[Owasp-board] Time to review

johanna curiel curiel johanna.curiel at owasp.org
Sun Feb 21 01:02:26 UTC 2016


>>I am very confused. *No one asked you to do any work here, am I
mistaken? *

I don't think this is a very nice thing to say to a volunteer.

On Sat, Feb 20, 2016 at 9:00 PM, Jim Manico <jim.manico at owasp.org> wrote:

>
> *> That counts for every volunteer, I assume...*
>
> Of course it does, me too! :) There are about 10 folks active on the wiki
> who I talk to on a very regular basis. In my experience we all really enjoy
> messin' with the wiki and have a lot of fun interacting with each other.
> It's satisfying and we all learn in the process.
>
> Wiki work brings a lot of joy to me in my OWASP interactions so imma going
> to keep doing it. These are folks who are really sharp about application
> security, enjoy debating the finer points and are happy to contribute some
> of their expertise to the foundation. No one forced any of the wiki (or
> project) folks to contribute. They want to. :)
>
> Aloha,
> Jim
>
> Not bad traffic for wiki pages
>
> 2.1 million https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
> 1.9 million
> https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
>
> >>I am very confused. *No one asked you to do any work here, am I
> mistaken? *
>
> *That counts for every volunteer, I assume...*
>
> On Sat, Feb 20, 2016 at 8:50 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> > I don't think you have read properly what I'm trying to say, which is,
>> that these activities, where there seems to be a need for operational
>> support, such as reviewing or wiki editing, do not have enough traction
>> from volunteer efforts and are therefore not sustainable. Many talk cheap and
>> in the end, not enough people to back up operations.
>>
>> Right. Wiki could use more help, but the Bug Bounty proposals include
>> significant *vendor* support. I think that will work well.
>>
>> > If you consider the wiki a success, (with XSS fiasco included) then you
>> have not read the responses people provided on the survey I did where 50
>> members of our community responded. Have you read what they say?
>>
>> Fiasco? We found and fixed bugs. That's good. The world keeps on
>> spinning. Yes, I know of the complaints from the 50 folks in your survey,
>> and I agree with those concerns. But you must have missed the many
>> *millions* of page hits on *several* wiki pages and other documentation
>> projects...
>>
>> Johanna, I do not know why you keep targeting me in these emails. I am
>> just one board member - one that you apparently do not like or have respect
>> for. Maybe consider talking to other board members if you are not happy
>> with my actions. In the meantime, I am going to do a little wiki work
>> tonight.
>>
>> If you have sustainable ideas for these programs, by all means lets hear
>> them. If there are things you need me to read, let me know. I am doing my
>> best in my limited time as a volunteer.
>>
>> Aloha,
>> - Jim
>>
>> On 2/20/16 6:43 PM, johanna curiel curiel wrote:
>>
>> >>I am very confused. *No one asked you to do any work here, am I
>> mistaken? *
>>
>> Exactly, *thank you for making that clear.*
>>
>> I don't think you have read properly what I'm trying to say, which is,
>> that these activities, where there seems to be a need for operational
>> support, such as reviewing or wiki editing, do not have enough traction
>> from volunteer efforts and are therefore not sustainable. Many talk cheap and
>> in the end, not enough people to back up operations.
>>
>> If you consider the wiki a success, (with XSS fiasco included) then you
>> have not read the responses people provided on the survey I did where 50
>> members of our community responded.Have you read what they say?
>>
>> I'm looking for a discussion around solutions and creating initiatives
>> that are sustainable.
>>
>> Once again Jim, thank you for making it very clear to me how you think.
>>
>> I was expecting some discussion around sustainability.
>>
>> Cheers
>>
>> Johanna
>>
>> On Sat, Feb 20, 2016 at 8:29 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> Johanna,
>>>
>>> All I asked is that we give other vendors a chance to propose a bug
>>> bounty program instead of just choosing one vendor. I am not "the decider"
>>> here. I did not initiate the bug bounty program nor do I disagree with all
>>> of your comments below. I am sure we will face several challenges. I still
>>> think it's a good idea to try and I'm grateful Josh is taking a leadership
>>> position here.
>>>
>>> > I'm out of this equation regarding any decisions of a bounty program
>>> and management of it in the future.
>>>
>>> For someone who is "out of the equation" you sure have a lot to say! No
>>> one is asking you to do - any work. You are a volunteer (like me) and you
>>> do as you like when you feel like it and that is ok.
