[Owasp-board] Time to review

Jim Manico jim.manico at owasp.org
Sun Feb 21 01:11:17 UTC 2016


My apologies, Johanna. What I was trying to say is that no one should put 
pressure on you to do work at OWASP as a volunteer; you should do work 
that makes you feel happy!

That is all I was trying to say; my sincere apologies if I offended 
you, it was not my intention.

- Jim


On 2/20/16 7:10 PM, johanna curiel curiel wrote:
> >>I am very confused. No one asked you to do any work here, am I 
> mistaken?
>
> BTW, there is a nice wiki page asking for people to be volunteers:
> https://www.owasp.org/index.php/Become_an_OWASP_Volunteer
>
> Yes, I think that quite contradicts that 'no one asked you to do any 
> work here'...
>
> Maybe it should be set as inactive. 😁 I would do it with all the 
> pleasure... 😝
>
>
> On Sat, Feb 20, 2016 at 9:03 PM, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>
>     I was not at all trying to be mean or hurtful, I was just saying
>     that this is all volunteer and you do not have to work on the Bug
>     Bounty program. I was worried you felt pressure here, and I did
>     not think that was fair.
>
>     I was not trying to be mean, at all.
>
>     - Jim
>
>
>     On 2/20/16 7:02 PM, johanna curiel curiel wrote:
>>     >> I am very confused. No one asked you to do any work here, am I
>>     mistaken?
>>     I don't think this is a very nice thing to say to a volunteer.
>>
>>     On Sat, Feb 20, 2016 at 9:00 PM, Jim Manico <jim.manico at owasp.org
>>     <mailto:jim.manico at owasp.org>> wrote:
>>
>>
>>         > That counts for every volunteer, I assume...
>>
>>         Of course it does, me too! :) There are about 10 folks
>>         active on the wiki who I talk to on a very regular basis. In
>>         my experience we all really enjoy messin' with the wiki and
>>         have a lot of fun interacting with each other. It's
>>         satisfying and we all learn in the process.
>>
>>         Wiki work brings a lot of joy to me in my OWASP interactions
>>         so imma going to keep doing it. These are folks who are
>>         really sharp about application security, enjoy debating the
>>         finer points and are happy to contribute some of their
>>         expertise to the foundation. No one forced any of the wiki
>>         (or project) folks to contribute. They want to. :)
>>
>>         Aloha,
>>         Jim
>>
>>         Not bad traffic for wiki pages
>>
>>         2.1 million
>>         https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
>>         1.9 million
>>         https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
>>
>>
>>
>>
>>>         >> I am very confused. No one asked you to do any work here, am
>>>         I mistaken?
>>>
>>>         That counts for every volunteer, I assume...
>>>
>>>         On Sat, Feb 20, 2016 at 8:50 PM, Jim Manico
>>>         <jim.manico at owasp.org <mailto:jim.manico at owasp.org>> wrote:
>>>
>>>             > I don't think you have read properly what I'm trying
>>>             to say, which is, that these activities, where there
>>>             seems to be a need for operational support, such as
>>>             reviewing or wiki editing, do not have enough
>>>             traction from volunteer efforts and therefore are not
>>>             sustainable. Many talk cheap and in the end, not enough
>>>             people to back up operations.
>>>
>>>             Right. The wiki could use more help, but the Bug Bounty
>>>             proposals include significant *vendor* support. I think
>>>             that will work well.
>>>
>>>             > If you consider the wiki a success (with the XSS fiasco
>>>             included), then you have not read the responses people
>>>             provided on the survey I did, where 50 members of our
>>>             community responded. Have you read what they say?
>>>
>>>             Fiasco? We found and fixed bugs. That's good. The world
>>>             keeps on spinning. Yes, I know of the complaints from the
>>>             50 folks in your survey, and I agree with those
>>>             concerns. But you must have missed the many *millions*
>>>             of page hits on *several* wiki pages and other
>>>             documentation projects...
>>>
>>>             Johanna, I do not know why you keep targeting me in
>>>             these emails. I am just one board member - one that you
>>>             apparently do not like or have respect for. Maybe
>>>             consider talking to other board members if you are not
>>>             happy with my actions. In the meantime, I am going to do
>>>             a little wiki work tonight.
>>>
>>>             If you have sustainable ideas for these programs, by all
>>>             means let's hear them. If there are things you need me to
>>>             read, let me know. I am doing my best in my limited time
>>>             as a volunteer.
>>>
>>>             Aloha,
>>>             - Jim
>>>
>>>
>>>
>>>             On 2/20/16 6:43 PM, johanna curiel curiel wrote:
>>>>             >> I am very confused. No one asked you to do any work
>>>>             here, am I mistaken?
>>>>
>>>>             Exactly, thank you for making that clear.
>>>>
>>>>             I don't think you have read properly what I'm trying to
>>>>             say, which is, that these activities, where there seems
>>>>             to be a need for operational support, such as reviewing
