[Owasp-board] BugCroud

Jim Manico jim.manico at owasp.org
Tue Dec 23 19:55:16 UTC 2014


Matt,

We were reactive in /*describing*/ this, but no one went to the 
conference team and told them or forced them to make any changes.

The goal here is to...

1) Spot a potential problem
2) Set a new policy if necessary
3) Lead by that policy

I feel that some vendors have been rather sneaky in getting around our 
vendor rules (and frankly, that is their /job/ in marketing groups) so I 
think it's important that we bring these issues up as soon as possible 
to discuss and set better policy.

And I feel the policy needs to be something like, "Anytime a commercial 
information security vendor wishes to conduct an event at an OWASP 
conference that is not a standard vendor marketing/advertising option, 
that request will need to be approved by the board (or follow certain 
rules)."

Matt, if we let one vendor conduct an OWASP conference event, at no 
cost, in a way that lets them advertise outside of their normal vendor 
marketing options, they both undermine the vendor neutrality rules of 
play in our bylaws, and we undermine Kelly's efforts to sell vendor 
marketing at our conferences.

Last note, it's important to give conference teams freedom. But that 
freedom is a responsibility, not just a right. If conference teams 
purposefully or accidentally glorify one vendor outside of the normal 
vendor marketing rules, then the board should step in and fix the issue 
(AFTER a new policy is clearly set).

Aloha,
- Jim

On 12/23/14 3:38 AM, Matt Konda wrote:
> This process of having attendees select presenters can work really 
> well.  The Chicago BSides organizers have been doing this for years 
> and it is really neat to attend (and speak at) a conference that 
> everybody feels invested in.
>
> There are some obvious pitfalls:
> 1.  Your selection process (voting) has to be solid and above scrutiny.
> 2.  You may lose the ability to recruit top notch keynotes.
> 3.  It can still be a popularity contest and favor ridiculous 
> hyperbole in titles and abstracts.
> 4.  Generally I get anxious about handling it at scale.
>
> Overall, while I like this process and hope to encourage using it for 
> local Chicago events, I think the board may be over-extending to try 
> to manage how local teams organize conferences and conference activities.
>
> On the larger question - I think our immediate direction on this whole 
> BugCrowd item could be a simpler path:  communicate with staff and 
> conference leadership teams and re-emphasize the concern that our 
> conferences and collaborations are intended to be open and should not 
> be vendor platforms in disguise.
>
> We were reactive in this case, we should make it clear that we want to 
> support staff and volunteers in navigating a vendor neutral path when 
> needed.  We should come up with a simple process for escalating a 
> question.  But I don't think we should let ourselves get bogged down 
> into the problem or complicated policy / procedure changes intended to 
> address it.  In the big picture, I think OWASP continues to do an 
> awesome job producing open content, tools and leadership for the 
> application security community.  We should focus on that and 
> continuing to adapt in a positive way.  If we focus too much on the 
> flaws in the armor, that's what we project to the community. Just my 2 
> cents.
>
> Happy holidays!
> Matt
>
> On Mon, Dec 22, 2014 at 10:07 PM, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>
>     Thanks for pointing this out, Tom. There is a trend here. The
>     Hack-In-The-Box series is experimenting with the same thing.
>
>     1) Speakers submit talks as normal
>     2) Attendees are tasked to register early
>     3) Paid attendees use voting system to pick talks
>     4) Conference becomes 100% attendee driven
>
>     This changes focus on security conferences dramatically. The
>     number of "toasters getting hacked" talks drops off, and frankly
>     the number of "elite only" talks drops off. The conference becomes
>     more educational in nature; and more community driven.
>
>     I would love to experiment with this at OWASP.
>
>     - Jim
>
>
>     On 12/22/14 5:01 PM, Tom Brennan wrote:
>
>         Related more to CFP but this is cool let the attendees pick
>         the agenda
>
>         https://www.syscan.org/index.php/sg/cfp/vote/
>
>         Now that's transparency
>
>         Tom Brennan
>         973-202-0122 <tel:973-202-0122>
>
>             On Dec 22, 2014, at 6:25 PM, Eoin Keary
>             <eoin.keary at owasp.org <mailto:eoin.keary at owasp.org>> wrote:
>
>             +1
>
>             Sent from my iPhone
>
>                 On 20 Dec 2014, at 02:07, Michael Coates
>                 <michael.coates at owasp.org
>                 <mailto:michael.coates at owasp.org>> wrote:
>
>                 Hey Jim
>
>                 As someone who is planning AppSecUSA 2015, here are
>                 my thoughts.
>
>                 1. Open call for activities. So bugcrowd and anyone
>                 else can submit a proposal for activity x.
>
>                 2. Making it clear that this is an add-on activity
>                 coordinated by vendor x (e.g. along the lines you
>                 mentioned, if specifically vendor and not Owasp)
>
>                 And don't get me wrong, these companies are all great.
>                 But it's about clearly delineating Owasp vs vendor
>                 items and making an open playing field for all to submit.
>
>
>
>                     On Dec 19, 2014, at 4:56 PM, Jim Manico
>                     <jim.manico at owasp.org
>                     <mailto:jim.manico at owasp.org>> wrote:
>
>                     Board,
>
>                     BugCrowd has been setting up events at OWASP
>                     conferences that concern me. They are doing
>                     "bugbashes" which are CTFs that use the BugCrowd
>                     closed-source commercial platform. These CTFs go
>                     after public websites that have open bug bounties,
>                     but still, it uses the BugCrowd platform to track
>                     these efforts. Since this is a commercial
>                     platform, this falls under a vendor sponsorship
>                     program as opposed to an event they can host at
>                     our conference "for free".
>
>                     So I suggest we charge for vendor sponsorship fees
>                     and move the BugBash program to the vendor area so
>                     it's clear this is not an official OWASP program.
>
>                     If OWASP wants to do a "public conference" CTF in
>                     a more premium area of the conference, I'd like to
>                     see us using a platform that is open source like
>                     the OWASP CTF project. If a vendor wants to use
>                     their commercial platform to do a CTF at an
>                     official OWASP conference, that sounds like a
>                     vendor sponsorship event/opportunity.
>
>                     Aloha,
>                     Jim
>
>                     _______________________________________________
>                     Owasp-board mailing list
>                     Owasp-board at lists.owasp.org
>                     <mailto:Owasp-board at lists.owasp.org>
>                     https://lists.owasp.org/mailman/listinfo/owasp-board
>
