[Owasp-board] Time to review

johanna curiel curiel johanna.curiel at owasp.org
Sun Feb 21 00:43:15 UTC 2016


>>I am very confused. *No one asked you to do any work here, am I
mistaken? *

Exactly, *thank you for making that clear.*

I don't think you have read properly what I'm trying to say, which is that
these activities, where there seems to be a need for operational support,
such as reviewing or wiki editing, do not have enough traction from
volunteer efforts and are therefore not sustainable. Many talk cheap and in the
end there are not enough people to back up operations.

If you consider the wiki a success (with the XSS fiasco included), then you
have not read the responses people provided in the survey I did, where 50
members of our community responded. Have you read what they say?

I'm looking for a discussion around solutions and creating initiatives that
are sustainable.

Once again Jim, thank you for making it very clear to me how you think.

I was expecting some discussion around sustainability.

Cheers

Johanna

On Sat, Feb 20, 2016 at 8:29 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Johanna,
>
> All I asked is that we give other vendors a chance to propose a bug bounty
> program instead of just choosing one vendor. I am not "the decider" here. I
> did not initiate the bug bounty program nor do I disagree with all of your
> comments below. I am sure we will face several challenges. I still think
> it's a good idea to try and I'm grateful Josh is taking a leadership
> position here.
>
> > I'm out of this equation regarding any decisions of a bounty program and
> management of it in the future.
>
> For someone who is "out of the equation" you sure have a lot to say! No
> one is asking you to do - any work. You are a volunteer (like me) and you
> do as you like when you feel like it and that is ok.
>
> > Wiki have shown that volunteer based does not work.
>
> I strongly disagree. I know the wiki is tough for some to read, and it
> needs work, but several pages have received millions of hits and have
> helped many on several issues. I know the wiki needs work, but I am proud
> of the accomplishments of the thousands of volunteers who have contributed
> to that knowledge base in some way.
>
> > Therefore, I prefer to abstain from participating in this bounty initiative
> because my workload has multiplied by the dozen, and as a volunteer, I
> cannot provide any guarantees of my availability in the future.
>
> I am very confused. No one asked you to do any work here, am I mistaken? I
> do not understand why you are upset or are abstaining in something that I
> did not even know you were a part of. I just recall you (and Josh) getting
> very upset that I even suggested we look at other vendor proposals....
> First you suggest we get a specific vendor for an OWASP bug bounty program,
> then you get upset that I suggested we discuss this with other vendors, and
> now you are abstaining. It's hard for me to follow what you want here. I have
> watched you email the world about "taking on an initiative" and then quit
> several times now, that I am having a lot of trouble following your work
> and needs. And I have done this a few times myself, I'm not perfect. But I
> do keep trying.
>
> > This counts for the review process. This is the reason why we, Enrico
> and I, proposed to decentralise and focus on a platform. Even so, this
> platform is highly dependent on volunteers. So far, only 6 members have
> voted for Graduation of the OWASP security project. We lack participation. I
> feel like no one cares. Or people just don't want to participate in this
> kind of thing. I have no freaking idea.
>
> Johanna, if you are not satisfied with your volunteer activities, then I
> suggest you find another way to lend support at OWASP (there are many many
> things going on with application security) or *take a break and take some
> time off*. OWASP is not supposed to get you angry or make you feel
> unsatisfied.  It's Saturday night and I'm stuck in Chicago so I'm going to
> work on a few wiki tasks on my plate because that gives me a lot of
> satisfaction - even in the face of other folks, like yourself, who do not
> see the value in the wiki. I do - so I'm going to keep at it.
>
> > Furthermore, you end up as a solo-player, nobody gives you thanks, when all
> you are trying to do is help, burning your free time chasing
> waterfalls. (That counts for you with the wiki editing of +8000 pages, I
> guess all you hear is criticism just as I do, and people just tend to
> forget we are not OWASP staff, we are volunteers)
>
> Yea, I think that if you join OWASP because you want "thanks" - you're in
> it for the wrong reason. Johanna, I have seen folks give you MANY
> compliments - over and over and over - on big public lists - from folks all
> over the world - and it does not seem to be enough for you, so I do not
> know what to tell you. I do the work I do at OWASP because I believe in it
> and find the value in it. I don't want thanks - I actually dislike getting
> public thanks - I just want more volunteers involved. And I find that