>>>>             or wiki editing, do not have enough traction from
>>>>             volunteer efforts and therefore are not sustainable. Many
>>>>             talk cheap and in the end, not enough people to back up
>>>>             operations.
>>>>
>>>>             If you consider the wiki a success (with the XSS fiasco
>>>>             included), then you have not read the responses people
>>>>             provided on the survey I did, where 50 members of our
>>>>             community responded. Have you read what they say?
>>>>
>>>>             I'm looking for a discussion around solutions and
>>>>             creating initiatives that are sustainable.
>>>>
>>>>             Once again Jim, thank you for making it very clear to
>>>>             me how you think.
>>>>
>>>>             I was expecting some discussion around sustainability.
>>>>
>>>>             Cheers
>>>>
>>>>             Johanna
>>>>
>>>>             On Sat, Feb 20, 2016 at 8:29 PM, Jim Manico
>>>>             <jim.manico at owasp.org <mailto:jim.manico at owasp.org>> wrote:
>>>>
>>>>                 Johanna,
>>>>
>>>>                 All I asked is that we give other vendors a chance
>>>>                 to propose a bug bounty program instead of just
>>>>                 choosing one vendor. I am not "the decider" here. I
>>>>                 did not initiate the bug bounty program nor do I
>>>>                 disagree with all of your comments below. I am sure
>>>>                 we will face several challenges. I still think it's
>>>>                 a good idea to try and I'm grateful Josh is taking
>>>>                 a leadership position here.
>>>>
>>>>                 > I'm out of this equation regarding any decisions
>>>>                 of a bounty program and management of it in the future.
>>>>
>>>>                 For someone who is "out of the equation" you sure
>>>>                 have a lot to say! No one is asking you to do - any
>>>>                 work. You are a volunteer (like me) and you do as
>>>>                 you like when you feel like it and that is ok.
>>>>
>>>>                 > The wiki has shown that volunteer-based does not work.
>>>>
>>>>                 I strongly disagree. I know the wiki is tough for
>>>>                 some to read, and it needs work, but several pages
>>>>                 have received millions of hits and have helped many
>>>>                 on several issues. I know the wiki needs work, but
>>>>                 I am proud of the accomplishments of the thousands
>>>>                 of volunteers who have contributed to that
>>>>                 knowledge base in some way.
>>>>
>>>>                 > Therefore, I prefer to abstain from participating in
>>>>                 this bounty initiative because my workload has
>>>>                 multiplied by the dozen, and as a volunteer, I
>>>>                 cannot provide any guarantees of my availability in
>>>>                 the future.
>>>>
>>>>                 I am very confused. No one asked you to do any work
>>>>                 here, am I mistaken? I do not understand why you
>>>>                 are upset or are abstaining from something that I did
>>>>                 not even know you were a part of. I just recall you
>>>>                 (and Josh) getting very upset that I even suggested
>>>>                 we look at other vendor proposals.... First you
>>>>                 suggest we get a specific vendor for an OWASP bug
>>>>                 bounty program, then you get upset that I suggested
>>>>                 we discuss this with other vendors, and now you are
>>>>                 abstaining. It's hard for me to follow what you
>>>>                 want here. I have watched you email the world about
>>>>                 "taking on an initiative" and then quit several
>>>>                 times now, so I am having a lot of trouble
>>>>                 following your work and needs. And I have done this
>>>>                 a few times myself, I'm not perfect. But I do keep
>>>>                 trying.
>>>>
>>>>                 > This counts for the review process. This is the
>>>>                 reason why we, Enrico and I, proposed to
>>>>                 decentralise and focus on a platform. Even so, this
>>>>                 platform is highly dependent on volunteers. So
>>>>                 far, only 6 members have voted for Graduation of
>>>>                 the OWASP security project. We lack participation. I
>>>>                 feel like no one cares. Or people just don't want
>>>>                 to participate in this kind of thing. I have no
>>>>                 freaking idea.
>>>>
>>>>                 Johanna, if you are not satisfied with your
>>>>                 volunteer activities, then I suggest you find
>>>>                 another way to lend support at OWASP (there are
>>>>                 many many things going on with application
>>>>                 security) or *take a break and take some time off*.
>>>>                 OWASP is not supposed to get you angry or make you
>>>>                 feel unsatisfied. It's Saturday night and I'm stuck
>>>>                 in Chicago so I'm going to work on a few wiki tasks
>>>>                 on my plate because that gives me a lot of
>>>>                 satisfaction - even in the face of other folks,
