[Esapi-user] [Esapi-dev] 2 ESAPI Bounties created on Bountysource

Kevin W. Wall kevin.w.wall at gmail.com
Thu Jan 29 05:13:14 UTC 2015

On Wed, Jan 28, 2015 at 7:46 AM, Magno Logan <magno.logan at owasp.org> wrote:
> Hi there,
> I have to agree with Jim on this one. I see no relevant point to limit the
> amount of users that can try and get the bounty. No one at OWASP has
> privileged information, everything is open and I think so should be the
> bounty. Why me as an OWASP leader wouldn't be eligible to get the bounty?
> That would, as Jim said, limit the amount of people that would be allowed to
> do it and evidently lead to a delay in the completion of this issue.

Magno and Jim,

First, thank you both for openly sharing your dissenting views in a
civil manner. That's one of the things that I really like about the
OWASP community. However, I think there is some misunderstanding here.
I was not proposing that either of you, as OWASP leaders, should not be
eligible for the ESAPI Bountysource bounties. Nor do I believe that my
proposal will significantly reduce the number of potential participants.

What I am advocating was that the *ESAPI* project leaders (which would be
myself and Chris Schmidt) not be eligible to receive the bounties.
Fabio also suggested, and I concur, that the OWASP *global* board also be

But perhaps more important than understanding _what_ I was advocating is
understanding _why_ I was suggesting this.

One vital piece of information that everyone may be missing--at least
in the specific case of these ESAPI bounties--is that I am set up as
the sole approver of awarding these bounties. Not only am I responsible for
determining which submission is the best, but I am also responsible
for determining which bugs get awarded some fixed amount of dollars.
(Note: I'd prefer something more like a vote by small committee to
do these things, but short story, that's just not the way things worked
themselves out. If someone else wishes to help run / judge this, drop
me an email off-list.)

I know that most of us on this list want OWASP to remain above reproach.
Since we are a non-profit, reputation is one of the very few things that
are really important to us all.

So, what would happen if an OWASP project leader who also
happened to approve bounties cherry-picked some bugs
that maybe he or she was already working on, or that required such
expertise that only s/he could complete them? Then that person submits
their own bug fix and, maybe after waiting a while for other
submissions, approves their own fix for the bounty.

Do you really think that wouldn't raise some eyebrows, not
only within the OWASP community, but outside of it as well?

Note that I am *NOT* trying to say that any specific OWASP project
leaders would actually think of enriching themselves in
such a manner, but why open things up to temptation? At the VERY
LEAST I think we need to exclude anyone who approves the
bounties from participating in THOSE bounties. That is,
avoid even the *appearance* of any conflict of interest. Is
this not what we expect on how non-profits should operate?

Knowing how much we all care about protecting the OWASP brand
and OWASP's reputation, I went back and rethought this through
and realized that perhaps most of you didn't realize that it was
me who was approving the ESAPI Bountysource bounties. (If
it had been Fabio instead who had this responsibility, perhaps
that would be different.) But I just think it is a bad idea
if we allow OWASP members to be put into a situation where they
are tempted to compromise and thus tarnish OWASP's reputation.
This is at the essence of why we have separation of duties.
If we compromise here, do we allow people to approve their own
OWASP-related expense vouchers? Where would it all end? IMO,
best to stay away from that slippery slope altogether.

I am not suggesting that Magno, as project leader of some other
OWASP project, should be ineligible for the ESAPI Bountysource
bounties. But if you were in the position that I find myself in, it
would hardly surprise me if you also chose to recuse yourself
from being eligible for any bounties that you administer.

And unless there are a lot of project leaders on a given OWASP
project, what I have proposed does not significantly reduce the
number of people eligible to collect the bounties.

So I hope this explanation puts this discussion to bed and the
discussion can turn more toward answering questions about
the two issues for which bounties are being offered.

Best regards,
Blog: http://off-the-wall-security.blogspot.com/
NSA: All your crypto bit are belong to us.
