[Owasp-board] BugCrowd

Matt Konda matt.konda at owasp.org
Tue Dec 23 13:38:31 UTC 2014


This process of having attendees select presenters can work really well.
The Chicago BSides organizers have been doing this for years and it is
really neat to attend (and speak at) a conference that everybody feels
invested in.

There are some obvious pitfalls:
1.  Your selection process (voting) has to be solid and above scrutiny.
2.  You may lose the ability to recruit top-notch keynotes.
3.  It can still be a popularity contest and favor ridiculous hyperbole in
titles and abstracts.
4.  Generally I get anxious about handling it at scale.

Overall, while I like this process and hope to encourage using it for local
Chicago events, I think the board may be over-extending to try to manage
how local teams organize conferences and conference activities.

On the larger question - I think our immediate direction on this whole
BugCrowd item could be a simpler path:  communicate with staff and
conference leadership teams and re-emphasize the concern that our
conferences and collaborations are intended to be open and should not be
vendor platforms in disguise.

We were reactive in this case; we should make it clear that we want to
support staff and volunteers in navigating a vendor neutral path when
needed.  We should come up with a simple process for escalating a
question.  But I don't think we should let ourselves get bogged down in
the problem or complicated policy / procedure changes intended to address
it.  In the big picture, I think OWASP continues to do an awesome job
producing open content, tools and leadership for the application security
community.  We should focus on that and continuing to adapt in a positive
way.  If we focus too much on the flaws in the armor, that's what we
project to the community. Just my 2 cents.

Happy holidays!
Matt







On Mon, Dec 22, 2014 at 10:07 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
> Thanks for pointing this out, Tom. There is a trend here. The
> Hack-In-The-Box series is experimenting with the same thing.
>
> 1) Speakers submit talks as normal
> 2) Attendees are tasked to register early
> 3) Paid attendees use voting system to pick talks
> 4) Conference becomes 100% attendee driven
>
> This changes focus on security conferences dramatically. The number of
> "toasters getting hacked" talks drops off, and frankly the number of "elite
> only" talks drops off. The conference becomes more educational in nature;
> and more community driven.
>
> I would love to experiment with this at OWASP.
>
> - Jim
>
>
> On 12/22/14 5:01 PM, Tom Brennan wrote:
>
>> Related more to CFP, but this is cool: let the attendees pick the agenda
>>
>> https://www.syscan.org/index.php/sg/cfp/vote/
>>
>> Now that's transparency
>>
>> Tom Brennan
>> 973-202-0122
>>
>>  On Dec 22, 2014, at 6:25 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>
>>> +1
>>>
>>> Sent from my iPhone
>>>
>>>  On 20 Dec 2014, at 02:07, Michael Coates <michael.coates at owasp.org>
>>>> wrote:
>>>>
>>>> Hey Jim
>>>>
>>>> As someone who is planning AppSecUSA 2015, here are my thoughts.
>>>>
>>>> 1. Open call for activities. So BugCrowd and anyone else can submit a
>>>> proposal for activity x.
>>>>
>>>> 2. Making it clear that this is an add on activity coordinated by
>>>> vendor x (e.g. along the lines you mentioned if specifically vendor not
>>>> OWASP)
>>>>
>>>> And don't get me wrong, these companies are all great. But it's about
>>>> clearly delineating OWASP vs vendor items and making an open playing field
>>>> for all to submit.
>>>>
>>>>
>>>>
>>>>  On Dec 19, 2014, at 4:56 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>
>>>>> Board,
>>>>>
>>>>> BugCrowd has been setting up events at OWASP conferences that concern
>>>>> me. They are doing "bugbashes" which are CTFs that use the BugCrowd
>>>>> closed-source commercial platform. These CTFs go after public websites
>>>>> that have open bug bounties, but still, it uses the BugCrowd platform to
>>>>> track these efforts. Since this is a commercial platform, this falls under
>>>>> a vendor sponsorship program as opposed to an event they can host at our
>>>>> conference "for free".
>>>>>
>>>>> So I suggest we charge for vendor sponsorship fees and move the
>>>>> BugBash program to the vendor area so it's clear this is not an official
>>>>> OWASP program.
>>>>>
>>>>> If OWASP wants to do a "public conference" CTF in a more premium area
>>>>> of the conference, I'd like to see us using a platform that is open source
>>>>> like the OWASP CTF project. If a vendor wants to use their commercial
>>>>> platform to do a CTF at an official OWASP conference, that sounds like a
>>>>> vendor sponsorship event/opportunity.
>>>>>
>>>>> Aloha,
>>>>> Jim
>>>>>
>>>>> _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>