>>>
>>> > Wiki have shown that volunteer based does not work.
>>>
>>> I strongly disagree. I know the wiki is tough for some to read, and it
>>> needs work, but several pages have received millions of hits and have
>>> helped many on several issues. I know the wiki needs work, but I am proud
>>> of the accomplishments of the thousands of volunteers who have contributed
>>> to that knowledge base in some way.
>>>
>>> > Therefore, I prefer to abstain from participating in this bounty
>>> initiative because my workload has multiplied by the dozen, and as a
>>> volunteer, I cannot provide any guarantees of my availability in the future.
>>>
>>> I am very confused. No one asked you to do any work here, am I mistaken?
>>> I do not understand why you are upset or are abstaining in something that I
>>> did not even know you were a part of. I just recall you (and Josh) getting
>>> very upset that I even suggested we look at other vendor proposals....
>>> First you suggest we get a specific vendor for an OWASP bug bounty program,
>>> then you get upset that I suggested we discuss this with other vendors, and
>>> now you are abstaining. It's hard for me to follow what you want here. I have
>>> watched you email the world about "taking on an initiative" and then quit
>>> several times now, so I am having a lot of trouble following your work
>>> and needs. And I have done this a few times myself, I'm not perfect. But I
>>> do keep trying.
>>>
>>> > This counts for the review process. This is the reason why we, Enrico
>>> and I, proposed to decentralise and focus on a platform. Even so, this
>>> platform is highly dependent on volunteers. So far, only 6 members have
>>> voted for Graduation of the OWASP security project. We lack participation. I
>>> feel like no one cares. Or people just don't want to participate in this
>>> kind of thing. I have no freaking idea.
>>>
>>> Johanna, if you are not satisfied with your volunteer activities, then I
>>> suggest you find another way to lend support at OWASP (there are many many
>>> things going on with application security) or *take a break and take
>>> some time off*. OWASP is not supposed to get you angry or make you
>>> feel unsatisfied. It's Saturday night and I'm stuck in Chicago so I'm
>>> going to work on a few wiki tasks on my plate because that gives me a lot
>>> of satisfaction - even in the face of other folks, like yourself, who do
>>> not see the value in the wiki. I do - so I'm going to keep at it.
>>>
>>> > Furthermore, you end as a solo-player, nobody gives you thanks, when
>>> all you are trying to do is help, burning your free time chasing
>>> waterfalls. (That counts for you with the wiki editing of +8000 pages, I
>>> guess all you hear is criticism just as I do, and people just tend to
>>> forget we are not OWASP staff, we are volunteers)
>>>
>>> Yea, I think that if you join OWASP because you want "thanks" - you're
>>> in it for the wrong reason. Johanna, I have seen folks give you MANY
>>> compliments - over and over and over - on big public lists - from folks all
>>> over the world - and it does not seem to be enough for you, so I do not
>>> know what to tell you. I do the work I do at OWASP because I believe it in
>>> and find the value in it. I don't want thanks - I actually dislike getting
>>> public thanks - I just want more volunteers involved. And I find that
>>> leading by example helps. There are quite a few folks working on the wiki
>>> with me. I am super grateful for them all. Generating new content is not an
>>> issue, dealing with older content is.
>>>
>>> > Whatever the reason, the effect is, volunteer-based initiatives such as
>>> the wiki, reviews and possibly the Bounty program do not seem to work.
>>>
>>> This is a fair point regarding the bug bounty program. Please keep in
>>> mind that several of the bounty programs proposed would be vendor driven,
>>> not volunteer driven. It's not decided yet nor is it my call (or even
>>> charge). This thread started because I asked to be vendor neutral, and if
>>> this was to start over I'd do the same.
>>>
>>> Have a nice Saturday night. I'm off to work on the Java wiki page and do
>>> a little cleanup.
>>>
>>> Aloha,
>>> - Jim
>>>
>>> On 2/20/16 11:14 AM, johanna curiel curiel wrote:
>>>
>>> >>I trust those involved will make a good decision here.
>>>
>>> >>First, the current proposal *does not include the triage,
>>> reproduction, and remediation piece* (the Bugcrowd one does). After
>>> speaking with them about this, they explained that it is because there are
>>> additional costs involved with that because they partner with other
>>> companies to provide that service. That said, they offered to talk to one
>>> of their partners and had a strong belief that they could offer this to us
>>> as well.
>>>
>>> Hi Jim.
