[Owasp-board] Time to review

johanna curiel curiel johanna.curiel at owasp.org
Sun Feb 21 00:51:51 UTC 2016


>> I am very confused. *No one asked you to do any work here, am I
>> mistaken?*

*That counts for every volunteer, I assume...*

On Sat, Feb 20, 2016 at 8:50 PM, Jim Manico <jim.manico at owasp.org> wrote:

> > I don't think you have read properly what I'm trying to say, which is
> > that these activities, where there seems to be a need for operational
> > support, such as reviewing or wiki editing, do not have enough traction
> > from volunteer efforts and are therefore not sustainable. Many talk cheap
> > and, in the end, not enough people back up operations.
>
> Right. Wiki could use more help, but the Bug Bounty proposals include
> significant *vendor* support. I think that will work well.
>
> > If you consider the wiki a success (with the XSS fiasco included), then you
> > have not read the responses people provided on the survey I did, where 50
> > members of our community responded. Have you read what they say?
>
> Fiasco? We found and fixed bugs. That's good. The world keeps on spinning.
> Yes, I know of the complaints from the 50 folks in your survey, and I agree
> with those concerns. But you must have missed the many *millions* of page
> hits on *several* wiki pages and other documentation projects...
>
> Johanna, I do not know why you keep targeting me in these emails. I am
> just one board member - one that you apparently do not like or have respect
> for. Maybe consider talking to other board members if you are not happy
> with my actions. In the meantime, I am going to do a little wiki work
> tonight.
>
> If you have sustainable ideas for these programs, by all means let's hear
> them. If there are things you need me to read, let me know. I am doing my
> best in my limited time as a volunteer.
>
> Aloha,
> - Jim
>
>
>
> On 2/20/16 6:43 PM, johanna curiel curiel wrote:
>
> >> I am very confused. *No one asked you to do any work here, am I
> >> mistaken?*
>
> Exactly, *thank you for making that clear.*
>
> I don't think you have read properly what I'm trying to say, which is
> that these activities, where there seems to be a need for operational
> support, such as reviewing or wiki editing, do not have enough traction
> from volunteer efforts and are therefore not sustainable. Many talk cheap
> and, in the end, not enough people back up operations.
>
> If you consider the wiki a success (with the XSS fiasco included), then you
> have not read the responses people provided on the survey I did, where 50
> members of our community responded. Have you read what they say?
>
> I'm looking for a discussion around solutions and creating initiatives
> that are sustainable.
>
> Once again Jim, thank you for making it very clear to me how you think.
>
> I was expecting some discussion around sustainability.
>
> Cheers
>
> Johanna
>
> On Sat, Feb 20, 2016 at 8:29 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Joanna,
>>
>> All I asked is that we give other vendors a chance to propose a bug
>> bounty program instead of just choosing one vendor. I am not "the decider"
>> here. I did not initiate the bug bounty program nor do I disagree with all
>> of your comments below. I am sure we will face several challenges. I still
>> think it's a good idea to try and I'm grateful Josh is taking a leadership
>> position here.
>>
>> > I'm out of this equation regarding any decisions of a bounty program
>> > and management of it in the future.
>>
>> For someone who is "out of the equation" you sure have a lot to say! No
>> one is asking you to do any work. You are a volunteer (like me) and you
>> do as you like when you feel like it, and that is ok.
>>
>> > Wiki has shown that volunteer-based does not work.
>>
>> I strongly disagree. I know the wiki is tough for some to read, and it
>> needs work, but several pages have received millions of hits and have
>> helped many on several issues. I know the wiki needs work, but I am proud
>> of the accomplishments of the thousands of volunteers who have contributed
>> to that knowledge base in some way.
>>
>> > Therefore, I prefer to abstain from participating in this bounty initiative
>> > because my workload has multiplied by the dozen, and as a volunteer, I
>> > cannot provide any guarantees of my availability in the future.
>>
>> I am very confused. No one asked you to do any work here, am I mistaken?
>> I do not understand why you are upset or are abstaining from something that I
>> did not even know you were a part of. I just recall you (and Josh) getting
>> very upset that I even suggested we look at other vendor proposals....
