[Owasp-board] Time to review

Jim Manico jim.manico at owasp.org
Sun Feb 21 01:03:37 UTC 2016


I was not at all trying to be mean or hurtful, I was just saying that 
this is all volunteer and you do not have to work on the Bug Bounty 
program. I was worried you felt pressure here, and I did not think that 
was fair.

I was not trying to be mean, at all.

- Jim

On 2/20/16 7:02 PM, johanna curiel curiel wrote:
> >> I am very confused. *No one asked you to do any work here, am I mistaken?*
>
> I don't think this is a very nice thing to say to a volunteer.
>
> On Sat, Feb 20, 2016 at 9:00 PM, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>
>
>     *> That counts for every volunteer I assume...*
>
>     Of course it does, me too! :) There are about 10 folks active on
>     the wiki who I talk to on a very regular basis. In my experience
>     we all really enjoy messin' with the wiki and have a lot of fun
>     interacting with each other. It's satisfying and we all learn in
>     the process.
>
>     Wiki work brings a lot of joy to me in my OWASP interactions so
>     imma going to keep doing it. These are folks who are really sharp
>     about application security, enjoy debating the finer points and
>     are happy to contribute some of their expertise to the foundation.
>     No one forced any of the wiki (or project) folks to contribute.
>     They want to. :)
>
>     Aloha,
>     Jim
>
>     Not bad traffic for wiki pages
>
>     2.1 million
>     https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
>     1.9 million
>     https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
>
>
>
>
>>     >> I am very confused. *No one asked you to do any work here, am I
>>     mistaken?*
>>
>>     *That counts for every volunteer I assume...*
>>
>>     On Sat, Feb 20, 2016 at 8:50 PM, Jim Manico <jim.manico at owasp.org
>>     <mailto:jim.manico at owasp.org>> wrote:
>>
>>         > I don't think you have read properly what I'm trying to
>>         say, which is, that these activities, where there seems to be
>>         a need for operational support, such as reviewing or wiki
>>         editing, do not have enough traction from volunteer
>>         efforts and are therefore not sustainable. Many talk cheaply and in
>>         the end, not enough people back up operations.
>>
>>         Right. Wiki could use more help, but the Bug Bounty proposals
>>         include significant *vendor* support. I think that will work well.
>>
>>         > If you consider the wiki a success (with the XSS fiasco
>>         included), then you have not read the responses people
>>         provided on the survey I did, where 50 members of our
>>         community responded. Have you read what they say?
>>
>>         Fiasco? We found and fixed bugs. That's good. The world keeps
>>         on spinning. Yes, I know of the complaints from the 50 folks
>>         in your survey, and I agree with those concerns. But you must
>>         have missed the many *millions* of page hits on *several*
>>         wiki pages and other documentation projects...
>>
>>         Johanna, I do not know why you keep targeting me in these
>>         emails. I am just one board member - one that you apparently
>>         do not like or have respect for. Maybe consider talking to
>>         other board members if you are not happy with my actions. In
>>         the meantime, I am going to do a little wiki work tonight.
>>
>>         If you have sustainable ideas for these programs, by all
>>         means let's hear them. If there are things you need me to
>>         read, let me know. I am doing my best in my limited time as a
>>         volunteer.
>>
>>         Aloha,
>>         - Jim
>>
>>
>>
>>         On 2/20/16 6:43 PM, johanna curiel curiel wrote:
>>>         >> I am very confused. *No one asked you to do any work here, am
>>>         I mistaken?*
>>>
>>>         Exactly, _thank you for making that clear._
>>>
>>>         I don't think you have read properly what I'm trying to say,
>>>         which is, that these activities, where there seems to be a
>>>         need for operational support, such as reviewing or wiki
>>>         editing, do not have enough traction from volunteer
>>>         efforts and are therefore not sustainable. Many talk cheaply and
>>>         in the end, not enough people back up operations.
>>>
>>>         If you consider the wiki a success (with the XSS fiasco
>>>         included), then you have not read the responses people
>>>         provided on the survey I did, where 50 members of our
>>>         community responded. Have you read what they say?
>>>
>>>         I'm looking for a discussion around solutions and creating
>>>         initiatives that are sustainable.
>>>
>>>         Once again Jim, thank you for making it very clear to me how
>>>         you think.
