[Owasp-board] Time to review

johanna curiel curiel johanna.curiel at owasp.org
Sun Feb 21 01:10:06 UTC 2016


>>I am very confused. No one asked you to do any work here, am I mistaken?

BTW, there is a nice wiki page asking for people to be volunteers:
https://www.owasp.org/index.php/Become_an_OWASP_Volunteer

Yes, I think that quite contradicts that 'no one asked you to do any work
here'...

Maybe it should be set as inactive. 😁 I would do it with all the pleasure... 😝


On Sat, Feb 20, 2016 at 9:03 PM, Jim Manico <jim.manico at owasp.org> wrote:

> I was not at all trying to be mean or hurtful, I was just saying that this
> is all volunteer and you do not have to work on the Bug Bounty program. I
> was worried you felt pressure here, and I did not think that was fair.
>
> I was not trying to be mean, at all.
>
> - Jim
>
>
> On 2/20/16 7:02 PM, johanna curiel curiel wrote:
>
> >>I am very confused. *No one asked you to do any work here, am I
> mistaken? *
>
> I don't think this is a very nice thing to say to a volunteer.
>
> On Sat, Feb 20, 2016 at 9:00 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>>
>> *> That counts for every volunteer I assume...*
>>
>> Of course it does, me too! :) There are about 10 folks active on the
>> wiki who I talk to on a very regular basis. In my experience we all really
>> enjoy messin' with the wiki and have a lot of fun interacting with each
>> other. It's satisfying and we all learn in the process.
>>
>> Wiki work brings a lot of joy to me in my OWASP interactions so imma
>> going to keep doing it. These are folks who are really sharp about
>> application security, enjoy debating the finer points and are happy to
>> contribute some of their expertise to the foundation. No one forced any of
>> the wiki (or project) folks to contribute. They want to. :)
>>
>> Aloha,
>> Jim
>>
>> Not bad traffic for wiki pages
>>
>> 2.1 million
>> https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
>> 1.9 million
>> https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
>>
>>
>>
>>
>> >>I am very confused. *No one asked you to do any work here, am I
>> mistaken? *
>>
>> *That counts for every volunteer I assume...*
>>
>> On Sat, Feb 20, 2016 at 8:50 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> > I don't think you have read properly what I'm trying to say, which is,
>>> that these activities, where there seems to be a need for operational
>>> support, such as reviewing or wiki editing, do not have enough traction
>>> from volunteer efforts and are therefore not sustainable. Many talk cheap and
>>> in the end, not enough people to back up operations.
>>>
>>> Right. Wiki could use more help, but the Bug Bounty proposals include
>>> significant *vendor* support. I think that will work well.
>>>
>>> > If you consider the wiki a success, (with XSS fiasco included) then
>>> you have not read the responses people provided on the survey I did where
>>> 50 members of our community responded. Have you read what they say?
>>>
>>> Fiasco? We found and fixed bugs. That's good. The world keeps on
>>> spinning. Yes, I know of the complaints from the 50 folks in your survey,
>>> and I agree with those concerns. But you must have missed the many
>>> *millions* of page hits on *several* wiki pages and other
>>> documentation projects...
>>>
>>> Johanna, I do not know why you keep targeting me in these emails. I am
>>> just one board member - one that you apparently do not like or have respect
>>> for. Maybe consider talking to other board members if you are not happy
>>> with my actions. In the meantime, I am going to do a little wiki work
>>> tonight.
>>>
>>> If you have sustainable ideas for these programs, by all means lets hear
>>> them. If there are things you need me to read, let me know. I am doing my
>>> best in my limited time as a volunteer.
>>>
>>> Aloha,
>>> - Jim
>>>
>>>
>>>
>>> On 2/20/16 6:43 PM, johanna curiel curiel wrote:
>>>
>>> >>I am very confused. *No one asked you to do any work here, am I
>>> mistaken? *
>>>
>>> Exactly, *thank you for making that clear.*
>>>
>>> I don't think you have read properly what I'm trying to say, which is,
>>> that these activities, where there seems to be a need for operational
>>> support, such as reviewing or wiki editing, do not have enough traction
>>> from volunteer efforts and are therefore not sustainable. Many talk cheap and
>>> in the end, not enough people to back up operations.