>> First you suggest we get a specific vendor for an OWASP bug bounty program,
>> then you get upset that I suggested we discuss this with other vendors, and
>> now you are abstaining. It's hard for me to follow what you want here. I have
>> watched you email the world about "taking on an initiative" and then quit
>> several times now, so I am having a lot of trouble following your work
>> and needs. And I have done this a few times myself; I'm not perfect. But I
>> do keep trying.
>>
>> > This counts for the review process. This is the reason why we, Enrico
>> > and I, proposed to decentralise and focus on a platform. Even so, this
>> > platform is highly dependent on volunteers. So far, only 6 members have
>> > voted for Graduation of the OWASP security project. We lack participation. I
>> > feel like no one cares. Or people just don't want to participate in this
>> > kind of thing. I have no freaking idea.
>>
>> Johanna, if you are not satisfied with your volunteer activities, then I
>> suggest you find another way to lend support at OWASP (there are many, many
>> things going on with application security) or *take a break and take
>> some time off*. OWASP is not supposed to get you angry or make you feel
>> unsatisfied. It's Saturday night and I'm stuck in Chicago, so I'm going to
>> work on a few wiki tasks on my plate because that gives me a lot of
>> satisfaction - even in the face of other folks, like yourself, who do not
>> see the value in the wiki. I do - so I'm going to keep at it.
>>
>> > Furthermore, you end as a solo-player, nobody gives you thanks, when
>> > all you are trying to do is help, burning your free time chasing
>> > waterfalls. (That counts for you with the wiki editing of +8000 pages; I
>> > guess all you hear is criticism just as I do, and people just tend to
>> > forget we are not OWASP staff, we are volunteers.)
>>
>> Yea, I think that if you join OWASP because you want "thanks" - you're in
>> it for the wrong reason. Johanna, I have seen folks give you MANY
>> compliments - over and over and over - on big public lists - from folks all
>> over the world - and it does not seem to be enough for you, so I do not
>> know what to tell you. I do the work I do at OWASP because I believe in it
>> and find the value in it. I don't want thanks - I actually dislike getting
>> public thanks - I just want more volunteers involved. And I find that
>> leading by example helps. There are quite a few folks working on the wiki
>> with me. I am super grateful for them all. Generating new content is not an
>> issue; dealing with older content is.
>>
>> > Whatever the reason, the effect is, volunteer-based initiatives such as
>> > the wiki, reviews and possibly the bounty program do not seem to work.
>>
>> This is a fair point regarding the bug bounty program. Please keep in
>> mind that several of the bounty programs proposed would be vendor driven,
>> not volunteer driven. It's not decided yet nor is it my call (or even
>> charge). This thread started because I asked to be vendor neutral, and if
>> this was to start over I'd do the same.
>>
>> Have a nice Saturday night. I'm off to work on the Java wiki page and do
>> a little cleanup.
>>
>> Aloha,
>> - Jim
>>
>>
>> On 2/20/16 11:14 AM, johanna curiel curiel wrote:
>>
>> >> I trust those involved will make a good decision here.
>>
>> >> First, the current proposal *does not include the triage,
>> >> reproduction, and remediation piece* (the Bugcrowd one does). After
>> >> speaking with them about this, they explained that it is because there are
>> >> additional costs involved with that because they partner with other
>> >> companies to provide that service. That said, they offered to talk to one
>> >> of their partners and had a strong belief that they could offer this to us
>> >> as well.
>>
>> Hi Jim.
>>
>> I'm all in favour of vendor neutrality at all times. I admire your
>> pro-activeness in these matters; however, at this point, I'm out of this
>> equation regarding any decisions of a bounty program and management of it
>> in the future.
>>
>> One of the major problems we have, is to create sustainable initiatives.
>> I'm a volunteer with limited time. My availability will vary a lot and this
>> is common for volunteers.
>>
>> I think it is important that we ask ourselves who will be accountable for
>> the system we bring in and able to manage this continuously.
>> Volunteer-based, I'm not convinced.
