Difference between revisions of "Research page on Web Security Ratings and Disclosure Policies"

From OWASP
(Created page with '==Project idea:== ==Research Links== * [http://www.thesecuritypractice.com/the_security_practice/2008/03/communicating-a.html Communicating a Site Security Policy] * [http://ww…')
 
Line 1: Line 1:
==Project idea:==
+
===Project idea:===
  
==Research Links==
+
===Public Disclosure Policies (by Commercial websites)===
 +
* [https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/ReportingSecurityIssues-outside Paypal] Site Security Researchers
 +
* [http://www.facebook.com/security?v=app_6009294086 Facebook] Report a Possible Security Vulnerability
 +
* [http://www.salesforce.com/company/disclosure.jsp Salesforce.com] Vulnerability Reporting Policy
 +
* [https://www.wesabe.com/page/security-contact Wesabe] Contacting Security - We want to hear from you
 +
* Microsoft (link?)
  
 +
===Research Links===
 +
* [http://securityretentive.blogspot.com/2009/12/security-disclosure-policies-that.html Security Disclosure Policies That Remove Chilling Effects]
 +
* [http://securityretentive.blogspot.com/2007/11/some-comments-on-paypals-security.html Some Comments on PayPal's Security Vulnerability Disclosure Policy]
 
* [http://www.thesecuritypractice.com/the_security_practice/2008/03/communicating-a.html Communicating a Site Security Policy]
 
* [http://www.thesecuritypractice.com/the_security_practice/2009/10/an-ethical-framework-for-information-security-research.html An ethical framework for information security research]
 
* [http://www.thesecuritypractice.com/the_security_practice/2008/02/disclosure-poli.html Disclosure policies – what constitutes “responsible” disclosure, vs irresponsible disclosure?]
 
 +
 +
===Questions to answer===
 +
Question: What types of vulnerability testing are implicitly allowed? (XSS, SQLi, XSRF)

Revision as of 07:14, 8 January 2010

Project idea:

Public Disclosure Policies (by Commercial websites)

  • Paypal Site Security Researchers
  • Facebook Report a Possible Security Vulnerability
  • Salesforce.com Vulnerability Reporting Policy
  • Wesabe Contacting Security - We want to hear from you
  • Microsoft (link?)

Research Links

Questions to answer

Question: What types of vulnerability testing are implicitly allowed? (XSS, SQLi, XSRF)