>>>
>>> If you consider the wiki a success, (with XSS fiasco included) then you
>>> have not read the responses people provided on the survey I did where 50
>>> members of our community responded. Have you read what they say?
>>>
>>> I'm looking for a discussion around solutions and creating initiatives
>>> that are sustainable.
>>>
>>> Once again Jim, thank you for making it very clear to me how you think.
>>>
>>> I was expecting some discussions around sustainability.
>>>
>>> Cheers
>>>
>>> Johanna
>>>
>>> On Sat, Feb 20, 2016 at 8:29 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>> Johanna,
>>>>
>>>> All I asked is that we give other vendors a chance to propose a bug
>>>> bounty program instead of just choosing one vendor. I am not "the decider"
>>>> here. I did not initiate the bug bounty program nor do I disagree with all
>>>> of your comments below. I am sure we will face several challenges. I still
>>>> think it's a good idea to try and I'm grateful Josh is taking a leadership
>>>> position here.
>>>>
>>>> > I'm out of this equation regarding any decisions of a bounty program
>>>> and management of it in the future.
>>>>
>>>> For someone who is "out of the equation" you sure have a lot to say! No
>>>> one is asking you to do - any work. You are a volunteer (like me) and you
>>>> do as you like when you feel like it and that is ok.
>>>>
>>>> > Wiki have shown that volunteer based does not work.
>>>>
>>>> I strongly disagree. I know the wiki is tough for some to read, and it
>>>> needs work, but several pages have received millions of hits and have
>>>> helped many on several issues. I know the wiki needs work, but I am proud
>>>> of the accomplishments of the thousands of volunteers who have contributed
>>>> to that knowledge base in some way.
>>>>
>>>> > Therefore, I prefer to abstain to participate on this bounty
>>>> initiative because my workload has multiplied by the dozen, and as a
>>>> volunteer, I cannot provide any guarantees of my availability in the future.
>>>>
>>>> I am very confused. No one asked you to do any work here, am I
>>>> mistaken? I do not understand why you are upset or are abstaining in
>>>> something that I did not even know you were a part of. I just recall you
>>>> (and Josh) getting very upset that I even suggested we look at other vendor
>>>> proposals.... First you suggest we get a specific vendor for an OWASP bug
>>>> bounty program, then you get upset that I suggested we discuss this with
>>>> other vendors, and now you abstaining. It's hard for me to follow what you
>>>> want here. I have watched you email the world about "taking on an
>>>> initiative" and then quit several times now, that I am having a lot of
>>>> trouble following your work and needs. And I have done this a few times
>>>> myself, I'm not perfect. But I do keep trying.
>>>>
>>>> > This counts for the review process. This is the reason why we,
>>>> Enrico and I, proposed to decentralise and focus on a platform. Even so,
>>>> this platform is highly dependent on volunteers. So far, only 6 members
>>>> have voted for Graduation of the OWASP security project. We lack
>>>> participation. I feel like no one cares. Or people just don't want to
>>>> participate in this kind of thing. I have no freaking idea.
>>>>
>>>> Johanna, if you are not satisfied with your volunteer activities, then
>>>> I suggest you find another way to lend support at OWASP (there are many
>>>> many things going on with application security) or *take a break and
>>>> take some time off*. OWASP is not supposed to get you angry or make
>>>> you feel unsatisfied. It's Saturday night and I'm stuck in Chicago so I'm
>>>> going to work on a few wiki tasks on my plate because that gives me a lot
>>>> of satisfaction - even in the face of other folks, like yourself, who do
>>>> not see the value in the wiki. I do - so I'm going to keep at it.
