[Owasp-board] Fwd: Bugcrowd / OWASP: Bughunt week

Fabio Cerullo fcerullo at owasp.org
Tue Oct 21 08:36:09 UTC 2014


This is a proposal they are making to us, not the other way around.

Also, I believe it ties quite nicely with the following strategic goal for
2014:

*Mobilize OWASP volunteers to help address security issues in large
software systems/applications/frameworks.*

https://www.owasp.org/index.php/OWASP_Strategic_Goals

So we could either accept it, amend it or reject it.

Thanks for your feedback.

Fabio

On Tue, Oct 21, 2014 at 9:06 AM, Jim Manico <jim.manico at owasp.org> wrote:

> Since this is a commercial company, vendor neutrality encourages us to, at
> least, open a call to other vendors in the space.
>
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
> On Oct 21, 2014, at 3:57 AM, Fabio Cerullo <fcerullo at owasp.org> wrote:
>
> Hi
>
> Could you please review below and let me know your thoughts on running
> this joint activity with Bugcrowd?
>
> It is basically the same concept of a bug bounty used at recent Appsec
> conferences but running on a global scale for a week.
>
> Thanks
> Fabio
>
> ---------- Forwarded message ----------
> From: *Marisa Fagan* <marisa at bugcrowd.com>
> Date: Tuesday, October 21, 2014
> Subject: Bugcrowd / OWASP: Bughunt week
> To: Fabio Cerullo <fcerullo at owasp.org>, Kelly Santalucia <
> kelly.santalucia at owasp.org>
> Cc: Casey Ellis <casey at bugcrowd.com>
>
>
> *Proposal*:  **Bug Week 2015: ...and Bug Bounties for All**
>
> *Description*: 7 days of online competition to see who can find the most
> vulnerabilities in commercial software. Competitors are members of OWASP
> and supporting non-members who participate in Bugcrowd-hosted bug bounty
> programs. They're located all over the world and the competition field is
> online. Bugcrowd will be the platform, where the targets are as real world
> as it gets, with *30 companies putting their live software up for testing.
> The best will rise to the top of the leaderboard. On the final day, a
> special elite tournament for only the Top 10 will be held around the world
> for 24 hours at 00:00 UTC.
>
> In order to capture this energy and share in the learning, Bugcrowd will
> host a Bug Bash on location in their San Francisco headquarters on Thursday
> [date] to show the local community about what this is all about. Similarly,
> on the US East coast, there's another Bug Bash hosted by OWASP committee
> [to be arranged, maybe Boston chapter? They've expressed interest.] that
> will run in tandem to share via Skype. There's also a Bug Bash party
> running in [to be arranged, maybe Bangalore, India or Bogotá, Colombia?] to
> share in the fun.
>
> OWASP is a strong supporter of the information security research
> community, and has supported multiple crowdsourced security Bug Bash
> events. They also [fill in here... for example... Adopted the Open Source
> Responsible Disclosure Framework on their wiki resource and have multiple
> other resources on how to run a bug bounty program].
>
> *Number of companies on the Bugcrowd platform changes often. Will update
> with true number closer to the date.
>
> *Date*: Sunday November 16th midnight - Sunday November 23rd midnight
> This is a suggested date based on avoiding holidays; we're open
> to another date if there's an overlap.
>
> *Requested Requirements from OWASP*:
> -- Marketing plan with PR team coordination (for in advance and week of
> event)
> -- Mention in the next newsletter to OWASP members (When does this go out?)
> -- Contribution of a First Place Prize (Suggestion: Trip to AppSecUSA 2015
> with badge)
> -- Access to OWASP Corporate Sponsors for collaboration with Bugcrowd
> -- Connect to Local Chapter support for the local party event on Thursday
>         -- Local advertising for event in local mailing list (SF and
> Boston?)
>         -- Hosting and planning and sponsoring 1 (East Coast Chapter) Bug
> Bash party event with commitment to run it in tandem with the SF event
> (Boston? 30 ppl max... can explain more details separately)
> -- Connect to OWASP engineering/technology to coordinate on an OWASP Bug
> Bounty program (pending OWASP approval)
>
> *Deliverables From Bugcrowd:*
> -- Coordinated marketing + advertising support (for in advance and during
> the week of the event)
> -- Technical support for the Bugcrowd platform during the event week
> (which collects submissions, validates, and awards points for the
> leaderboard)
> -- Online competition leaderboard website with content to explain the
> competition (hosted on bugcrowd.com)
> -- Coordination with OWASP Corporate Sponsors... to offer them a place on
> the platform or other ways to collaborate
> -- Hosting and organizing 1 local Bug Bash party evening event during the
> Bug Week in SF (all OWASP SF members invited)
>
>
> Kelly, what more would you like to see here for a proposal? What do you
> think are the next steps? We're working with a short timeline... is that a
> dealbreaker?
>
> Thanks as always!
>
> -Marisa
>
> On Mon, Oct 6, 2014 at 3:38 PM, Fabio Cerullo <fcerullo at owasp.org> wrote:
>
>> Casey
>>
>> Hope you are keeping well. Although we didn't have a chance to follow up
>> on our conversation at AppSec USA, I met Marisa at Brucon last week. We
>> discussed several ideas on how OWASP & Bugcrowd could work together and
>> organise joint activities for the appsec community.
>>
>> The main idea we came up with was to organise a Bug Hunt Week during 2015.
>>
>> The intention would be to organise a 1 week bug hunt as a global
>> competition in 2015 (similar to the ones you are currently running at the
>> AppSec conferences). Maybe we could organise this as a tournament where the
>> top X winners get a ticket to a major OWASP Appsec conference (e.g. San
>> Francisco 2015). And during that period, OWASP will actively promote the
>> competition, and where possible, seek support from tech companies to have
>> dedicated engineers working on fixing the bugs identified by researchers.
>>
>> What do you think? I'm open to your suggestions/ideas.. just wanted to
>> keep the conversation flowing.
>>
>> Thanks
>> Fabio
>>
>>
>