Research page on Web Security Ratings and Disclosure Policies

New OWASP Project details
see How to Start an OWASP Project

Project ideas & brainstorming:
Create an OWASP project around:
 * Idea for Owasp Standard for public rating of an website's security profile
 * Comment on OWASP testing and disclosure levels

Other relevant OWASP projects

 * OWASP Positive Security Project

Public Disclosure Policies (by Commercial websites)

 * Paypal Site Security Researchers
 * Facebook Report a Possible Security Vulnerability
 * Salesforce.com Vulnerability Reporting Policy
 * Wesabe Contacting Security - We want to hear from you (security@wesabe.com, GPG key
 * Microsoft Report a Vulnerability
 * 37signals Security Response
 * Mozilla Bug Bounty Program

Other Links

 * Security Disclosure Policies That Remove Chilling Effects
 * Some Comments on PayPal's Security Vulnerability Disclosure Policy
 * Communicating a Site Security Policy
 * An ethical framework for information security research
 * Disclosure policies – what constitutes “responsible” disclosure, vs irresponsible disclosure?
 * Disclosure Samsara The Endless Responsible Vulnerability Disclosure Debate (Slides 32-34 have responsible disclosure recommendations for organizations)

Questions to answer
Question: What types of vulnerability testing is implicitly allowed? (XSS, SQLi,,XSRF)