[Owasp-board] Initial Funding for OWASP Bug Bounty Program

Josh Sokol josh.sokol at owasp.org
Mon Apr 18 16:39:05 UTC 2016

Thanks for the feedback, Matt.  Projects are definitely in scope, on an
opt-in basis, and subject to certain requirements that are yet to be
defined.  There will be both opportunities for "kudos" as well as for paid
bounties for them.  Regardless of whether we are talking about Project
bounties, or Foundation bounties, however, we still need to determine how
much money (if any) we put into the pot.  So, that question remains.

As for the Foundation bounties, I hear what you're saying, and tend to
agree.  If there are low-hanging fruit types of issues, they need to be
addressed internally first.  While I agree that there is little value-add
in piling up more work on your plate, I do find myself curious about the
issues that would be discovered and wondering about proper prioritization
of our limited resources.  I also wonder if, given your current state of
being overworked, we shouldn't open up a full-time position to handle our
IT work (or at least more than the currently allocated 10 hours).  It seems
that there is a lot to be done, and not a lot of time allocated to do it
in.  Ultimately, considering that we are a security organization, we should
be greatly interested in eliminating issues that could lead to compromise.
That would be quite embarrassing.  So, in my opinion, this is a merited
discussion that we probably need to pull into a different thread.


On Mon, Apr 18, 2016 at 10:51 AM, Matt Tesauro <matt.tesauro at owasp.org>

> My thoughts for what they are worth:
> My understanding was that the scope of this effort was OWASP projects - so
> that our projects have been vetted and, hopefully, are free from security
> defects.  This seems like a very sensible use of Foundation resources.
> Pointing the Bug Bounty masses at the OWASP infrastructure, even with the
> initial triage handled by a 3rd party, is foolish.  Why?
>    - I can list the problems with the current infrastructure for you at
>    zero cost. There is very little value in these being rediscovered by random
>    Internet bug hunters.
>    - I've spent the last 3 weekends writing various fail2ban rules to try
>    and stop the dramatic increase in automated crawling (aka pro bono
>    scanning) of the wiki.  The wiki, which wasn't running anywhere near
>    capacity, has been hitting 100% CPU and throwing high load/CPU monitoring
>    alerts from shortly after our 'draft' policy was placed on the OWASP wiki -
>    see https://www.owasp.org/index.php/About_OWASP/Bug_Bounty
>       - It took several iterations to find a rule that adequately blocks
>       punks and lets the staff aka heavy wiki users get things done.  During
>       those iterations, several of the staff were temporarily blocked from the
>       wiki by fail2ban.
>    - Ask the staff about how much they liked last week when two instances
>    of some Internet putz fuzzing our Wiki account registration created a
>    backlog of bogus registrations.  Beyond the hundreds of notification emails
>    the staff and I received, we now have a wiki registration system which
>       - Needs to manually have 100's of bogus requests reviewed and
>       deleted
>       - Legit requests are getting lost in the bogus requests
>       - On one occasion, a bogus registration was accidentally confirmed
>       leading to SPAM on the wiki which then needs to be cleaned up, wasting more
>       staff time/resources non-productively.
> I completely agree that bug bounties of our PROJECTS is a great idea.
> However, until we have an infrastructure that is both more resilient and
> shored up with the issues we already know about, having the Internet poke
> at our servers is counterproductive.  Of late, my 10 hours per week are
> spent either cleaning up cruft from those that don't realize that wiki page
> isn't an endorsement to poke at our infrastructure or just routine
> maintenance.
> The opportunity cost of a bug bounty is
>    - Staff work interrupted, delayed or refocused on clean-up that
>    inevitably happens when those with ranges of skills poke at infrastructure.
>    - Fire drills for our Infrastructure rather than planned and focused
>    upgrades across our infrastructure.  I'd have much rather used the last 3
>    weeks of my 10 hours to complete setting up a new Mailman instance.
>    Instead, I'm cleaning up messes and answering emails about problems I
>    already know about and have prioritized lower for various reasons.  This
>    email is an example of me being diverted from infrastructure enhancing
>    activities.
> Considering the large difference between my 'day job' pay rate and what
> OWASP pays me for 10 hours/week and the fact that I have and like my
> family, I'm loath to spend more than my allotted OWASP time - though I
> frequently do anyway.
> </Matt's 2 cents>
> --
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
> On Mon, Apr 18, 2016 at 10:18 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> My thinking is that this bounty would be used for the OWASP Foundation
>> resources.  The wiki, conference sites, etc.  Projects could participate
>> with kudos and could self-fund out of their project funds for any bounties
>> that they would like to pay out.  I still need to work on defining those
>> rules of engagement, but for now we need to come up with an initial deposit
>> amount that we feel comfortable transferring to BugCrowd to get this
>> rolling.
>> ~josh
>> On Mon, Apr 18, 2016 at 10:07 AM, Matt Konda <matt.konda at owasp.org>
>> wrote:
>>> Josh,
>>> I would support putting some $ behind this.  Definitely a bounded small
>>> initial commitment but $.  That will result in better, faster feedback IMO.
>>> I think we need to make sure we think through how it gets used.  90% to
>>> a smaller lesser known OWASP project and 10% to ZAP for example might be a
>>> possible problem.  Do we have a rule that project committers can't receive
>>> bounty?  :)
>>> We could start with a few projects and do the kudos approach and match
>>> funds that those projects want to use.
>>> I defer to the team that is focused here, just wanted to share my
>>> thoughts.
>>> Matt
>>> On Mon, Apr 18, 2016 at 9:06 AM, Josh Sokol <josh.sokol at owasp.org>
>>> wrote:
>>>> Board,
>>>> Now that we have announced BugCrowd as our bug bounty program platform,
>>>> it is time to take the next step of figuring out how much of a bounty we
>>>> want to start with.  There is no minimum funding amount (we could do "kudo"
>>>> bounties if we want) and we can scale the rewards however we would like for
>>>> different categories.  Obviously, money equates to more motivated
>>>> researchers.  BugCrowd's recommendation is to fund the initial pot at
>>>> $5,000 and go from there.  I think we were originally talking about just
>>>> leveraging a Wall of Fame to start with (i.e. "kudos"), but I wanted to see
>>>> what others thought about it.  Should we throw some money into the pot?
>>>> How much?  Your feedback is greatly appreciated.
>>>> ~josh
>>>> _______________________________________________
>>>> Owasp-board mailing list
>>>> Owasp-board at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-board