>>>
>>> I'm all in favour of vendor neutrality at all times. I admire your
>>> pro-activeness in these matters, however, at this point, I'm out of this
>>> equation regarding any decisions of a bounty program and management of it
>>> in the future.
>>>
>>> One of the major problems we have, is to create sustainable initiatives.
>>> I'm a volunteer with limited time. My availability will vary a lot and this
>>> is common for volunteers.
>>>
>>> I think it is important that we ask ourselves who will be accountable for
>>> the system we bring in and able to manage this continuously. Volunteer
>>> based, I'm not convinced.
>>>
>>> Wiki and Reviews have shown that volunteer based does not work.
>>> Therefore, I prefer to abstain from participating in this bounty initiative
>>> because my workload has multiplied by the dozen, and as a volunteer, I
>>> cannot provide any guarantees of my availability in the future.
>>>
>>> This counts for the review process. This is the reason why we, Enrico
>>> and I, proposed to decentralise and focus on a platform. Even so, this
>>> platform is highly dependent on volunteers. So far, only 6 members have
>>> voted for Graduation of the OWASP security project. We lack participation. I
>>> feel like no one cares. Or people just don't want to participate in this
>>> kind of thing. I have no freaking idea.
>>>
>>> So far, there have not been any reviewers that have worked on reviews
>>> since we restarted this initiative. Even before, when Claudia started offering
>>> Amazon cards in exchange for reviews, only 2 persons participated for 2
>>> reviews on different projects. We keep on looking, I believe Claudia has
>>> contacted them, but in the end, nothing.
>>>
>>> I took many hours to build that criteria and let people comment and
>>> collaborate, so we make this process easier. There has been some
>>> participation, but from very few. We provide the community with all the
>>> opportunities to participate but still, there is a lack of interest in
>>> this subject.
>>>
>>> I spoke with Jason Li, and even in an interview you did with him in 2008,
>>> he had the same idea of providing a platform for participation, but people
>>> don't want to volunteer for these kinds of tasks, just as happens with
>>> the wiki.
>>>
>>> Furthermore, you end as a solo-player, nobody gives you thanks, when all
>>> you are trying to do is help, burning your free time chasing
>>> waterfalls. (That counts for you with the wiki editing of +8000 pages, I
>>> guess all you hear is criticism just as I do, and people just tend to
>>> forget we are not OWASP staff, we are volunteers)
>>>
>>> I think it is time that, from the operational management point of view, we
>>> revise all these actions and have a very serious talk about this.
>>>
>>>    - Are they sustainable only volunteer based?
>>>    - What has the experience shown?
>>>    - Why does OWASP lack volunteers to help on these tasks?
>>>    - Is the workload too big to expect volunteers to do this?
>>>    - Is this a community that has no time to do this kind of work?
>>>    - Do they actually want to do these kinds of tasks?
>>>
>>> Volunteers are volunteers, they are not workforce nor can you expect the
>>> same output. You cannot expect anything from them.
>>>
>>> A volunteer must feel he gains something back for giving his time. If
>>> there is no exchange on this part, if he does not feel valued or that his
>>> work matters, or enjoys what he does, then, I think, volunteer work
>>> stops. For me, it must have a meaning, that what I do matters.
>>>
>>> Whatever the reason, the effect is, volunteer-based initiatives such as
>>> the wiki, reviews and possibly the Bounty program do not seem to work.
>>>
>>> We should evaluate this before we keep bringing in systems that cannot be
>>> sustained on a volunteer basis.
>>>
>>> Cheers
>>>
>>> Johanna
>>>
>>> On Sat, Feb 20, 2016 at 12:17 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>> Josh,
>>>>
>>>> I am grateful you took the time to hear other bounty vendors out,
>>>> especially since I forced your hand to do so to some degree.
>>>>
>>>> I trust those involved will make a good decision here.
>>>>
>>>> I do not have a charge over this and do not want to interfere, but if
>>>> you want my assistance just ask.
>>>>
>>>> Aloha,
>>>> Jim
>>>>
>>>> On 2/19/16 4:07 PM, Josh Sokol wrote:
>>>>
>>>> I went ahead and spoke with HackerOne this afternoon even though others
>>>> were unable to make it.  I'm going to be mostly out-of-pocket over the next
>>>> couple of weeks, but at least wanted to be informed.  I took some notes,
>>>> included below, but had a couple of things that are worth mentioning here.