>>>>
>>>> > Furthermore, you end up as a solo-player, nobody gives you thanks, when
>>>> all you are trying to do is help, burning your free time chasing
>>>> waterfalls. (That counts for you with the wiki editing of +8000 pages, I
>>>> guess all you hear is criticism just as I do, and people just tend to
>>>> forget we are not OWASP staff, we are volunteers)
>>>>
>>>> Yea, I think that if you join OWASP because you want "thanks" - you're
>>>> in it for the wrong reason. Johanna, I have seen folks give you MANY
>>>> compliments - over and over and over - on big public lists - from folks all
>>>> over the world - and it does not seem to be enough for you, so I do not
>>>> know what to tell you. I do the work I do at OWASP because I believe it in
>>>> and find the value in it. I don't want thanks - I actually dislike getting
>>>> public thanks - I just want more volunteers involved. And I find that
>>>> leading by example helps. There are quite a few folks working on the wiki
>>>> with me. I am super grateful for them all. Generating new content is not an
>>>> issue, dealing with older content is.
>>>>
>>>> > Whatever the reason, the effect is, volunteer-based initiatives such as
>>>> the wiki, reviews and possibly the Bounty program do not seem to work.
>>>>
>>>> This is a fair point regarding the bug bounty program. Please keep in
>>>> mind that several of the bounty programs proposed would be vendor driven,
>>>> not volunteer driven. It's not decided yet nor is it my call (or even
>>>> charge). This thread started because I asked to be vendor neutral, and if
>>>> this was to start over I'd do the same.
>>>>
>>>> Have a nice Saturday night. I'm off to work on the Java wiki page and
>>>> do a little cleanup.
>>>>
>>>> Aloha,
>>>> - Jim
>>>>
>>>>
>>>> On 2/20/16 11:14 AM, johanna curiel curiel wrote:
>>>>
>>>> >>I trust those involved will make a good decision here.
>>>>
>>>> >>First, the current proposal *does not include the triage,
>>>> reproduction, and remediation piece* (the Bugcrowd one does).  After
>>>> speaking with them about this, they explained that it is because there is
>>>> additional costs involved with that because they partner with other
>>>> companies to provide that service.  That said, they offered to talk to one
>>>> of their partners and had a strong belief that they could offer this to us
>>>> as well.
>>>>
>>>> Hi Jim.
>>>>
>>>> I'm all in favour of vendor neutrality at all times. I admire your
>>>> pro-activeness in these matters, however, at this point, I'm out of this
>>>> equation regarding any decisions of a bounty program and management of it
>>>> in the future.
>>>>
>>>> One of the major problems we have, is to create sustainable
>>>> initiatives. I'm a volunteer with limited time. My availability will vary a
>>>> lot and this is common for volunteers.
>>>>
>>>> I think it is important that we ask ourselves who will be accountable for
>>>> the system we bring in and able to manage this continuously. Volunteer
>>>> based, I'm not convinced.
>>>>
>>>> Wiki and Reviews have shown that volunteer-based does not work.
>>>> Therefore, I prefer to abstain from participating in this bounty initiative
>>>> because my workload has multiplied by the dozen, and as a volunteer, I
>>>> cannot provide any guarantees of my availability in the future.
>>>>
>>>> This counts for the review process. This is the reason why we, Enrico
>>>> and I, proposed to decentralise and focus on a platform. Even so, this
>>>> platform is highly dependent on volunteers. So far, only 6 members have
>>>> voted for Graduation of the OWASP security project. We lack participation. I
>>>> feel like no one cares. Or people just don't want to participate in this
>>>> kind of thing. I have no freaking idea.
>>>>
>>>> So far, there have not been any reviewers that have worked on reviews
>>>> since we restarted this initiative. Even before, when Claudia started offering
>>>> Amazon cards in exchange for reviews, only 2 persons participated for 2
>>>> reviews on different projects. We keep on looking, I believe Claudia has
>>>> contacted them, but in the end, nothing.
