[Owasp-board] Fwd: Bugcrowd / OWASP: Bughunt week
jim.manico at owasp.org
Tue Oct 21 10:13:41 UTC 2014
We are also supposed to avoid endorsing commercial vendors. I'm not saying
no, I'm just saying this is a commercial security vendor and we should
proceed with care regarding our vendor neutrality statements in our bylaws,
On Oct 21, 2014, at 4:36 AM, Fabio Cerullo <fcerullo at owasp.org> wrote:
This is a proposal they are making to us, not the other way around.
Also, I believe it ties quite nicely with the following strategic goal for
*Mobilize OWASP volunteers to help address security issues in large
So we could either accept it, amend it or reject it.
Thanks for your feedback.
On Tue, Oct 21, 2014 at 9:06 AM, Jim Manico <jim.manico at owasp.org> wrote:
> Since this is a commercial company, vendor neutrality encourages us to, at
> least, open a call to other vendors in the space.
> Jim Manico
> (808) 652-3805
> On Oct 21, 2014, at 3:57 AM, Fabio Cerullo <fcerullo at owasp.org> wrote:
> Could you please review below and let me know your thoughts on running
> this joint activity with Bugcrowd?
> It is basically the same concept of a bug bounty used at recent Appsec
> conferences but running on a global scale for a week.
> ---------- Forwarded message ----------
> From: *Marisa Fagan* <marisa at bugcrowd.com>
> Date: Tuesday, October 21, 2014
> Subject: Bugcrowd / OWASP: Bughunt week
> To: Fabio Cerullo <fcerullo at owasp.org>, Kelly Santalucia <
> kelly.santalucia at owasp.org>
> Cc: Casey Ellis <casey at bugcrowd.com>
> *Proposal*: **Bug Week 2015: ...and Bug Bounties for All**
> *Description*: 7 days of online competition to see who can find the most
> vulnerabilities in commercial software. Competitors are members of OWASP
> and supporting non-members who participate in Bugcrowd-hosted bug bounty
> programs. They're located all over the world and the competition field is
> online. Bugcrowd will be the platform, where the targets are as real world
> as it gets, with *30 companies putting their live software up for testing.
> The best will rise to the top of the leaderboard. On the final day, a
> special elite tournament for only the Top 10 will be held around the world
> for 24 hours at 00:00 UTC.
> In order to capture this energy and share in the learning, Bugcrowd will
> host a Bug Bash on location in their San Francisco headquarters on Thursday
> [date] to show the local community about what this is all about. Similarly,
> on the US East coast, there's another Bug Bash hosted by OWASP committee
> [to be arranged, maybe Boston chapter? They've expressed interest.] that
> will run in tandem to share via Skype. There's also a Bug Bash party
> running in [to be arranged, maybe Bangalore, India or Bogotá, Colombia?] to
> share in the fun.
> OWASP is a strong supporter of the information security research
> community, and has supported multiple crowdsourced security Bug Bash
> events. They also [fill in here... for example... Adopted the Open Source
> Responsible Disclosure Framework on their wiki resource and have multiple
> other resources on how to run a bug bounty program].
> *Number of companies on the Bugcrowd platform changes often. Will update
> with true number closer to the date.
> *Date*: Sunday November 16th midnight - Sunday November 23rd midnight
> This is a suggested date based on avoiding holidays, we're open
> to another date if there's an overlap.
> *Requested Requirements from OWASP*:
> -- Marketing plan with PR team coordination (for in advance and week of
> -- Mention in the next newsletter to OWASP members (When does this go out?)
> -- Contribution of a First Place Prize (Suggestion: Trip to AppSecUSA 2015
> with badge)
> -- Access to OWASP Corporate Sponsors for collaboration with Bugcrowd
> -- Connect to Local Chapter support for the local party event on Thursday
> -- Local advertising for event in local mailing list (SF and
> -- Hosting and planning and sponsoring 1 (East Coast Chapter) Bug
> Bash party event with commitment to run it in tandem with the SF event
> (Boston? 30 ppl max... can explain more details separately)
> -- Connect to OWASP engineering/technology to coordinate on an OWASP Bug
> Bounty program (pending OWASP approval)
> *Deliverables From Bugcrowd:*
> -- Coordinated marketing + advertising support (for in advance and during
> the week of the event)
> -- Technical support for the Bugcrowd platform during the event week
> (which collects submissions, validates, and awards points for the
> -- Online competition leaderboard website with content to explain the
> competition (hosted on bugcrowd.com)
> -- Coordination with OWASP Corporate Sponsors... to offer them a place on
> the platform or other ways to collaborate
> -- Hosting and organizing 1 local Bug Bash party evening event during the
> Bug Week in SF (all OWASP SF members invited)
> Kelly, what more would you like to see here for a proposal? What do you
> think are the next steps? We're working with a short timeline... is that a
> Thanks as always!
> On Mon, Oct 6, 2014 at 3:38 PM, Fabio Cerullo <fcerullo at owasp.org> wrote:
>> Hope you are keeping well. Although we didn't have a chance to follow up
>> on our conversation at AppSec USA, I met Marisa at Brucon last week. We
>> discussed several ideas on how OWASP & Bugcrowd could work together and
>> organise joint activities for the appsec community.
>> The main idea we came up with was to organise a Bug Hunt Week during 2015.
>> The intention would be to organise a 1 week bug hunt as a global
>> competition in 2015 (similar to the ones you are currently running at the
>> AppSec conferences). Maybe we could organise this as a tournament where the
>> top X winners get a ticket to a major OWASP Appsec conference (e.g. San
>> Francisco 2015). And during that period, OWASP will actively promote the
>> competition, and where possible, seek support from tech companies to have
>> dedicated engineers working on fixing the bugs identified by researchers.
>> What do you think? I'm open to your suggestions/ideas... just wanted to
>> keep the conversation flowing.