[Owasp-board] OWASP Bug Bounty Proposals

Kevin W. Wall kevin.w.wall at gmail.com
Fri Apr 8 22:57:42 UTC 2016


Josh, et al,

Thank you for going through this difficult exercise to pick a vendor from
an open RFP process. I think that reinforces OWASP's reputation by being
transparent, open, and vendor neutral.

Also, thanks for picking BugCrowd as that means I won't have to burn their
cool T-shirt. ;-)

-kevin
Sent from my Droid; please excuse typos.
On Apr 8, 2016 6:24 PM, "Josh Sokol" <josh.sokol at owasp.org> wrote:

> Board,
>
> We had three companies submit proposals for the OWASP Bug Bounty Program.
> Selecting one of them was a very difficult decision.  With the proposals
> themselves being fairly equal, we placed much of our emphasis in making the
> decision on the functional aspects of the platforms.  Johanna created an
> excellent matrix of desired functionality which we were able to use to
> narrow down to the one we selected.  Even that was a difficult decision,
> but we have officially given the nod to the company who handles the triage
> and validation of vulnerabilities internally (as opposed to outsourced) as
> we felt that having an internal team looking after us would provide the
> most value.  We are still firming up the contractual pieces, but I feel
> confident in announcing to you that we have officially selected BugCrowd as
> OWASP's new Bug Bounty platform.
>
> The BugCrowd team is very excited about the prospects of working more
> closely with us and has already reached out to Johanna about onboarding a
> couple of projects that she was interested in handling bug bounties for.  I
> am out on vacation next week, but my next steps here will be to work with
> the staff as well as some members of the team and community in order to
> scope out and define what a formal bug bounty program will look like for
> the OWASP Foundation and its assets.  I am unable to attend this month's
> Board meeting, so please consider this my official update on the progress
> and I will hopefully have an update on our progression for the May
> meeting.  Thank you!
>
> ~josh
>
> On Thu, Apr 7, 2016 at 3:48 PM, Bil Corry <bil.corry at owasp.org> wrote:
>
>> Sounds great, thank you for the information.
>>
>>
>> - Bil
>>
>> On Thu, Apr 7, 2016 at 9:59 PM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>>
>>> > Apologies, I probably missed it, but is OWASP paying bounties?  Or just
>>> > providing recognition?  And what's the scope for the program?
>>>
>>> Hi Bil,
>>>
>>> Clarifications on your questions:
>>>
>>> No, OWASP will not be paying bounties but purely recognition, sure in
>>> this first phase once it is announced which Bounty management company we
>>> have selected
>>>
>>> > And what's the scope for the program?
>>>
>>> Right now the part I'll be supporting, some security libraries will
>>> participate in the program, to start with
>>>
>>>    - CSRFGuard
>>>    - OWASP SeraphimDroid
>>>
>>> Other projects leaders could manage a program directly within the
>>> interface, like ZAP.
>>>
>>> The management of vulnerabilities will be totally in charge of the
>>> Bounty service provider and only those confirmed bugs we need to finalise
>>> verifying
>>>
>>> The idea is also to have a Bounty program for OWASP wiki and mailman,
>>> this is led by Frank Catucci and other OWASP volunteers that offered their
>>> support:
>>> https://www.owasp.org/index.php/Help_Secure_Owasp_assests
>>>
>>> Cheers
>>>
>>> Johanna
>>>
>>>
>>> On Thu, Apr 7, 2016 at 3:46 PM, Bil Corry <bil.corry at owasp.org> wrote:
>>>
>>>> Apologies, I probably missed it, but is OWASP paying bounties?  Or just
>>>> providing recognition?  And what's the scope for the program?
>>>>
>>>>
>>>> - Bil
>>>>
>>>> On Wed, Apr 6, 2016 at 10:53 PM, Jim Manico <jim.manico at owasp.org>
>>>> wrote:
>>>>
>>>>> All good Josh, thank you for this. I support the process.
>>>>>
>>>>> Aloha,
>>>>> Jim
>>>>>
>>>>>
>>>>> On 4/6/16 10:12 AM, Josh Sokol wrote:
>>>>>
>>>>> OWASP Board,
>>>>>
>>>>> The OWASP Bug Bounty initiative team, consisting of Kelly, Claudia,
>>>>> Johanna, Frank, Simon, and myself, have performed both a technical and
>>>>> contractual analysis of three bug bounty vendors.  We have come to a
>>>>> consensus on the vendor that we feel will provide us with the most
>>>>> capabilities and will be the best fit for the OWASP Foundation.  Before we
>>>>> notify the vendors and make an announcement of our selected vendor, I
>>>>> wanted to ask if any of you had any reservations with respect to the team's
>>>>> ability to conduct an impartial evaluation and select a vendor to move
>>>>> forward with?  If there are any concerns, I want to make sure that they are
>>>>> addressed now, before an announcement has been made.  If not, then you can
>>>>> expect an announcement in the next few days.  Thank you.
>>>>>
>>>>> ~josh
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer
>>>
>>
>>
>