[Owasp-board] Fwd: Bugcrowd / OWASP: Bughunt week

Tom Brennan tomb at owasp.org
Wed Dec 10 15:33:50 UTC 2014

Added to today's board agenda was an update on this effort from all sides.


On Tue, Oct 21, 2014 at 6:13 AM, Jim Manico <jim.manico at owasp.org> wrote:

> We are also supposed to avoid endorsing commercial vendors. I'm not saying
> no, I'm just saying this is a commercial security vendor and we should
> proceed with care regarding our vendor neutrality statements in our bylaws,
> etc.
> --
> Jim Manico
> @Manicode
> (808) 652-3805
> On Oct 21, 2014, at 4:36 AM, Fabio Cerullo <fcerullo at owasp.org> wrote:
> This is a proposal they are making to us, not the other way around.
> Also, I believe it ties quite nicely with the following strategic goal for
> 2014:
> *Mobilize OWASP volunteers to help address security issues in large
> software systems/applications/frameworks.*
> https://www.owasp.org/index.php/OWASP_Strategic_Goals
> So we could either accept it, amend it or reject it.
> Thanks for your feedback.
> Fabio
> On Tue, Oct 21, 2014 at 9:06 AM, Jim Manico <jim.manico at owasp.org> wrote:
>> Since this is a commercial company, vendor neutrality encourages us to,
>> at least, open a call to other vendors in the space.
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>> On Oct 21, 2014, at 3:57 AM, Fabio Cerullo <fcerullo at owasp.org> wrote:
>> Hi
>> Could you please review below and let me know your thoughts on running
>> this joint activity with Bugcrowd?
>> It is basically the same concept of a bug bounty used at recent Appsec
>> conferences but running on a global scale for a week.
>> Thanks
>> Fabio
>> ---------- Forwarded message ----------
>> From: *Marisa Fagan* <marisa at bugcrowd.com>
>> Date: Tuesday, October 21, 2014
>> Subject: Bugcrowd / OWASP: Bughunt week
>> To: Fabio Cerullo <fcerullo at owasp.org>, Kelly Santalucia <
>> kelly.santalucia at owasp.org>
>> Cc: Casey Ellis <casey at bugcrowd.com>
>> *Proposal*:  **Bug Week 2015: ...and Bug Bounties for All**
>> *Description*: 7 days of online competition to see who can find the most
>> vulnerabilities in commercial software. Competitors are members of OWASP
>> and supporting non-members who participate in Bugcrowd-hosted bug bounty
>> programs. They're located all over the world and the competition field is
>> online. Bugcrowd will be the platform, where the targets are as real world
>> as it gets, with *30 companies putting their live software up for testing.
>> The best will rise to the top of the leaderboard. On the final day, a
>> special elite tournament for only the Top 10 will be held around the world
>> for 24 hours at 00:00 UTC.
>> In order to capture this energy and share in the learning, Bugcrowd will
>> host a Bug Bash on location in their San Francisco headquarters on Thursday
>> [date] to show the local community about what this is all about. Similarly,
>> on the US East coast, there's another Bug Bash hosted by OWASP committee
>> [to be arranged, maybe Boston chapter? They've expressed interest.] that
>> will run in tandem to share via Skype. There's also a Bug Bash party
>> running in [to be arranged, maybe Bangalore, India or Bogotá, Colombia?] to
>> share in the fun.
>> OWASP is a strong supporter of the information security research
>> community, and has supported multiple crowdsourced security Bug Bash
>> events. They also [fill in here... for example... Adopted the Open Source
>> Responsible Disclosure Framework on their wiki resource and have multiple
>> other resources on how to run a bug bounty program].
>> *Number of companies on the Bugcrowd platform changes often. Will update
>> with true number closer to the date.
>> *Date*: Sunday November 16th midnight - Sunday November 23rd midnight
>> This is a suggested date based on avoiding holidays; we're open
>> to another date if there's an overlap.
>> *Requested Requirements from OWASP*:
>> -- Marketing plan with PR team coordination (for in advance and week of
>> event)
>> -- Mention in the next newsletter to OWASP members (When does this go
>> out?)
>> -- Contribution of a First Place Prize (Suggestion: Trip to AppSecUSA
>> 2015 with badge)
>> -- Access to OWASP Corporate Sponsors for collaboration with Bugcrowd
>> -- Connect to Local Chapter support for the local party event on Thursday
>>         -- Local advertising for event in local mailing list (SF and
>> Boston?)
>>         -- Hosting and planning and sponsoring 1 (East Coast Chapter) Bug
>> Bash party event with commitment to run it in tandem with the SF event
>> (Boston? 30 ppl max... can explain more details separately)
>> -- Connect to OWASP engineering/technology to coordinate on an OWASP Bug
>> Bounty program (pending OWASP approval)
>> *Deliverables From Bugcrowd:*
>> -- Coordinated marketing + advertising support (for in advance and during
>> the week of the event)
>> -- Technical support for the Bugcrowd platform during the event week
>> (which collects submissions, validates, and awards points for the
>> leaderboard)
>> -- Online competition leaderboard website with content to explain the
>> competition (hosted on bugcrowd.com)
>> -- Coordination with OWASP Corporate Sponsors... to offer them a place on
>> the platform or other ways to collaborate
>> -- Hosting and organizing 1 local Bug Bash party evening event during the
>> Bug Week in SF (all OWASP SF members invited)
>> Kelly, what more would you like to see here for a proposal? What do you
>> think are the next steps? We're working with a short timeline... is that a
>> dealbreaker?
>> Thanks as always!
>> -Marisa
>> On Mon, Oct 6, 2014 at 3:38 PM, Fabio Cerullo <fcerullo at owasp.org> wrote:
>>> Casey
>>> Hope you are keeping well. Although we didn't have a chance to follow up
>>> on our conversation at AppSec USA, I met Marisa at Brucon last week. We
>>> discussed several ideas on how OWASP & Bugcrowd could work together and
>>> organise joint activities for the appsec community.
>>> The main idea we came up with was to organise a Bug Hunt Week during 2015.
>>> The intention would be to organise a 1 week bug hunt as a global
>>> competition in 2015 (similar to the ones you are currently running at the
>>> AppSec conferences). Maybe we could organise this as a tournament where the
>>> top X winners get a ticket to a major OWASP Appsec conference (e.g. San
>>> Francisco 2015). And during that period, OWASP will actively promote the
>>> competition, and where possible, seek support from tech companies to have
>>> dedicated engineers working on fixing the bugs identified by researchers.
>>> What do you think? I'm open to your suggestions/ideas.. just wanted to
>>> keep the conversation flowing.
>>> Thanks
>>> Fabio
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board

Tom Brennan
Global Board of Directors, Vice Chairman
NYC Metro Chapter, President
Direct: 973-202-0122

OWASP Foundation | www.owasp.org