>>
>> Wiki and Reviews have shown that volunteer-based does not work.
>> Therefore, I prefer to abstain from participating in this bounty initiative
>> because my workload has multiplied by the dozen, and as a volunteer, I
>> cannot provide any guarantees of my availability in the future.
>>
>> This counts for the review process. This is the reason why we, Enrico
>> and I, proposed to decentralise and focus on a platform. Even so, this
>> platform is highly dependent on volunteers. So far, only 6 members have
>> voted for Graduation of the OWASP security project. We lack participation. I
>> feel like no one cares. Or people just don't want to participate in this
>> kind of thing. I have no freaking idea.
>>
>> So far, there have not been any reviewers that have worked on reviews
>> since we restarted this initiative. Even before, when Claudia started offering
>> Amazon cards in exchange for reviews, only 2 persons participated, for 2
>> reviews on different projects. We keep on looking, I believe Claudia has
>> contacted them, but in the end, nothing.
>>
>> I took many hours to build that criteria and let people comment and
>> collaborate, so we make this process easier. There has been some
>> participation, but from very few. We provide the community with all the
>> opportunities to participate but still, there is a lack of interest in
>> this subject.
>>
>> I spoke with Jason Li, and even in an interview you did with him in 2008,
>> he had the same idea of providing a platform for participation, but people
>> don't want to volunteer for these kinds of tasks, just as happens with
>> the wiki.
>>
>> Furthermore, you end as a solo-player, nobody gives you thanks, when all
>> you are trying to do is help, burning your free time chasing
>> waterfalls. (That counts for you with the wiki editing of +8000 pages; I
>> guess all you hear is criticism just as I do, and people just tend to
>> forget we are not OWASP staff, we are volunteers.)
>>
>> I think it is time, from the operational management point of view, to
>> revise all these actions and have a very serious talk about this.
>>
>>    - Are they sustainable only volunteer-based?
>>    - What has the experience shown?
>>    - Why does OWASP lack volunteers to help on these tasks?
>>    - Is the workload too big to expect volunteers to do this?
>>    - Is this a community that has no time to do this kind of work?
>>    - Do they actually want to do these kinds of tasks?
>>
>> Volunteers are volunteers, they are not workforce nor can you expect the
>> same output. You cannot expect anything from them.
>>
>> A volunteer must feel he gains something back for giving his time. If
>> there is no exchange on this part, if he does not feel valued or that his
>> work matters, or enjoys what he does, then, I think, volunteer work
>> stops. For me, it must have a meaning, that what I do matters.
>>
>> Whatever the reason, the effect is, volunteer-based initiatives such as
>> the wiki, reviews and possibly the bounty program do not seem to work.
>>
>> We should evaluate this before we keep bringing in systems that cannot be
>> sustained on a volunteer basis.
>>
>> Cheers
>>
>> Johanna
>>
>> On Sat, Feb 20, 2016 at 12:17 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> Josh,
>>>
>>> I am grateful you took the time to hear other bounty vendors out,
>>> especially since I forced your hand to do so to some degree.
>>>
>>> I trust those involved will make a good decision here.
>>>
>>> I do not have a charge over this and do not want to interfere, but if
>>> you want my assistance just ask.
>>>
>>> Aloha,
>>> Jim
>>>
>>>
>>>
>>> On 2/19/16 4:07 PM, Josh Sokol wrote:
>>>
>>> I went ahead and spoke with HackerOne this afternoon even though others
>>> were unable to make it.  I'm going to be mostly out-of-pocket over the next
>>> couple of weeks, but at least wanted to be informed.  I took some notes,
>>> included below, but had a couple of things that are worth mentioning here.
