[Owasp-board] Initial Funding for OWASP Bug Bounty Program

Jim Manico jim.manico at owasp.org
Mon Apr 18 18:34:07 UTC 2016


I can help with the registration page issue (I assume those fake regs are
triggered from a scanner and not manual efforts).

We need to change a LITTLE code on the registration page, but there are
a few simple techniques that can remove scanner-based registration
fairly easily. Happy to talk offline about this if you like.

And in general Matt, thanks for adding needed clarity to this situation.
We appreciate your perspective.


On 4/18/16 5:51 AM, Matt Tesauro wrote:
> My thoughts for what they are worth:
> My understanding was that the scope of this effort was OWASP projects
> - so that our projects have been vetted and, hopefully, are free from
> security defects.  This seems like a very sensible use of Foundation
> resources.
> Pointing the Bug Bounty masses at the OWASP infrastructure, even with
> the initial triage handled by a 3rd party, is foolish.  Why? 
>   * I can list the problems with the current infrastructure for you
>     and zero cost. There is very little value in these being
>     rediscovered by random Internet bug hunters. 
>   * I've spent the last 3 weekends writing various fail2ban rules to
>     try and stop the dramatic increase in automated crawling (aka pro
>     bono scanning) of the wiki.  The wiki, which wasn't running
>     anywhere near capacity, has been hitting 100% CPU and throwing high
>     load/CPU monitoring alerts from shortly after our 'draft' policy
>     was placed on the OWASP wiki -
>     see https://www.owasp.org/index.php/About_OWASP/Bug_Bounty
>       o It took several iterations to find a rule that adequately
>         blocks punks and lets the staff aka heavy wiki users get
>         things done.  During those iterations, several of the staff
>         were temporarily blocked from the wiki by fail2ban. 
>   * Ask the staff about how much they liked last week when two
>     instances of some Internet putz fuzzing our Wiki account
>     registration has created a backlog of bogus registrations.  Beyond
>     the hundreds of notification emails the staff and I received, we
>     now have a wiki registration system which
>       o Needs to manually have 100's of bogus requests reviewed and
>         deleted
>       o Legit requests are getting lost in the bogus requests
>       o On one occasion, a bogus registration was accidentally
>         confirmed leading to SPAM on the wiki which then needs to be
>         cleaned up wasting more staff time/resources non-productively.
> I completely agree that bug bounties of our PROJECTS are a great idea.
> However, until we have an infrastructure that is both more resilient
> and shored up with the issues we already know about, having the
> Internet poke at our servers is counterproductive.  Of late, my 10
> hours per week are spent either cleaning up cruft from those that
> don't realize that wiki page isn't an endorsement to poke at our
> infrastructure or just routine maintenance.
> The opportunity cost of a bug bounty is 
>   * Staff work interrupted, delayed or refocused on clean-up that
>     inevitably happens when those with ranges of skills poke at
>     infrastructure.
>   * Fire drills for our Infrastructure rather than planned and focused
>     upgrades across our infrastructure.  I'd have much rather used the
>     last 3 weeks of my 10 hours to complete setting up a new Mailman
>     instance.  Instead, I'm cleaning up messes and answering emails
>     about problems I already know about and have prioritized lower for
>     various reasons.  This email is an example of me being diverted
>     from infrastructure enhancing activities.
> Considering the large difference between my 'day job' pay rate and
> what OWASP pays me for 10 hours/week and the fact that I have and like
> my family, I'm loath to spend more than my allotted OWASP time -
> though I frequently do anyway.
> </Matt's 2 cents> 
> --
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
> On Mon, Apr 18, 2016 at 10:18 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>     My thinking is that this bounty would be used for the OWASP
>     Foundation resources.  The wiki, conference sites, etc.  Projects
>     could participate with kudos and could self-fund out of their
>     project funds for any bounties that they would like to pay out.  I
>     still need to work on defining those rules of engagement, but for
>     now we need to come up with an initial deposit amount that we feel
>     comfortable transferring to BugCrowd to get this rolling.
>     ~josh
>     On Mon, Apr 18, 2016 at 10:07 AM, Matt Konda <matt.konda at owasp.org> wrote:
>         Josh,
>         I would support putting some $ behind this.  Definitely a
>         bounded small initial commitment but $.  That will result in
>         better faster feedback IMO.
>         I think we need to make sure we think through how it gets
>         used.  90% to a smaller lesser known OWASP project and 10% to
>         ZAP for example might be a possible problem.  Do we have a
>         rule that project committers can't receive bounty?  :)
>         We could start with a few projects and do the kudos approach
>         and match funds that those projects want to use.
>         I defer to the team that is focused here, just wanted to share
>         my thoughts.
>         Matt
>         On Mon, Apr 18, 2016 at 9:06 AM, Josh Sokol
>         <josh.sokol at owasp.org> wrote:
>             Board,
>             Now that we have announced BugCrowd as our bug bounty
>             program platform, it is time to take the next step of
>             figuring out how much of a bounty we want to start with. 
>             There is no minimum funding amount (we could do "kudo"
>             bounties if we want) and we can scale the rewards however
>             we would like for different categories.  Obviously, money
>             equates to more motivated researchers.  BugCrowd's
>             recommendation is to fund the initial pot at $5,000 and go
>             from there.  I think we were originally talking about just
>             leveraging a Wall of Fame to start with (ie. "kudos"), but
>             I wanted to see what others thought about it.  Should we
>             throw some money into the pot?  How much?  Your feedback
>             is greatly appreciated.
>             ~josh
>             _______________________________________________
>             Owasp-board mailing list
>             Owasp-board at lists.owasp.org
>             https://lists.owasp.org/mailman/listinfo/owasp-board
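As an added example (not part of this thread, and not OWASP's actual fail2ban rules): the decision Matt's fail2ban rules encode, a maxretry/findtime count of account-creation POSTs per client IP, run over constructed Apache-style access log lines with hypothetical addresses and the MediaWiki signup path.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log lines (Apache combined format; hypothetical
# client IPs). The MediaWiki signup form is POSTed to Special:UserLogin with
# type=signup, which is what a registration fuzzer hammers.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Apr/2016:10:01:02 +0000] "POST /index.php?title=Special:UserLogin&action=submitlogin&type=signup HTTP/1.1" 200 512 "-" "python-requests/2.9"
203.0.113.7 - - [18/Apr/2016:10:01:05 +0000] "POST /index.php?title=Special:UserLogin&action=submitlogin&type=signup HTTP/1.1" 200 512 "-" "python-requests/2.9"
203.0.113.7 - - [18/Apr/2016:10:01:09 +0000] "POST /index.php?title=Special:UserLogin&action=submitlogin&type=signup HTTP/1.1" 200 512 "-" "python-requests/2.9"
203.0.113.7 - - [18/Apr/2016:10:01:14 +0000] "POST /index.php?title=Special:UserLogin&action=submitlogin&type=signup HTTP/1.1" 200 512 "-" "python-requests/2.9"
203.0.113.7 - - [18/Apr/2016:10:01:20 +0000] "POST /index.php?title=Special:UserLogin&action=submitlogin&type=signup HTTP/1.1" 200 512 "-" "python-requests/2.9"
203.0.113.7 - - [18/Apr/2016:10:01:27 +0000] "POST /index.php?title=Special:UserLogin&action=submitlogin&type=signup HTTP/1.1" 200 512 "-" "python-requests/2.9"
198.51.100.4 - - [18/Apr/2016:10:03:00 +0000] "POST /index.php?title=Special:UserLogin&action=submitlogin&type=signup HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Apr/2016:10:05:00 +0000] "GET /index.php/Main_Page HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Apr/2016:09:00:00 +0000] "POST /index.php?title=Special:UserLogin&action=submitlogin&type=signup HTTP/1.1" 200 512 "-" "curl/7.47"
192.0.2.9 - - [18/Apr/2016:09:30:00 +0000] "POST /index.php?title=Special:UserLogin&action=submitlogin&type=signup HTTP/1.1" 200 512 "-" "curl/7.47"
192.0.2.9 - - [18/Apr/2016:10:00:00 +0000] "POST /index.php?title=Special:UserLogin&action=submitlogin&type=signup HTTP/1.1" 200 512 "-" "curl/7.47"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def signup_flooders(log_text, maxretry=5, findtime_s=600):
    """Return {ip: total signup POSTs} for every client that sent at least
    maxretry signup POSTs inside any findtime_s-second window. This is the
    same maxretry/findtime decision a fail2ban jail makes before it bans."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or "type=signup" not in m["path"]:
            continue  # ignore unparsable lines and ordinary page views
        hits[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))
    window = timedelta(seconds=findtime_s)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= maxretry:
                flagged[ip] = len(times)
                break
    return flagged
```

The legitimate user with one signup and the slow client spread over an hour stay below the default 5-in-10-minutes threshold; widening findtime is what catches the slow one, at the cost of blocking staff who register many test accounts, which is the tuning trade-off Matt describes.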