> leading by example helps. There are quite a few folks working on the wiki
> with me. I am super grateful for them all. Generating new content is not an
> issue, dealing with older content is.
>
> > Whatever the reason, the effect is that volunteer-based initiatives such as
> the wiki, reviews and possibly the bounty program do not seem to work.
>
> This is a fair point regarding the bug bounty program. Please keep in mind
> that several of the bounty programs proposed would be vendor driven, not
> volunteer driven. It's not decided yet nor is it my call (or even charge).
> This thread started because I asked to be vendor neutral, and if this was
> to start over I'd do the same.
>
> Have a nice Saturday night. I'm off to work on the Java wiki page and do a
> little cleanup.
>
> Aloha,
> - Jim
>
>
> On 2/20/16 11:14 AM, johanna curiel curiel wrote:
>
> >>I trust those involved will make a good decision here.
>
> >>First, the current proposal *does not include the triage, reproduction,
> and remediation piece* (the Bugcrowd one does).  After speaking with them
> about this, they explained that it is because there are additional costs
> involved with that because they partner with other companies to provide
> that service.  That said, they offered to talk to one of their partners and
> had a strong belief that they could offer this to us as well.
>
> Hi Jim.
>
> I'm all in favour of vendor neutrality at all times. I admire your
> pro-activeness in these matters, however, at this point, I'm out of this
> equation regarding any decisions of a bounty program and management of it
> in the future.
>
> One of the major problems we have, is to create sustainable initiatives.
> I'm a volunteer with limited time. My availability will vary a lot and this
> is common for volunteers.
>
> I think it is important that we ask ourselves who will be accountable for the
> system we bring in and able to manage this continuously. Volunteer based,
> I'm not convinced.
>
> Wiki and Reviews have shown that volunteer-based does not work. Therefore,
> I prefer to abstain from participating in this bounty initiative because my
> workload has multiplied by the dozen, and as a volunteer, I cannot provide
> any guarantees of my availability in the future.
>
> This counts for the review process. This is the reason why we, Enrico and
> I, proposed to decentralise and focus on a platform. Even so, this platform
> is highly dependent on volunteers. So far, only 6 members have voted for
> Graduation of the OWASP security project. We lack participation. I feel like
> no one cares. Or people just don't want to participate in this kind of
> thing. I have no freaking idea.
>
> So far, there have not been any reviewers that have worked on reviews since
> we restarted this initiative. Even before, when Claudia started offering
> Amazon cards in exchange for reviews, only 2 persons participated for 2
> reviews on different projects. We keep on looking, I believe Claudia has
> contacted them, but in the end, nothing.
>
> I took many hours to build that criteria and let people comment and
> collaborate, so we make this process easier. There has been some
> participation, but from very few. We provide the community with all the
> opportunities to participate but still, there is a lack of interest in
> this subject.
>
> I spoke with Jason Li, and even in an interview you did with him in 2008, he
> had the same idea of providing a platform for participation, but people
> don't want to volunteer for these kinds of tasks, just as happens with
> the wiki.
>
> Furthermore, you end up as a solo-player, nobody gives you thanks, when all
> you are trying to do is help, burning your free time chasing
> waterfalls. (That counts for you with the wiki editing of +8000 pages, I
> guess all you hear is criticism just as I do, and people just tend to
> forget we are not OWASP staff, we are volunteers)
>
> I think it is time, from the operational management point of view, to
> revise all these actions and have a very serious talk about this.
>
>    - Are they sustainable only volunteer based?
>    - What has the experience shown?
>    - Why does OWASP lack volunteers to help on these tasks?
>    - Is the workload too big to expect volunteers to do this?
>    - Is this a community that has no time to do this kind of work?
>    - Do they actually want to do these kinds of tasks?
>
> Volunteers are volunteers, they are not workforce nor can you expect the
> same output. You cannot expect anything from them.
>
> A volunteer must feel he gains something back for giving his time. If
> there is no exchange on this part, if he does not feel valued or that his
> work matters, or enjoys what he does, then, I think, volunteer work
> stops. For me, it must have a meaning, that what I do, matters.
>
> Whatever the reason, the effect is that volunteer-based initiatives such as
> the wiki, reviews and possibly the bounty program do not seem to work.
>
> We should evaluate this before we keep bringing in systems that cannot be
> sustained on a volunteer basis.
>
> Cheers
>
> Johanna
>
>
