[Owasp-board] OWASP Bug Bounty Proposals

Jim Manico jim.manico at owasp.org
Fri Apr 8 22:28:29 UTC 2016


Fantastic. THANK YOU for taking the time to put out an open call for 
vendor proposals. It was the right thing to do, IMO.

Aloha,
Jim


On 4/8/16 12:24 PM, Josh Sokol wrote:
> Board,
>
> We had three companies submit proposals for the OWASP Bug Bounty 
> Program.  Selecting one of them was a very difficult decision.  With 
> the proposals themselves being fairly equal, we placed much of our 
> emphasis in making the decision on the functional aspects of the 
> platforms.  Johanna created an excellent matrix of desired 
> functionality which we were able to use to narrow down to the one we 
> selected.  Even that was a difficult decision, but we have officially 
> given the nod to the company who handles the triage and validation of 
> vulnerabilities internally (as opposed to outsourced) as we felt that 
> having an internal team looking after us would provide the most 
> value.  We are still firming up the contractual pieces, but I feel 
> confident in announcing to you that we have officially selected 
> BugCrowd as OWASP's new Bug Bounty platform.
>
> The BugCrowd team is very excited about the prospects of working more 
> closely with us and has already reached out to Johanna about 
> onboarding a couple of projects that she was interested in handling 
> bug bounties for.  I am out on vacation next week, but my next steps 
> here will be to work with the staff as well as some members of the 
> team and community in order to scope out and define what a formal bug 
> bounty program will look like for the OWASP Foundation and its 
> assets.  I am unable to attend this month's Board meeting, so please 
> consider this my official update on the progress and I will hopefully 
> have an update on our progression for the May meeting.  Thank you!
>
> ~josh
>
> On Thu, Apr 7, 2016 at 3:48 PM, Bil Corry <bil.corry at owasp.org 
> <mailto:bil.corry at owasp.org>> wrote:
>
>     Sounds great, thank you for the information.
>
>
>     - Bil
>
>     On Thu, Apr 7, 2016 at 9:59 PM, johanna curiel curiel
>     <johanna.curiel at owasp.org <mailto:johanna.curiel at owasp.org>> wrote:
>
>
>         >>Apologies, I probably missed it, but is OWASP paying
>         bounties?  Or just providing recognition?  And what's the
>         scope for the program?
>
>         Hi Bill,
>
>         Clarifications on your questions:
>
>         No, OWASP will not be paying bounties but purely recognition,
>         sure in this first phase once it is announced which Bounty
>         management company we have selected
>
>          >>And what's the scope for the program?
>
>         Right now the part I'll be supporting, some security
>         libraries will participate in the program, to start with
>
>           * CSRFGuard
>           * OWASP SeraphimDroid
>
>         Other projects leaders could manage a program directly within
>         the interface, like ZAP.
>
>         The management of vulnerabilities will be totally in charge of
>         the Bounty service provider and only those confirmed bugs we
>         need to finalise verifying
>
>         The idea is also to have a Bounty program for OWASP wiki and
>         mailman, this is led by Frank Catucci and other OWASP
>         volunteers that offered their support:
>         https://www.owasp.org/index.php/Help_Secure_Owasp_assests
>
>         Cheers
>
>         Johanna
>
>
>         On Thu, Apr 7, 2016 at 3:46 PM, Bil Corry <bil.corry at owasp.org
>         <mailto:bil.corry at owasp.org>> wrote:
>
>             Apologies, I probably missed it, but is OWASP paying
>             bounties?  Or just providing recognition?  And what's the
>             scope for the program?
>
>
>             - Bil
>
>             On Wed, Apr 6, 2016 at 10:53 PM, Jim Manico
>             <jim.manico at owasp.org <mailto:jim.manico at owasp.org>> wrote:
>
>                 All good Josh, thank you for this. I support the process.
>
>                 Aloha,
>                 Jim
>
>
>                 On 4/6/16 10:12 AM, Josh Sokol wrote:
>>                 OWASP Board,
>>
>>                 The OWASP Bug Bounty initiative team, consisting of
>>                 Kelly, Claudia, Johanna, Frank, Simon, and myself,
>>                 have performed both a technical and contractual
>>                 analysis of three bug bounty vendors.  We have come
>>                 to a consensus on the vendor that we feel will
>>                 provide us with the most capabilities and will be the
>>                 best fit for the OWASP Foundation. Before we notify
>>                 the vendors and make an announcement of our selected
>>                 vendor, I wanted to ask if any of you had any
>>                 reservations with respect to the team's ability to
>>                 conduct an impartial evaluation and select a vendor
>>                 to move forward with?  If there are any concerns, I
>>                 want to make sure that they are addressed now, before
>>                 an announcement has been made.  If not, then you can
>>                 expect an announcement in the next few days.  Thank you.
>>
>>                 ~josh
>>
>>
>>                 _______________________________________________
>>                 Owasp-board mailing list
>>                 Owasp-board at lists.owasp.org
>>                 <mailto:Owasp-board at lists.owasp.org>
>>                 https://lists.owasp.org/mailman/listinfo/owasp-board
>
>
>         -- 
>         Johanna Curiel
>         OWASP Volunteer
>