[Owasp-board] Fwd: Bugcrowd / OWASP: Bughunt week

Fabio Cerullo fcerullo at owasp.org
Tue Oct 21 07:56:38 UTC 2014


Could you please review below and let me know your thoughts on running this
joint activity with Bugcrowd?

It is basically the same concept of a bug bounty used at recent Appsec
conferences but running on a global scale for a week.


---------- Forwarded message ----------
From: *Marisa Fagan* <marisa at bugcrowd.com>
Date: Tuesday, October 21, 2014
Subject: Bugcrowd / OWASP: Bughunt week
To: Fabio Cerullo <fcerullo at owasp.org>, Kelly Santalucia <kelly.santalucia at owasp.org>
Cc: Casey Ellis <casey at bugcrowd.com>

*Proposal*:  **Bug Week 2015: ...and Bug Bounties for All**

*Description*: 7 days of online competition to see who can find the most
vulnerabilities in commercial software. Competitors are members of OWASP
and supporting non-members who participate in Bugcrowd-hosted bug bounty
programs. They're located all over the world and the competition field is
online. Bugcrowd will be the platform, where the targets are as real world
as it gets, with *30 companies putting their live software up for testing.
The best will rise to the top of the leaderboard. On the final day, a
special elite tournament for only the Top 10 will be held around the world
for 24 hours at 00:00 UTC.

In order to capture this energy and share in the learning, Bugcrowd will
host a Bug Bash on location in their San Francisco headquarters on Thursday
[date] to show the local community what this is all about. Similarly,
on the US East coast, there's another Bug Bash hosted by OWASP committee
[to be arranged, maybe Boston chapter? They've expressed interest.] that
will run in tandem to share via Skype. There's also a Bug Bash party
running in [to be arranged, maybe Bangalore, India or Bogota, Colombia?] to
share in the fun.

OWASP is a strong supporter of the information security research community,
and has supported multiple crowdsourced security Bug Bash events. They also
[fill in here... for example... Adopted the Open Source Responsible
Disclosure Framework on their wiki resource and have multiple other
resources on how to run a bug bounty program].

*Number of companies on the Bugcrowd platform changes often. Will update
with true number closer to the date.

*Date*: Sunday November 16th midnight - Sunday November 23rd midnight
          This is a suggested date based on avoiding holidays, we're open
to another date if there's an overlap.

*Requested Requirements from OWASP*:
-- Marketing plan with PR team coordination (for in advance and week of
-- Mention in the next newsletter to OWASP members (When does this go out?)
-- Contribution of a First Place Prize (Suggestion: Trip to AppSecUSA 2015
with badge)
-- Access to OWASP Corporate Sponsors for collaboration with Bugcrowd
-- Connect to Local Chapter support for the local party event on Thursday
        -- Local advertising for event in local mailing list (SF and
        -- Hosting and planning and sponsoring 1 (East Coast Chapter) Bug
Bash party event with commitment to run it in tandem with the SF event
(Boston? 30 ppl max... can explain more details separately)
-- Connect to OWASP engineering/technology to coordinate on an OWASP Bug
Bounty program (pending OWASP approval)

*Deliverables From Bugcrowd:*
-- Coordinated marketing + advertising support (for in advance and during
the week of the event)
-- Technical support for the Bugcrowd platform during the event week (which
collects submissions, validates, and awards points for the leaderboard)
-- Online competition leaderboard website with content to explain the
competition (hosted on bugcrowd.com)
-- Coordination with OWASP Corporate Sponsors... to offer them a place on
the platform or other ways to collaborate
-- Hosting and organizing 1 local Bug Bash party evening event during the
Bug Week in SF (all OWASP SF members invited)

Kelly, what more would you like to see here for a proposal? What do you
think are the next steps? We're working with a short timeline... is that a

Thanks as always!


On Mon, Oct 6, 2014 at 3:38 PM, Fabio Cerullo <fcerullo at owasp.org> wrote:

> Casey
> Hope you are keeping well. Although we didn't have a chance to follow up
> on our conversation at AppSec USA, I met Marisa at Brucon last week. We
> discussed several ideas on how OWASP & Bugcrowd could work together and
> organise joint activities for the appsec community.
> The main idea we came up with was to organise a Bug Hunt Week during 2015.
> The intention would be to organise a 1 week bug hunt as a global
> competition in 2015 (similar to the ones you are currently running at the
> AppSec conferences). Maybe we could organise this as a tournament where the
> top X winners get a ticket to a major OWASP Appsec conference (e.g. San
> Francisco 2015). And during that period, OWASP will actively promote the
> competition, and where possible, seek support from tech companies to have
> dedicated engineers working on fixing the bugs identified by researchers.
> What do you think? I'm open to your suggestions/ideas.. just wanted to
> keep the conversation flowing.
> Thanks
> Fabio