[Owasp-board] OWASP Bug Bounty Proposals

Matt Konda matt.konda at owasp.org
Fri Apr 8 22:31:40 UTC 2016


Great work Josh and team.

Matt Konda
@mkonda

> On Apr 8, 2016, at 5:24 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
> 
> Board,
> 
> We had three companies submit proposals for the OWASP Bug Bounty Program.  Selecting one of them was a very difficult decision.  With the proposals themselves being fairly equal, we placed much of our emphasis in making the decision on the functional aspects of the platforms.  Johanna created an excellent matrix of desired functionality which we were able to use to narrow down to the one we selected.  Even that was a difficult decision, but we have officially given the nod to the company who handles the triage and validation of vulnerabilities internally (as opposed to outsourced) as we felt that having an internal team looking after us would provide the most value.  We are still firming up the contractual pieces, but I feel confident in announcing to you that we have officially selected BugCrowd as OWASP's new Bug Bounty platform.
> 
> The BugCrowd team is very excited about the prospects of working more closely with us and has already reached out to Johanna about onboarding a couple of projects that she was interested in handling bug bounties for.  I am out on vacation next week, but my next steps here will be to work with the staff as well as some members of the team and community in order to scope out and define what a formal bug bounty program will look like for the OWASP Foundation and its assets.  I am unable to attend this month's Board meeting, so please consider this my official update on the progress and I will hopefully have an update on our progression for the May meeting.  Thank you!
> 
> ~josh
> 
>> On Thu, Apr 7, 2016 at 3:48 PM, Bil Corry <bil.corry at owasp.org> wrote:
>> Sounds great, thank you for the information.
>> 
>> 
>> - Bil
>> 
>>> On Thu, Apr 7, 2016 at 9:59 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>> 
>>> > Apologies, I probably missed it, but is OWASP paying bounties?  Or just providing recognition?  And what's the scope for the program?
>>> 
>>> Hi Bil,
>>> 
>>> Clarifications on your questions:
>>> 
>>> No, OWASP will not be paying bounties but purely giving recognition, sure, in this first phase, once it is announced which bounty management company we have selected.
>>> 
>>> > And what's the scope for the program?
>>> 
>>> Right now, for the part I'll be supporting, some security libraries will participate in the program, to start with:
>>> CSRFGuard
>>> OWASP SeraphimDroid
>>> Other project leaders could manage a program directly within the interface, like ZAP.
>>> 
>>> The management of vulnerabilities will be totally in the charge of the bounty service provider, and only those confirmed bugs will we need to finalise verifying.
>>> 
>>> The idea is also to have a bounty program for the OWASP wiki and mailman; this is led by Frank Catucci and other OWASP volunteers that offered their support:
>>> https://www.owasp.org/index.php/Help_Secure_Owasp_assests
>>> 
>>> Cheers
>>> 
>>> Johanna
>>> 
>>> 
>>>> On Thu, Apr 7, 2016 at 3:46 PM, Bil Corry <bil.corry at owasp.org> wrote:
>>>> Apologies, I probably missed it, but is OWASP paying bounties?  Or just providing recognition?  And what's the scope for the program?
>>>> 
>>>> 
>>>> - Bil
>>>> 
>>>>> On Wed, Apr 6, 2016 at 10:53 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>> All good Josh, thank you for this. I support the process.
>>>>> 
>>>>> Aloha,
>>>>> Jim
>>>>> 
>>>>> 
>>>>>> On 4/6/16 10:12 AM, Josh Sokol wrote:
>>>>>> OWASP Board,
>>>>>> 
>>>>>> The OWASP Bug Bounty initiative team, consisting of Kelly, Claudia, Johanna, Frank, Simon, and myself, have performed both a technical and contractual analysis of three bug bounty vendors.  We have come to a consensus on the vendor that we feel will provide us with the most capabilities and will be the best fit for the OWASP Foundation.  Before we notify the vendors and make an announcement of our selected vendor, I wanted to ask if any of you had any reservations with respect to the team's ability to conduct an impartial evaluation and select a vendor to move forward with?  If there are any concerns, I want to make sure that they are addressed now, before an announcement has been made.  If not, then you can expect an announcement in the next few days.  Thank you.
>>>>>> 
>>>>>> ~josh
>>>>>> 
>>>>>> 
>>>>>> _______________________________________________
>>>>>> Owasp-board mailing list
>>>>>> Owasp-board at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>> 
>>>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> Johanna Curiel 
>>> OWASP Volunteer
> 