>>>
>>>         I was expecting some discussion around sustainability.
>>>
>>>         Cheers
>>>
>>>         Johanna
>>>
>>>         On Sat, Feb 20, 2016 at 8:29 PM, Jim Manico
>>>         <jim.manico at owasp.org <mailto:jim.manico at owasp.org>> wrote:
>>>
>>>             Johanna,
>>>
>>>             All I asked is that we give other vendors a chance to
>>>             propose a bug bounty program instead of just choosing
>>>             one vendor. I am not "the decider" here. I did not
>>>             initiate the bug bounty program nor do I disagree with
>>>             all of your comments below. I am sure we will face
>>>             several challenges. I still think it's a good idea to
>>>             try and I'm grateful Josh is taking a leadership
>>>             position here.
>>>
>>>             > I'm out of this equation regarding any decisions of a
>>>             bounty program and management of it in the future.
>>>
>>>             For someone who is "out of the equation" you sure have a
>>>             lot to say! No one is asking you to do - any work. You
>>>             are a volunteer (like me) and you do as you like when
>>>             you feel like it and that is ok.
>>>
>>>             > Wiki have shown that volunteer based does not work.
>>>
>>>             I strongly disagree. I know the wiki is tough for some
>>>             to read, and it needs work, but several pages have
>>>             received millions of hits and have helped many on
>>>             several issues. I know the wiki needs work, but I am
>>>             proud of the accomplishments of the thousands of
>>>             volunteers who have contributed to that knowledge base
>>>             in some way.
>>>
>>>             > Therefore, I prefer to abstain from participating in this
>>>             bounty initiative because my workload has multiplied by
>>>             the dozen, and as a volunteer, I cannot provide any
>>>             guarantees of my availability in the future.
>>>
>>>             I am very confused. No one asked you to do any work
>>>             here, am I mistaken? I do not understand why you are
>>>             upset or are abstaining in something that I did not even
>>>             know you were a part of. I just recall you (and Josh)
>>>             getting very upset that I even suggested we look at
>>>             other vendor proposals.... First you suggest we get a
>>>             specific vendor for an OWASP bug bounty program, then
>>>             you get upset that I suggested we discuss this with
>>>             other vendors, and now you are abstaining. It's hard for me
>>>             to follow what you want here. I have watched you email
>>>             the world about "taking on an initiative" and then quit
>>>             several times now, so I am having a lot of trouble
>>>             following your work and needs. And I have done this a
>>>             few times myself, I'm not perfect. But I do keep trying.
>>>
>>>             > This counts for the review process. This is the reason
>>>             why we, Enrico and I, proposed to decentralise and
>>>             focus on a platform. Even so, this platform is highly
>>>             dependent on volunteers. So far, only 6 members have
>>>             voted for Graduation of the OWASP security project. We
>>>             lack participation. I feel like no one cares. Or people
>>>             just don't want to participate in this kind of thing. I
>>>             have no freaking idea.
>>>
>>>             Johanna, if you are not satisfied with your volunteer
>>>             activities, then I suggest you find another way to lend
>>>             support at OWASP (there are many many things going on
>>>             with application security) or *take a break and take
>>>             some time off*. OWASP is not supposed to get you angry
>>>             or make you feel unsatisfied. It's Saturday night and
>>>             I'm stuck in Chicago so I'm going to work on a few wiki
>>>             tasks on my plate because that gives me a lot of
>>>             satisfaction - even in the face of other folks, like
>>>             yourself, who do not see the value in the wiki. I do -
>>>             so I'm going to keep at it.
>>>
>>>             > Furthermore, you end as a solo-player, nobody gives
>>>             you thanks, when all you are trying to do is help,
>>>             burning your free time chasing waterfalls. (That counts
>>>             for you with the wiki editing of +8000 pages, I guess
>>>             all you hear is criticism just as I do, and people just
>>>             tend to forget we are not OWASP staff, we are volunteers)
>>>
>>>             Yea, I think that if you join OWASP because you want
>>>             "thanks" - you're in it for the wrong reason. Johanna, I
>>>             have seen folks give you MANY compliments - over and
>>>             over and over - on big public lists - from folks all
>>>             over the world - and it does not seem to be enough for
>>>             you, so I do not know what to tell you. I do the work I
>>>             do at OWASP because I believe in it and find the value
>>>             in it. I don't want thanks - I actually dislike getting
>>>             public thanks - I just want more volunteers involved.