>>>>
>>>> I took many hours to build those criteria and let people comment and
>>>> collaborate, so we make this process easier. There has been some
>>>> participation, but from very few. We provide the community with all the
>>>> opportunities to participate but still, there is a lack of interest in
>>>> this subject.
>>>>
>>>> I spoke with Jason Li, and even in an interview you did with him in 2008,
>>>> he had the same idea of providing a platform for participation, but people
>>>> don't want to volunteer for these kinds of tasks, just as happens with
>>>> the wiki.
>>>>
>>>> Furthermore, you end up as a solo-player, nobody gives you thanks, when
>>>> all you are trying to do is help, burning your free time chasing
>>>> waterfalls. (That counts for you with the wiki editing of +8000 pages, I
>>>> guess all you hear is criticism just as I do, and people just tend to
>>>> forget we are not OWASP staff, we are volunteers)
>>>>
>>>> I think it is time, from the operational management point of view, to
>>>> revise all these actions and have a very serious talk about this.
>>>>
>>>>    - Are they sustainable only volunteer-based?
>>>>    - What has the experience shown?
>>>>    - Why does OWASP lack volunteers to help on these tasks?
>>>>    - Is the workload too big to expect volunteers to do this?
>>>>    - Is this a community that has no time to do this kind of work?
>>>>    - Do they actually want to do these kinds of tasks?
>>>>
>>>> Volunteers are volunteers, they are not workforce nor can you expect
>>>> the same output. You cannot expect anything from them.
>>>>
>>>> A volunteer must feel he gains something back for giving his time. If
>>>> there is no exchange on this part, if he does not feel valued or that his
>>>> work matters, or enjoys what he does, then, I think, volunteer work
>>>> stops. For me, it must have a meaning, that what I do, matters.
>>>>
>>>> Whatever the reason, the effect is, volunteer-based initiatives such as
>>>> the wiki, reviews and possibly the Bounty program do not seem to work.
>>>>
>>>> We should evaluate this before we keep bringing in systems that cannot be
>>>> sustained on a volunteer basis.
>>>>
>>>> Cheers
>>>>
>>>> Johanna
>>>>
>>>> On Sat, Feb 20, 2016 at 12:17 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>
>>>>> Josh,
>>>>>
>>>>> I am grateful you took the time to hear other bounty vendors out,
>>>>> especially since I forced your hand to do so to some degree.
>>>>>
>>>>> I trust those involved will make a good decision here.
>>>>>
>>>>> I do not have a charge over this and do not want to interfere, but if
>>>>> you want my assistance just ask.
>>>>>
>>>>> Aloha,
>>>>> Jim
>>>>>
>>>>>
>>>>>
>>>>> On 2/19/16 4:07 PM, Josh Sokol wrote:
>>>>>
>>>>> I went ahead and spoke with HackerOne this afternoon even though
>>>>> others were unable to make it.  I'm going to be mostly out-of-pocket over
>>>>> the next couple of weeks, but at least wanted to be informed.  I took some
>>>>> notes, included below, but had a couple of things that are worth mentioning
>>>>> here.  First, the current proposal does not include the triage,
>>>>> reproduction, and remediation piece (the Bugcrowd one does).  After
>>>>> speaking with them about this, they explained that it is because there is
>>>>> additional costs involved with that because they partner with other
>>>>> companies to provide that service.  That said, they offered to talk to one
>>>>> of their partners and had a strong belief that they could offer this to us
>>>>> as well.  With that, I think that what they are offering is pretty much
>>>>> equivalent to what Bugcrowd is offering.  That said, the ask is **VERY**
>>>>> different.  While Bugcrowd is looking for an OWASP Platinum sponsorship
>>>>> package in exchange for their services, HackerOne is literally asking for
>>>>> nothing.  They said that they are big supporters of the OWASP Foundation
>>>>> and what we stand for and want to do this to help us out.  I was not
>>>>> expecting this, but am extremely happy with what I heard from them.  We
>>>>> haven't talked to Cobalt yet, but my gut at this point is that HackerOne
>>>>> would make for a great partner on this and I would recommend, if we were to
>>>>> accept their offer, providing them with a logo placement on the supporter
>>>>> page (as a minimum) as a token of our appreciation.