>>>> First, the current proposal does not include the triage, reproduction, and
>>>> remediation piece (the Bugcrowd one does).  After speaking with them about
>>>> this, they explained that it is because there are additional costs involved
>>>> with that because they partner with other companies to provide that
>>>> a strong belief that they could offer this to us as well.  With that, I
>>>> think that what they are offering is pretty much equivalent to what
>>>> Bugcrowd is offering.  That said, the ask is **VERY** different.  While
>>>> Bugcrowd is looking for an OWASP Platinum sponsorship package in exchange
>>>> for their services, HackerOne is literally asking for nothing.  They said
>>>> that they are big supporters of the OWASP Foundation and what we stand for
>>>> and want to do this to help us out.  I was not expecting this, but am
>>>> extremely happy with what I heard from them.  We haven't talked to Cobalt
>>>> yet, but my gut at this point is that HackerOne would make for a great
>>>> partner on this and I would recommend, if we were to accept their offer,
>>>> providing them with a logo placement on the supporter page (as a minimum)
>>>> as a token of our appreciation.
>>>>
>>>> So, I realize that we still have one more vendor to talk to, but
>>>> HackerOne looks really good.  With Johanna out-of-pocket for the
>>>> foreseeable future, I wanted to make a recommendation to pull Simon
>>>> Bennetts (if he is willing) into this evaluation process.  I think that a
>>>> bug bounty program would be of huge benefit to his efforts, and would like
>>>> to get his impression of the value of such a tool for his project.  Simon,
>>>> would you be willing to hop on a call with the HackerOne folks to take a
>>>> look at their platform?  Or, if you'd prefer, we have access to the
>>>> platform already and can get you an account to poke around with on your
>>>> own.
>>>>
>>>> In any case, notes are below.  Have a great weekend!
>>>>
>>>> ~josh
>>>>
>>>> *Your Platform:*
>>>>
>>>>    - Workflow & Automation: Focused on engineering the world's most
>>>>    advanced vulnerability coordination platform.
>>>>    - Signal: Numerous systems, such as Reputation and hackbot,
>>>>    dedicated to ensuring high signal programs.
>>>>    - Transparent: All hackers have a profile, history and reputation.
>>>>    Advanced public disclosure workflow when needed.
>>>>
>>>> *You are in Control:*
>>>>
>>>>    - Flexible: Run private or public programs, with or without
>>>>    bounties, managed or unmanaged.
>>>>    - Ownership: You own your data.  HackerOne makes no claims on
>>>>    Vulnerability Information.
>>>>    - Multiparty Coordination: Easily pull in other vendors or external
>>>>    parties into a case.
>>>>
>>>> *Service Donation:*
>>>>
>>>>    - Waive bounty service fees
>>>>    - Donate HackerOne Enterprise and a dedicated success manager for
>>>>    min 2 years.
>>>>
>>>> FREE Program
>>>>
>>>>    - [email protected] Workflow
>>>>    - Hacker Reputation
>>>>    - Intelligent Duplication Detection
>>>>    - Automation
>>>>    - Issue Tracker Integration
>>>>    - Analytics Dashboard
>>>>
>>>> PROFESSIONAL Program ($2k/mo)
>>>>
>>>>    - Everything in Free
>>>>    - Advanced Hacker Matching
>>>>    - Performance Benchmarking
>>>>    - Launch & Optimization Guidance
>>>>    - Report Mediation
>>>>    - Reports API
>>>>
>>>> ENTERPRISE Program:
>>>>
>>>>    - Everything in Professional
>>>>    - Dedicated Success Manager
>>>>    - Custom Analytics & Reporting
>>>>    - Custom Integrations
>>>>    - Custom Branding Theme
>>>>    - Communications Guidance
>>>>
>>>> ADD ON: Bug Bounty Global Payments (Included in our deal)
>>>>
>>>> ADD ON: HackerOne Managed - Triage, Reproduction & Remediation Guidance
>>>> (Not included today in the proposal.  Implemented by partners.  Need to
>>>> negotiate this.)
>>>>
>>>>    - Would propose to have a separate instance for each project +
>>>>    OWASP Foundation resources
>>>>    - Do not want anything in return.  Support the OWASP Foundation and
>>>>    what we are doing.
>>>>    - Have a built in leaderboard sortable by timeframe
>>>>    - Ranks hackers based on "signal" and "impact"
>>>>    - Have an integration with Salesforce ticketing
>>>>    - Support a wide range of common disclosure scenarios such as
>>>>    "public disclosure".  By default they are confidential.
>>>>


-- 
Johanna Curiel
OWASP Volunteer