>>>             And I find that leading by example helps. There are
>>>             quite a few folks working on the wiki with me. I am
>>>             super grateful for them all. Generating new content is
>>>             not an issue, dealing with older content is.
>>>
>>>             > Whatever the reason, the effect is, volunteer-based
>>>             initiatives such as the wiki, reviews and possibly the Bounty
>>>             program do not seem to work.
>>>
>>>             This is a fair point regarding the bug bounty program.
>>>             Please keep in mind that several of the bounty programs
>>>             proposed would be vendor driven, not volunteer driven.
>>>             It's not decided yet nor is it my call (or even charge).
>>>             This thread started because I asked to be vendor
>>>             neutral, and if this was to start over I'd do the same.
>>>
>>>             Have a nice Saturday night. I'm off to work on the Java
>>>             wiki page and do a little cleanup.
>>>
>>>             Aloha,
>>>             - Jim
>>>
>>>
>>>             On 2/20/16 11:14 AM, johanna curiel curiel wrote:
>>>>             >>I trust those involved will make a good decision here.
>>>>
>>>>             >>First, the current proposal _does not include the
>>>>             triage, reproduction, and remediation piece_ (the
>>>>             Bugcrowd one does).  After speaking with them about
>>>>             this, they explained that it is because there are
>>>>             additional costs involved with that because they
>>>>             partner with other companies to provide that service.
>>>>             That said, they offered to talk to one of their
>>>>             partners and had a strong belief that they could offer
>>>>             this to us as well.
>>>>
>>>>             Hi Jim.
>>>>
>>>>             I'm all in favour of vendor neutrality at all times. I
>>>>             admire your pro-activeness in these matters, however,
>>>>             at this point, I'm out of this equation regarding any
>>>>             decisions of a bounty program and management of it in
>>>>             the future.
>>>>
>>>>             One of the major problems we have, is to create
>>>>             sustainable initiatives. I'm a volunteer with limited
>>>>             time. My availability will vary a lot and this is
>>>>             common for volunteers.
>>>>
>>>>             I think it is important that we ask ourselves who will be
>>>>             accountable for the system we bring in and able to
>>>>             manage this continuously. Volunteer based, I'm not
>>>>             convinced.
>>>>
>>>>             Wiki and Reviews have shown that volunteer-based does
>>>>             not work. Therefore, I prefer to abstain from participating
>>>>             in this bounty initiative because my workload has
>>>>             multiplied by the dozen, and as a volunteer, I cannot
>>>>             provide any guarantees of my availability in the future.
>>>>
>>>>             This counts for the review process. This is the reason
>>>>             why we, Enrico and I, proposed to decentralise and
>>>>             focus on a platform. Even so, this platform is highly
>>>>             dependent on volunteers. So far, only 6 members have
>>>>             voted for Graduation of the OWASP security project. We
>>>>             lack participation. I feel like no one cares. Or people
>>>>             just don't want to participate in this kind of thing. I
>>>>             have no freaking idea.
>>>>
>>>>             So far, there have not been any reviewers that have
>>>>             worked on reviews since we restarted this
>>>>             initiative. Even before, when Claudia started offering
>>>>             Amazon cards in exchange for reviews, only 2 persons
>>>>             participated in 2 reviews on different projects. We
>>>>             keep on looking, I believe Claudia has contacted them,
>>>>             but in the end, nothing.
>>>>
>>>>             I took many hours to build those criteria and let
>>>>             people comment and collaborate, so we make this process
>>>>             easier. There has been some participation, but from
>>>>             very few. We provide the community with all the
>>>>             opportunities to participate but still, there is a lack
>>>>             of interest in this subject.
>>>>
>>>>             I spoke with Jason Li, and even in an interview you did
>>>>             with him in 2008, he had the same idea of providing a
>>>>             platform for participation, but people don't want to
>>>>             volunteer for these kinds of tasks, just as happens
>>>>             with the wiki.
