[Owasp-board] OWASP Bug Bounty Proposals

Josh Sokol josh.sokol at owasp.org
Sat Apr 9 00:12:26 UTC 2016


Tom,

That page has already caused us a few headaches when it got put up without
a process behind it (see the person I added to the Wall of Fame).  On a
positive note, Dhiraj subsequently volunteered to help us with this
project.  I realize that it's exciting and we all want to get stuff done,
but please, let's hold the horses for a little bit so that we can determine
the scope, get a process in place, and move things forward in an effective
manner.  Thank you!

~josh

On Fri, Apr 8, 2016 at 5:46 PM, Tom Brennan <tomb at proactiverisk.com> wrote:

> Excellent, let's update this then and push it live
>
> https://www.owasp.org/index.php/About_OWASP/Bug_Bounty
>
>
> On Friday, April 8, 2016, Matt Konda <matt.konda at owasp.org> wrote:
>
>> Great work Josh and team.
>>
>> Matt Konda
>> @mkonda
>>
>> On Apr 8, 2016, at 5:24 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>> Board,
>>
>> We had three companies submit proposals for the OWASP Bug Bounty
>> Program.  Selecting one of them was a very difficult decision.  With the
>> proposals themselves being fairly equal, we placed much of our emphasis in
>> making the decision on the functional aspects of the platforms.  Johanna
>> created an excellent matrix of desired functionality which we were able to
>> use to narrow down to the one we selected.  Even that was a difficult
>> decision, but we have officially given the nod to the company who handles
>> the triage and validation of vulnerabilities internally (as opposed to
>> outsourced) as we felt that having an internal team looking after us would
>> provide the most value.  We are still firming up the contractual pieces,
>> but I feel confident in announcing to you that we have officially selected
>> BugCrowd as OWASP's new Bug Bounty platform.
>>
>> The BugCrowd team is very excited about the prospects of working more
>> closely with us and has already reached out to Johanna about onboarding a
>> couple of projects that she was interested in handling bug bounties for.  I
>> am out on vacation next week, but my next steps here will be to work with
>> the staff as well as some members of the team and community in order to
>> scope out and define what a formal bug bounty program will look like for
>> the OWASP Foundation and its assets.  I am unable to attend this month's
>> Board meeting, so please consider this my official update on the progress
>> and I will hopefully have an update on our progression for the May
>> meeting.  Thank you!
>>
>> ~josh
>>
>> On Thu, Apr 7, 2016 at 3:48 PM, Bil Corry <bil.corry at owasp.org> wrote:
>>
>>> Sounds great, thank you for the information.
>>>
>>>
>>> - Bil
>>>
>>> On Thu, Apr 7, 2016 at 9:59 PM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>>
>>>> > Apologies, I probably missed it, but is OWASP paying bounties?  Or just
>>>> > providing recognition?  And what's the scope for the program?
>>>>
>>>> Hi Bil,
>>>>
>>>> Clarifications on your questions:
>>>>
>>>> No, OWASP will not be paying bounties, but purely recognition, for sure in
>>>> this first phase, once it is announced which Bounty management company we
>>>> have selected.
>>>>
>>>> > And what's the scope for the program?
>>>>
>>>> Right now, for the part I'll be supporting, some security libraries will
>>>> participate in the program, to start with:
>>>>
>>>>    - CSRFGuard
>>>>    - OWASP SeraphimDroid
>>>>
>>>> Other projects leaders could manage a program directly within the
>>>> interface, like ZAP.
>>>>
>>>> The management of vulnerabilities will be totally in the charge of the
>>>> Bounty service provider, and only those confirmed bugs will we need to
>>>> finalise verifying.
>>>>
>>>> The idea is also to have a Bounty program for the OWASP wiki and mailman;
>>>> this is led by Frank Catucci and other OWASP volunteers who offered their
>>>> support:
>>>> https://www.owasp.org/index.php/Help_Secure_Owasp_assests
>>>>
>>>> Cheers
>>>>
>>>> Johanna
>>>>
>>>>
>>>> On Thu, Apr 7, 2016 at 3:46 PM, Bil Corry <bil.corry at owasp.org> wrote:
>>>>
>>>>> Apologies, I probably missed it, but is OWASP paying bounties?  Or just
>>>>> providing recognition?  And what's the scope for the program?
>>>>>
>>>>>
>>>>> - Bil
>>>>>
>>>>> On Wed, Apr 6, 2016 at 10:53 PM, Jim Manico <jim.manico at owasp.org>
>>>>> wrote:
>>>>>
>>>>>> All good Josh, thank you for this. I support the process.
>>>>>>
>>>>>> Aloha,
>>>>>> Jim
>>>>>>
>>>>>>
>>>>>> On 4/6/16 10:12 AM, Josh Sokol wrote:
>>>>>>
>>>>>> OWASP Board,
>>>>>>
>>>>>> The OWASP Bug Bounty initiative team, consisting of Kelly, Claudia,
>>>>>> Johanna, Frank, Simon, and myself, have performed both a technical and
>>>>>> contractual analysis of three bug bounty vendors.  We have come to a
>>>>>> consensus on the vendor that we feel will provide us with the most
>>>>>> capabilities and will be the best fit for the OWASP Foundation.  Before we
>>>>>> notify the vendors and make an announcement of our selected vendor, I
>>>>>> wanted to ask if any of you had any reservations with respect to the team's
>>>>>> ability to conduct an impartial evaluation and select a vendor to move
>>>>>> forward with?  If there are any concerns, I want to make sure that they are
>>>>>> addressed now, before an announcement has been made.  If not, then you can
>>>>>> expect an announcement in the next few days.  Thank you.
>>>>>>
>>>>>> ~josh
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Owasp-board mailing list
>>>>>> Owasp-board at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Johanna Curiel
>>>> OWASP Volunteer
>>>>
>>>
>>>
>>
>>
> The information contained in this message and any attachments may be
> privileged, confidential, proprietary or otherwise protected from
> disclosure. If you, the reader of this message, are not the intended
> recipient, you are hereby notified that any dissemination, distribution,
> copying or use of this message and any attachment is strictly prohibited.
> If you have received this message in error, please notify the sender
> immediately by replying to the message, permanently delete it from your
> computer and destroy any printout.