> On Sat, Feb 20, 2016 at 12:17 AM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Josh,
>>
>> I am grateful you took the time to hear other bounty vendors out,
>> especially since I forced your hand to do so to some degree.
>>
>> I trust those involved will make a good decision here.
>>
>> I do not have a charge over this and do not want to interfere, but if you
>> want my assistance just ask.
>>
>> Aloha,
>> Jim
>>
>>
>>
>> On 2/19/16 4:07 PM, Josh Sokol wrote:
>>
>> I went ahead and spoke with HackerOne this afternoon even though others
>> were unable to make it.  I'm going to be mostly out-of-pocket over the next
>> couple of weeks, but at least wanted to be informed.  I took some notes,
>> included below, but had a couple of things that are worth mentioning here.
>> First, the current proposal does not include the triage, reproduction, and
>> remediation piece (the Bugcrowd one does).  After speaking with them about
>> this, they explained that it is because there are additional costs involved
>> with that because they partner with other companies to provide that
>> service.  That said, they offered to talk to one of their partners and had
>> a strong belief that they could offer this to us as well.  With that, I
>> think that what they are offering is pretty much equivalent to what
>> Bugcrowd is offering.  That said, the ask is **VERY** different.  While
>> Bugcrowd is looking for an OWASP Platinum sponsorship package in exchange
>> for their services, HackerOne is literally asking for nothing.  They said
>> that they are big supporters of the OWASP Foundation and what we stand for
>> and want to do this to help us out.  I was not expecting this, but am
>> extremely happy with what I heard from them.  We haven't talked to Cobalt
>> yet, but my gut at this point is that HackerOne would make for a great
>> partner on this and I would recommend, if we were to accept their offer,
>> providing them with a logo placement on the supporter page (as a minimum)
>> as a token of our appreciation.
>>
>> So, I realize that we still have one more vendor to talk to, but
>> HackerOne looks really good.  With Johanna out-of-pocket for the
>> foreseeable future, I wanted to make a recommendation to pull Simon
>> Bennetts (if he is willing) into this evaluation process.  I think that a
>> bug bounty program would be of huge benefit to his efforts, and would like
>> to get his impression of the value of such a tool for his project.  Simon,
>> would you be willing to hop on a call with the HackerOne folks to take a
>> look at their platform?  Or, if you'd prefer, we have access to the
>> platform already and can get you an account to poke around with on your
>> own.
>>
>> In any case, notes are below.  Have a great weekend!
>>
>> ~josh
>>
>> *Your Platform:*
>>
>>    - Workflow & Automation: Focused on engineering the world's most
>>    advanced vulnerability coordination platform.
>>    - Signal: Numerous systems, such as Reputation and hackbot, dedicated
>>    to ensuring high signal programs.
>>    - Transparent: All hackers have a profile, history and reputation.
>>    Advanced public disclosure workflow when needed.
>>
>> *You are in Control:*
>>
>>    - Flexible: Run private or public programs, with or without bounties,
>>    managed or unmanaged.
>>    - Ownership: You own your data.  HackerOne makes no claims on
>>    Vulnerability Information.
>>    - Multiparty Coordination: Easily pull in other vendors or external
>>    parties into a case.
>>
>> *Service Donation:*
>>
>>    - Waive bounty service fees
>>    - Donate HackerOne Enterprise and a dedicated success manager for min
>>    2 years.
>>
>> FREE Program
>>
>>    - [email protected] Workflow
>>    - Hacker Reputation
>>    - Intelligent Duplication Detection
>>    - Automation
>>    - Issue Tracker Integration
>>    - Analytics Dashboard
>>
>> PROFESSIONAL Program ($2k/mo)
>>
>>    - Everything in Free
>>    - Advanced Hacker Matching
>>    - Performance Benchmarking
>>    - Launch & Optimization Guidance
>>    - Report Mediation
>>    - Reports API
>>
>> ENTERPRISE Program:
>>
>>    - Everything in Professional
>>    - Dedicated Success Manager
>>    - Custom Analytics & Reporting
>>    - Custom Integrations
>>    - Custom Branding Theme
>>    - Communications Guidance
>>
>> ADD ON: Bug Bounty Global Payments (Included in our deal)
>>
>> ADD ON: HackerOne Managed - Triage, Reproduction & Remediation Guidance
>> (Not included today in the proposal.  Implemented by partners.  Need to
>> negotiate this.)
>>
>>    - Would propose to have a separate instance for each project + OWASP
>>    Foundation resources
>>    - Do not want anything in return.  Support the OWASP Foundation and
>>    what we are doing.
>>    - Have a built in leaderboard sortable by timeframe
>>    - Ranks hackers based on "signal" and "impact"
>>    - Have an integration with Salesforce ticketing
>>    - Support a wide range of common disclosure scenarios such as "public
>>    disclosure".  By default they are confidential.
>>
>>
>
> --
> Johanna Curiel
> OWASP Volunteer
>


-- 
Johanna Curiel
OWASP Volunteer