>>>>>
>>>>> So, I realize that we still have one more vendor to talk to, but
>>>>> HackerOne looks really good.  With Johanna out-of-pocket for the
>>>>> foreseeable future, I wanted to make a recommendation to pull Simon
>>>>> Bennetts (if he is willing) into this evaluation process.  I think that a
>>>>> bug bounty program would be of huge benefit to his efforts, and would like
>>>>> to get his impression of the value of such a tool for his project.  Simon,
>>>>> would you be willing to hop on a call with the HackerOne folks to take a
>>>>> look at their platform?  Or, if you'd prefer, we have access to the
>>>>> platform already and can get you an account to poke around with on your
>>>>> own.
>>>>>
>>>>> In any case, notes are below.  Have a great weekend!
>>>>>
>>>>> ~josh
>>>>>
>>>>> *Your Platform:*
>>>>>
>>>>>    - Workflow & Automation: Focused on engineering the world's most
>>>>>    advanced vulnerability coordination platform.
>>>>>    - Signal: Numerous systems, such as Reputation and hackbot,
>>>>>    dedicated to ensuring high signal programs.
>>>>>    - Transparent: All hackers have a profile, history and
>>>>>    reputation.  Advanced public disclosure workflow when needed.
>>>>>
>>>>>
>>>>> *You are in Control:*
>>>>>
>>>>>    - Flexible: Run private or public programs, with or without
>>>>>    bounties, managed or unmanaged.
>>>>>    - Ownership: You own your data.  HackerOne makes no claims on
>>>>>    Vulnerability Information.
>>>>>    - Multiparty Coordination: Easily pull in other vendors or
>>>>>    external parties into a case.
>>>>>
>>>>> *Service Donation:*
>>>>>
>>>>>    - Waive bounty service fees
>>>>>    - Donate HackerOne Enterprise and a dedicated success manager for
>>>>>    min 2 years.
>>>>>
>>>>> FREE Program
>>>>>
>>>>>    - [email protected] Workflow
>>>>>    - Hacker Reputation
>>>>>    - Intelligent Duplication Detection
>>>>>    - Automation
>>>>>    - Issue Tracker Integration
>>>>>    - Analytics Dashboard
>>>>>
>>>>> PROFESSIONAL Program ($2k/mo)
>>>>>
>>>>>    - Everything in Free
>>>>>    - Advanced Hacker Matching
>>>>>    - Performance Benchmarking
>>>>>    - Launch & Optimization Guidance
>>>>>    - Report Mediation
>>>>>    - Reports API
>>>>>
>>>>> ENTERPRISE Program:
>>>>>
>>>>>    - Everything in Professional
>>>>>    - Dedicated Success Manager
>>>>>    - Custom Analytics & Reporting
>>>>>    - Custom Integrations
>>>>>    - Custom Branding Theme
>>>>>    - Communications Guidance
>>>>>
>>>>> ADD ON: Bug Bounty Global Payments (Included in our deal)
>>>>>
>>>>> ADD ON: HackerOne Managed - Triage, Reproduction & Remediation
>>>>> Guidance (Not included today in the proposal.  Implemented by partners.
>>>>> Need to negotiate this.)
>>>>>
>>>>>    - Would propose to have a separate instance for each project +
>>>>>    OWASP Foundation resources
>>>>>    - Do not want anything in return.  Support the OWASP Foundation
>>>>>    and what we are doing.
>>>>>    - Have a built in leaderboard sortable by timeframe
>>>>>    - Ranks hackers based on "signal" and "impact"
>>>>>    - Have an integration with Salesforce ticketing
>>>>>    - Support a wide range of common disclosure scenarios such as
>>>>>    "public disclosure".  By default they are confidential.
>>>>>
>>>>>
>>>>>


-- 
Johanna Curiel
OWASP Volunteer