[Owasp-board] Initial Funding for OWASP Bug Bounty Program

Matt Tesauro matt.tesauro at owasp.org
Mon Apr 18 15:51:28 UTC 2016

My thoughts for what they are worth:

My understanding was that the scope of this effort was OWASP projects - so
that our projects have been vetted and, hopefully, are free from security
defects.  This seems like a very sensible use of Foundation resources.

Pointing the Bug Bounty masses at the OWASP infrastructure, even with the
initial triage handled by a 3rd party, is foolish.  Why?

   - I can list the problems with the current infrastructure for you at
   zero cost. There is very little value in these being rediscovered by random
   Internet bug hunters.
   - I've spent the last 3 weekends writing various fail2ban rules to try
   and stop the dramatic increase in automated crawling (aka pro bono
   scanning) of the wiki.  The wiki, which wasn't running anywhere near
   capacity, has been hitting 100% CPU and throwing high load/CPU monitoring
   alerts from shortly after our 'draft' policy was placed on the OWASP wiki -
   see https://www.owasp.org/index.php/About_OWASP/Bug_Bounty
   - It took several iterations to find a rule that adequately blocks punks
   and lets the staff aka heavy wiki users get things done.  During those
   iterations, several of the staff were temporarily blocked from the wiki by
   - Ask the staff about how much they liked last week when two instances
   of some Internet putz fuzzing our Wiki account registration have created a
   backlog of bogus registrations.  Beyond the hundreds of notification emails
   the staff and I received, we now have a wiki registration system which
      - Needs to manually have 100's of bogus requests reviewed and deleted
      - Legit requests are getting lost in the bogus requests
      - On one occasion, a bogus registration was accidentally confirmed
      leading to SPAM on the wiki which then needs to be cleaned up, wasting
      more staff time/resources non-productively.

I completely agree that bug bounties of our PROJECTS is a great idea.

However, until we have an infrastructure that is both more resilient and
shored up with the issues we already know about, having the Internet poke
at our servers is counterproductive.  Of late, my 10 hours per week are
spent either cleaning up cruft from those that don't realize that wiki page
isn't an endorsement to poke at our infrastructure or just routine

The opportunity cost of a bug bounty is

   - Staff work interrupted, delayed or refocused on clean-up that
   inevitably happens when those with ranges of skills poke at infrastructure.
   - Fire drills for our Infrastructure rather than planned and focused
   upgrades across our infrastructure.  I'd have much rather used the last 3
   weeks of my 10 hours to complete setting up a new Mailman instance.
   Instead, I'm cleaning up messes and answering emails about problems I
   already know about and have prioritized lower for various reasons.  This
   email is an example of me being diverted from infrastructure enhancing

Considering the large difference between my 'day job' pay rate and what
OWASP pays me for 10 hours/week and the fact that I have and like my
family, I'm loath to spend more than my allotted OWASP time - though I
frequently do anyway.

</Matt's 2 cents>

-- Matt Tesauro
OWASP WTE Project Lead
http://AppSecLive.org - Community and Download site
OWASP OpenStack Security Project Lead

On Mon, Apr 18, 2016 at 10:18 AM, Josh Sokol <josh.sokol at owasp.org> wrote:

> My thinking is that this bounty would be used for the OWASP Foundation
> resources.  The wiki, conference sites, etc.  Projects could participate
> with kudos and could self-fund out of their project funds for any bounties
> that they would like to pay out.  I still need to work on defining those
> rules of engagement, but for now we need to come up with an initial deposit
> amount that we feel comfortable transferring to BugCrowd to get this
> rolling.
> ~josh
> On Mon, Apr 18, 2016 at 10:07 AM, Matt Konda <matt.konda at owasp.org> wrote:
>> Josh,
>> I would support putting some $ behind this.  Definitely a bounded small
>> initial commitment but $.  That will result in better faster feedback IMO.
>> I think we need to make sure we think through how it gets used.  90% to a
>> smaller lesser known OWASP project and 10% to ZAP for example might be a
>> possible problem.  Do we have a rule that project committers can't receive
>> bounty?  :)
>> We could start with a few projects and do the kudos approach and match
>> funds that those projects want to use.
>> I defer to the team that is focused here, just wanted to share my
>> thoughts.
>> Matt
>> On Mon, Apr 18, 2016 at 9:06 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>> Board,
>>> Now that we have announced BugCrowd as our bug bounty program platform,
>>> it is time to take the next step of figuring out how much of a bounty we
>>> want to start with.  There is no minimum funding amount (we could do "kudo"
>>> bounties if we want) and we can scale the rewards however we would like for
>>> different categories.  Obviously, money equates to more motivated
>>> researchers.  BugCrowd's recommendation is to fund the initial pot at
>>> $5,000 and go from there.  I think we were originally talking about just
>>> leveraging a Wall of Fame to start with (i.e. "kudos"), but I wanted to see
>>> what others thought about it.  Should we throw some money into the pot?
>>> How much?  Your feedback is greatly appreciated.
>>> ~josh
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
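The fail2ban point in Matt's message (block automated crawlers by request rate, but keep the staff, who are heavy wiki users, unblocked) is easy to get wrong without seeing the threshold logic in isolation. The following is an added example written for this page; it is not OWASP's infrastructure code nor an actual fail2ban rule. It reimplements the core of a fail2ban jail in plain Python over constructed access log lines: a source address that reaches `maxretry` hits within any `findtime`-second window is flagged, unless it falls inside an `ignoreip` network. The option names mirror fail2ban's `jail.local` keys; the sample addresses 203.0.113.10, 198.51.100.5 and 192.0.2.7 and the log lines are constructed. It goes slightly beyond the message by showing the same run with and without the allowlist, which is exactly the staff-lockout case the message describes.

```python
"""Rate-based crawler detection over web server access logs.

Added example (not OWASP infrastructure code and not a real fail2ban filter):
flag a source address that makes `maxretry` requests within `findtime`
seconds, but never flag addresses covered by `ignoreip` (staff / heavy
legitimate users). Option names deliberately match fail2ban's jail options.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Apache/nginx "combined"-style line: remote address first, timestamp in brackets.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, unix_time, request) or None if the line is not an access hit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT).timestamp()
    return m.group("ip"), ts, m.group("req")


def find_offenders(log_text, maxretry=10, findtime=60, ignoreip=()):
    """Sliding-window hit count per source IP.

    Returns {ip: time_of_trigger} for every address whose hits inside some
    `findtime`-second window reached `maxretry` and that is not inside an
    `ignoreip` network. Unparseable lines are skipped, as fail2ban would.
    """
    allow = [ip_network(n, strict=False) for n in ignoreip]
    window = defaultdict(deque)  # ip -> timestamps of hits still inside findtime
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        if ip in flagged or any(ip_address(ip) in net for net in allow):
            continue
        q = window[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:  # age out hits older than findtime
            q.popleft()
        if len(q) >= maxretry:
            flagged[ip] = ts
    return flagged


def _hits(ip, path, count, gap_seconds):
    """Construct `count` fake access log lines from `ip`, `gap_seconds` apart."""
    base = datetime(2016, 4, 18, 14, 0, 0, tzinfo=timezone.utc)
    return [
        f'{ip} - - [{(base + timedelta(seconds=i * gap_seconds)).strftime(TS_FMT)}] '
        f'"GET {path}{i} HTTP/1.1" 200 512'
        for i in range(count)
    ]


# Constructed sample traffic: a crawler, a staff member doing heavy editing,
# an ordinary reader, and one junk line that must be ignored.
SAMPLE_LOG = "\n".join(
    _hits("203.0.113.10", "/index.php/Special:AllPages?from=", 30, 1)  # crawler
    + _hits("198.51.100.5", "/index.php?action=edit&page=", 30, 1)    # staff
    + _hits("192.0.2.7", "/index.php/Main_Page?r=", 4, 20)            # reader
    + ["this line is not an access log entry"]
)


def demo(with_allowlist=True):
    """Run the sample through the jail logic; returns the flagged {ip: ts} map."""
    ignore = ["198.51.100.0/24"] if with_allowlist else []
    return find_offenders(SAMPLE_LOG, maxretry=10, findtime=60, ignoreip=ignore)


if __name__ == "__main__":
    print("with ignoreip:   ", sorted(demo(True)))
    print("without ignoreip:", sorted(demo(False)))
```

Without the `ignoreip` entry the staff address is flagged just like the crawler, because by request rate alone the two are indistinguishable; that is the lockout the message describes, and the allowlist (or a higher `maxretry` for known networks) is the fix. Running this over a copy of a real access log before enabling the jail lets you pick `maxretry`/`findtime` values that separate crawlers from heavy legitimate users.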