>>> First, the current proposal does not include the triage, reproduction, and
>>> remediation piece (the Bugcrowd one does).  After speaking with them about
>>> this, they explained that it is because there are additional costs involved
>>> with that because they partner with other companies to provide that
>>> service.  That said, they offered to talk to one of their partners and had
>>> a strong belief that they could offer this to us as well.  With that, I
>>> think that what they are offering is pretty much equivalent to what
>>> Bugcrowd is offering.  That said, the ask is **VERY** different.  While
>>> Bugcrowd is looking for an OWASP Platinum sponsorship package in exchange
>>> for their services, HackerOne is literally asking for nothing.  They said
>>> that they are big supporters of the OWASP Foundation and what we stand for
>>> and want to do this to help us out.  I was not expecting this, but am
>>> extremely happy with what I heard from them.  We haven't talked to Cobalt
>>> yet, but my gut at this point is that HackerOne would make for a great
>>> partner on this and I would recommend, if we were to accept their offer,
>>> providing them with a logo placement on the supporter page (as a minimum)
>>> as a token of our appreciation.
>>>
>>> So, I realize that we still have one more vendor to talk to, but
>>> HackerOne looks really good.  With Johanna out-of-pocket for the
>>> foreseeable future, I wanted to make a recommendation to pull Simon
>>> Bennetts (if he is willing) into this evaluation process.  I think that a
>>> bug bounty program would be of huge benefit to his efforts, and would like
>>> to get his impression of the value of such a tool for his project.  Simon,
>>> would you be willing to hop on a call with the HackerOne folks to take a
>>> look at their platform?  Or, if you'd prefer, we have access to the
>>> platform already and can get you an account to poke around with on your
>>> own.
>>>
>>> In any case, notes are below.  Have a great weekend!
>>>
>>> ~josh
>>>
>>> *Your Platform:*
>>>
>>>    - Workflow & Automation: Focused on engineering the world's most
>>>    advanced vulnerability coordination platform.
>>>    - Signal: Numerous systems, such as Reputation and hackbot,
>>>    dedicated to ensuring high signal programs.
>>>    - Transparent: All hackers have a profile, history and reputation.
>>>    Advanced public disclosure workflow when needed.
>>>
>>>
>>> *You are in Control:*
>>>
>>>    - Flexible: Run private or public programs, with or without
>>>    bounties, managed or unmanaged.
>>>    - Ownership: You own your data.  HackerOne makes no claims on
>>>    Vulnerability Information.
>>>    - Multiparty Coordination: Easily pull in other vendors or external
>>>    parties into a case.
>>>
>>> *Service Donation:*
>>>
>>>    - Waive bounty service fees
>>>    - Donate HackerOne Enterprise and a dedicated success manager for
>>>    min 2 years.
>>>
>>> FREE Program
>>>
>>>    - [email protected] Workflow
>>>    - Hacker Reputation
>>>    - Intelligent Duplication Detection
>>>    - Automation
>>>    - Issue Tracker Integration
>>>    - Analytics Dashboard
>>>
>>> PROFESSIONAL Program ($2k/mo)
>>>
>>>    - Everything in Free
>>>    - Advanced Hacker Matching
>>>    - Performance Benchmarking
>>>    - Launch & Optimization Guidance
>>>    - Report Mediation
>>>    - Reports API
>>>
>>> ENTERPRISE Program:
>>>
>>>    - Everything in Professional
>>>    - Dedicated Success Manager
>>>    - Custom Analytics & Reporting
>>>    - Custom Integrations
>>>    - Custom Branding Theme
>>>    - Communications Guidance
>>>
>>> ADD ON: Bug Bounty Global Payments (Included in our deal)
>>>
>>> ADD ON: HackerOne Managed - Triage, Reproduction & Remediation Guidance
>>> (Not included today in the proposal.  Implemented by partners.  Need to
>>> negotiate this.)
>>>
>>>    - Would propose to have a separate instance for each project + OWASP
>>>    Foundation resources
>>>    - Do not want anything in return.  Support the OWASP Foundation and
>>>    what we are doing.
>>>    - Have a built in leaderboard sortable by timeframe
>>>    - Ranks hackers based on "signal" and "impact"
>>>    - Have an integration with Salesforce ticketing
>>>    - Support a wide range of common disclosure scenarios such as
>>>    "public disclosure".  By default they are confidential.
>>>
>> --
>> Johanna Curiel
>> OWASP Volunteer
>>
> --
> Johanna Curiel
> OWASP Volunteer
>


-- 
Johanna Curiel
OWASP Volunteer