>>>>
>>>>             Furthermore, you end as a solo-player, nobody gives you
>>>>             thanks, when all you are trying to do is help, burning
>>>>             your free time chasing waterfalls. (That counts for you
>>>>             with the wiki editing of +8000 pages, I guess all you
>>>>             hear is criticism just as I do, and people just tend
>>>>             to forget we are not OWASP staff, we are volunteers)
>>>>
>>>>             I think it is time, from the operational management
>>>>             point of view, to revise all these actions and have a
>>>>             very serious talk about this.
>>>>
>>>>               * Are they sustainable only volunteer based?
>>>>               * What has the experience shown?
>>>>               * Why does owasp lack volunteers to help on these tasks?
>>>>               * Is the workload too big to expect volunteers to do this?
>>>>               * Is this a community that has no time to do this
>>>>                 kind of work?
>>>>               * Do they actually want to do these kinds of tasks?
>>>>
>>>>             Volunteers are volunteers, they are not workforce nor
>>>>             can you expect the same output. You cannot expect
>>>>             anything from them.
>>>>
>>>>             A volunteer must feel he gains something back for
>>>>             giving his time. If there is no exchange on this part,
>>>>             if he does not feel valued or that his work matters,
>>>>             or enjoys what he does, then, I think, volunteer
>>>>             work stops. For me, it must have a meaning, that what
>>>>             I do, matters.
>>>>
>>>>             Whatever the reason, the effect is, volunteer-based
>>>>             initiatives such as the wiki, reviews and possibly the Bounty
>>>>             program do not seem to work.
>>>>
>>>>             We should evaluate this before we keep bringing systems
>>>>             that cannot be sustained on a volunteer basis.
>>>>
>>>>             Cheers
>>>>
>>>>             Johanna
>>>>
>>>>             On Sat, Feb 20, 2016 at 12:17 AM, Jim Manico
>>>>             <jim.manico at owasp.org <mailto:jim.manico at owasp.org>> wrote:
>>>>
>>>>                 Josh,
>>>>
>>>>                 I am grateful you took the time to hear other
>>>>                 bounty vendors out, especially since I forced your
>>>>                 hand to do so to some degree.
>>>>
>>>>                 I trust those involved will make a good decision here.
>>>>
>>>>                 I do not have a charge over this and do not want to
>>>>                 interfere, but if you want my assistance just ask.
>>>>
>>>>                 Aloha,
>>>>                 Jim
>>>>
>>>>
>>>>
>>>>                 On 2/19/16 4:07 PM, Josh Sokol wrote:
>>>>>                 I went ahead and spoke with HackerOne this
>>>>>                 afternoon even though others were unable to make
>>>>>                 it.  I'm going to be mostly out-of-pocket over the
>>>>>                 next couple of weeks, but at least wanted to be
>>>>>                 informed.  I took some notes, included below, but
>>>>>                 had a couple of things that are worth mentioning
>>>>>                 here.  First, the current proposal does not
>>>>>                 include the triage, reproduction, and remediation
>>>>>                 piece (the Bugcrowd one does).  After speaking
>>>>>                 with them about this, they explained that it is
>>>>>                 because there are additional costs involved with
>>>>>                 that because they partner with other companies to
>>>>>                 provide that service.  That said, they offered to
>>>>>                 talk to one of their partners and had a strong
>>>>>                 belief that they could offer this to us as well. 
>>>>>                 With that, I think that what they are offering is
>>>>>                 pretty much equivalent to what Bugcrowd is
>>>>>                 offering. That said, the ask is **VERY**
>>>>>                 different. While Bugcrowd is looking for an OWASP
>>>>>                 Platinum sponsorship package in exchange for their
>>>>>                 services, HackerOne is literally asking for
>>>>>                 nothing.  They said that they are big supporters
>>>>>                 of the OWASP Foundation and what we stand for and
>>>>>                 want to do this to help us out. I was not
>>>>>                 expecting this, but am extremely happy with what I
>>>>>                 heard from them.  We haven't talked to Cobalt yet,
>>>>>                 but my gut at this point is that HackerOne would
>>>>>                 make for a great partner on this and I would
>>>>>                 recommend, if we were to accept their offer,
>>>>>                 providing them with a logo placement on the
>>>>>                 supporter page (as a minimum) as a token of our
>>>>>                 appreciation.
