>> and invite members of the Bugcrowd to find security holes in their app. The
>>> Bugcrowd ninja who finds the best bugs gets a placed (1st, 2nd or 3rd)
>>> reward and the rest get a smaller fixed reward. No bugs? No problem... (and
>>> well done by the way... this NEVER happens) If the Bugcrowd don't find
>>> anything the client gets their reward pool back.
>>>
>>>  We're running an open timeboxed bounty as a proof of concept at the
>>> moment. Details are over at
>>> http://blog.bugcrowd.com/bounty-ready-set-go-our-first-bounty-program-begins-details-in-post.
>>> If you're a web or mobile app ninja, or ninja in training, we're really
>>> interested to hear from you. Just make sure you sign up before you start
>>> testing...!
>>>
>>>  I'm also very keen to hear feedback, questions, comments from the
>>> beach. Most of us in here are web and mobile application owners, many of us
>>> have experienced or at least seen a breach before, and many of us are
>>> nervous about the security of our stuff but don't quite know what to do.
>>>
>>>  Cheers
>>> caseyjohnellis
>>> http://bugcrowd.com - Now taking on Beta clients!
>>>
>>>
>>>
>>>  --
>>> You received this message because you are subscribed to the Silicon
>>> Beach Australia mailing list. Vist http://siliconbeachaustralia.org for
>>> more
>>>
>>> Forum rules
>>> 1) No lurkers! It is expected that you introduce yourself.
>>> 2) No jobs postings. You can use http://siliconbeachaustralia.org/jobs
>>>
>>>
>>> To post to this group, send email to
>>> silicon-beach-australia@googlegroups.com
>>> To unsubscribe from this group, send email to
>>> silicon-beach-australia+unsubscr...@googlegroups.com
>>> For more options, visit this group at
>>> http://groups.google.com/group/silicon-beach-australia?hl=en?hl=en
>>>
>>