[Owasp-board] OWASP Bug Bounty Proposals

Josh Sokol josh.sokol at owasp.org
Fri Apr 8 22:24:00 UTC 2016


Board,

We had three companies submit proposals for the OWASP Bug Bounty Program.
Selecting one of them was a very difficult decision.  With the proposals
themselves being fairly equal, we placed much of our emphasis in making the
decision on the functional aspects of the platforms.  Johanna created an
excellent matrix of desired functionality which we were able to use to
narrow down to the one we selected.  Even that was a difficult decision,
but we have officially given the nod to the company who handles the triage
and validation of vulnerabilities internally (as opposed to outsourced) as
we felt that having an internal team looking after us would provide the
most value.  We are still firming up the contractual pieces, but I feel
confident in announcing to you that we have officially selected BugCrowd as
OWASP's new Bug Bounty platform.

The BugCrowd team is very excited about the prospects of working more
closely with us and has already reached out to Johanna about onboarding a
couple of projects that she was interested in handling bug bounties for.  I
am out on vacation next week, but my next steps here will be to work with
the staff as well as some members of the team and community in order to
scope out and define what a formal bug bounty program will look like for
the OWASP Foundation and its assets.  I am unable to attend this month's
Board meeting, so please consider this my official update on the progress
and I will hopefully have an update on our progression for the May
meeting.  Thank you!

~josh

On Thu, Apr 7, 2016 at 3:48 PM, Bil Corry <bil.corry at owasp.org> wrote:

> Sounds great, thank you for the information.
>
>
> - Bil
>
> On Thu, Apr 7, 2016 at 9:59 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>>
>> > Apologies, I probably missed it, but is OWASP paying bounties?  Or just
>> > providing recognition?  And what's the scope for the program?
>>
>> Hi Bill,
>>
>> Clarifications on your questions:
>>
>> No, OWASP will not be paying bounties but purely recognition; sure, in
>> this first phase, once it is announced which bounty management company we
>> have selected.
>>
>> > And what's the scope for the program?
>>
>> Right now, for the part I'll be supporting, some security libraries will
>> participate in the program, to start with:
>>
>>    - CSRFGuard
>>    - OWASP SeraphimDroid
>>
>> Other projects leaders could manage a program directly within the
>> interface, like ZAP.
>>
>> The management of vulnerabilities will be totally in charge of the Bounty
>> service provider, and we only need to finalise verifying those confirmed bugs.
>>
>> The idea is also to have a Bounty program for the OWASP wiki and mailman;
>> this is led by Frank Catucci and other OWASP volunteers who offered their
>> support:
>> https://www.owasp.org/index.php/Help_Secure_Owasp_assests
>>
>> Cheers
>>
>> Johanna
>>
>>
>> On Thu, Apr 7, 2016 at 3:46 PM, Bil Corry <bil.corry at owasp.org> wrote:
>>
>>> Apologies, I probably missed it, but is OWASP paying bounties?  Or just
>>> providing recognition?  And what's the scope for the program?
>>>
>>>
>>> - Bil
>>>
>>> On Wed, Apr 6, 2016 at 10:53 PM, Jim Manico <jim.manico at owasp.org>
>>> wrote:
>>>
>>>> All good Josh, thank you for this. I support the process.
>>>>
>>>> Aloha,
>>>> Jim
>>>>
>>>>
>>>> On 4/6/16 10:12 AM, Josh Sokol wrote:
>>>>
>>>> OWASP Board,
>>>>
>>>> The OWASP Bug Bounty initiative team, consisting of Kelly, Claudia,
>>>> Johanna, Frank, Simon, and myself, have performed both a technical and
>>>> contractual analysis of three bug bounty vendors.  We have come to a
>>>> consensus on the vendor that we feel will provide us with the most
>>>> capabilities and will be the best fit for the OWASP Foundation.  Before we
>>>> notify the vendors and make an announcement of our selected vendor, I
>>>> wanted to ask if any of you had any reservations with respect to the team's
>>>> ability to conduct an impartial evaluation and select a vendor to move
>>>> forward with?  If there are any concerns, I want to make sure that they are
>>>> addressed now, before an announcement has been made.  If not, then you can
>>>> expect an announcement in the next few days.  Thank you.
>>>>
>>>> ~josh
>>>>
>>>>
>>>> _______________________________________________
>>>> Owasp-board mailing list
>>>> Owasp-board at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>> --
>> Johanna Curiel
>> OWASP Volunteer
>>
>
>