>>>>>
>>>>>                 So, I realize that we still have one more vendor
>>>>>                 to talk to, but HackerOne looks really good.  With
>>>>>                 Johanna out-of-pocket for the foreseeable future,
>>>>>                 I wanted to make a recommendation to pull Simon
>>>>>                 Bennetts (if he is willing) into this evaluation
>>>>>                 process.  I think that a bug bounty program would
>>>>>                 be of huge benefit to his efforts, and would like
>>>>>                 to get his impression of the value of such a tool
>>>>>                 for his project. Simon, would you be willing to
>>>>>                 hop on a call with the HackerOne folks to take a
>>>>>                 look at their platform?  Or, if you'd prefer, we
>>>>>                 have access to the platform already and can get
>>>>>                 you an account to poke around with on your own.
>>>>>
>>>>>                 In any case, notes are below. Have a great weekend!
>>>>>
>>>>>                 ~josh
>>>>>
>>>>>                 _*Your Platform:*_
>>>>>
>>>>>                   * Workflow & Automation: Focused on engineering
>>>>>                     the world's most advanced vulnerability
>>>>>                     coordination platform.
>>>>>                   * Signal: Numerous systems, such as Reputation
>>>>>                     and hackbot, dedicated to ensuring high signal
>>>>>                     programs.
>>>>>                   * Transparent: All hackers have a profile,
>>>>>                     history and reputation. Advanced public
>>>>>                     disclosure workflow when needed.
>>>>>
>>>>>
>>>>>                 _*You are in Control:*_
>>>>>
>>>>>                   * Flexible: Run private or public programs, with
>>>>>                     or without bounties, managed or unmanaged.
>>>>>                   * Ownership: You own your data. HackerOne makes
>>>>>                     no claims on Vulnerability Information.
>>>>>                   * Multiparty Coordination: Easily pull in other
>>>>>                     vendors or external parties into a case.
>>>>>
>>>>>                 _*Service Donation:*_
>>>>>
>>>>>                   * Waive bounty service fees
>>>>>                   * Donate HackerOne Enterprise and a dedicated
>>>>>                     success manager for min 2 years.
>>>>>
>>>>>                 FREE Program
>>>>>
>>>>>                   * [email protected] Workflow
>>>>>                   * Hacker Reputation
>>>>>                   * Intelligent Duplication Detection
>>>>>                   * Automation
>>>>>                   * Issue Tracker Integration
>>>>>                   * Analytics Dashboard
>>>>>
>>>>>                 PROFESSIONAL Program ($2k/mo)
>>>>>
>>>>>                   * Everything in Free
>>>>>                   * Advanced Hacker Matching
>>>>>                   * Performance Benchmarking
>>>>>                   * Launch & Optimization Guidance
>>>>>                   * Report Mediation
>>>>>                   * Reports API
>>>>>
>>>>>                 ENTERPRISE Program:
>>>>>
>>>>>                   * Everything in Professional
>>>>>                   * Dedicated Success Manager
>>>>>                   * Custom Analytics & Reporting
>>>>>                   * Custom Integrations
>>>>>                   * Custom Branding Theme
>>>>>                   * Communications Guidance
>>>>>
>>>>>                 ADD ON: Bug Bounty Global Payments (Included in
>>>>>                 our deal)
>>>>>
>>>>>                 ADD ON: HackerOne Managed - Triage, Reproduction &
>>>>>                 Remediation Guidance (Not included today in the
>>>>>                 proposal. Implemented by partners. Need to
>>>>>                 negotiate this.)
>>>>>
>>>>>                   * Would propose to have a separate instance for
>>>>>                     each project + OWASP Foundation resources
>>>>>                   * Do not want anything in return. Support the
>>>>>                     OWASP Foundation and what we are doing.
>>>>>                   * Have a built in leaderboard sortable by timeframe
>>>>>                   * Ranks hackers based on "signal" and "impact"
>>>>>                   * Have an integration with Salesforce ticketing
>>>>>                   * Support a wide range of common disclosure
>>>>>                     scenarios such as "public disclosure". By
>>>>>                     default they are confidential.
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>             -- 
>>>>             Johanna Curiel
>>>>             OWASP Volunteer
>>>
>>>
>>>
>>>
>>>         -- 
>>>         Johanna Curiel
>>>         OWASP Volunteer
>>
>>
>>
>>
>>     -- 
>>     Johanna Curiel
>>     OWASP Volunteer
>
>
>
>
> -- 
> Johanna Curiel
> OWASP Volunteer