>>>>                 like yourself, who do not see the value in the
>>>>                 wiki. I do - so I'm going to keep at it.
>>>>
>>>>                 > Furthermore, you end up as a solo player; nobody
>>>>                 gives you thanks, when all you are trying to do is
>>>>                 help, burning your free time chasing
>>>>                 waterfalls. (That counts for you with the wiki
>>>>                 editing of 8000+ pages; I guess all you hear is
>>>>                 criticism, just as I do, and people just tend to
>>>>                 forget we are not OWASP staff, we are volunteers.)
>>>>
>>>>                 Yea, I think that if you join OWASP because you
>>>>                 want "thanks" - you're in it for the wrong reason.
>>>>                 Johanna, I have seen folks give you MANY
>>>>                 compliments - over and over and over - on big
>>>>                 public lists - from folks all over the world - and
>>>>                 it does not seem to be enough for you, so I do not
>>>>                 know what to tell you. I do the work I do at OWASP
>>>>                 because I believe in it and find the value in it. I
>>>>                 don't want thanks - I actually dislike getting
>>>>                 public thanks - I just want more volunteers
>>>>                 involved. And I find that leading by example helps.
>>>>                 There are quite a few folks working on the wiki
>>>>                 with me. I am super grateful for them all.
>>>>                 Generating new content is not an issue, dealing
>>>>                 with older content is.
>>>>
>>>>                 > Whatever the reason, the effect is, volunteer-based
>>>>                 initiatives such as the wiki, reviews and possibly the
>>>>                 Bounty program do not seem to work.
>>>>
>>>>                 This is a fair point regarding the bug bounty
>>>>                 program. Please keep in mind that several of the
>>>>                 bounty programs proposed would be vendor driven,
>>>>                 not volunteer driven. It's not decided yet nor is
>>>>                 it my call (or even charge). This thread started
>>>>                 because I asked to be vendor neutral, and if this
>>>>                 was to start over I'd do the same.
>>>>
>>>>                 Have a nice Saturday night. I'm off to work on the
>>>>                 Java wiki page and do a little cleanup.
>>>>
>>>>                 Aloha,
>>>>                 - Jim
>>>>
>>>>
>>>>                 On 2/20/16 11:14 AM, johanna curiel curiel wrote:
>>>>>                 >>I trust those involved will make a good decision
>>>>>                 here.
>>>>>
>>>>>                 >>First, the current proposal does not include
>>>>>                 the triage, reproduction, and remediation piece
>>>>>                 (the Bugcrowd one does).  After speaking with them
>>>>>                 about this, they explained that it is because
>>>>>                 there are additional costs involved with that
>>>>>                 because they partner with other companies to
>>>>>                 provide that service.  That said, they offered to
>>>>>                 talk to one of their partners and had a strong
>>>>>                 belief that they could offer this to us as well.
>>>>>
>>>>>                 Hi Jim.
>>>>>
>>>>>                 I'm all in favour of vendor neutrality at all
>>>>>                 times. I admire your proactiveness in these
>>>>>                 matters; however, at this point, I'm out of this
>>>>>                 equation regarding any decisions of a bounty
>>>>>                 program and management of it in the future.
>>>>>
>>>>>                 One of the major problems we have, is to create
>>>>>                 sustainable initiatives. I'm a volunteer with
>>>>>                 limited time. My availability will vary a lot and
>>>>>                 this is common for volunteers.
>>>>>
>>>>>                 I think it is important that we ask ourselves who
>>>>>                 will be accountable for the system we bring in and
>>>>>                 able to manage this continuously. Volunteer based,
>>>>>                 I'm not convinced.
>>>>>
>>>>>                 Wiki and Reviews have shown that volunteer-based
>>>>>                 does not work. Therefore, I prefer to abstain from
>>>>>                 participating in this bounty initiative because my
>>>>>                 workload has multiplied by the dozen, and as a
>>>>>                 volunteer, I cannot provide any guarantees of my
>>>>>                 availability in the future.
>>>>>
>>>>>                 This counts for the review process. This is the
>>>>>                 reason why we, Enrico and I, proposed to
>>>>>                 decentralise and focus on a platform. Even so,
>>>>>                 this platform is highly dependent on volunteers.
>>>>>                 So far, only 6 members have voted for Graduation
>>>>>                 of the OWASP security project. We lack
>>>>>                 participation. I feel like no one cares. Or people
>>>>>                 just don't want to participate in this kind of
>>>>>                 thing. I have no freaking idea.
>>>>>
>>>>>                 So far, there have not been any reviewers that have
>>>>>                 worked on reviews since we restarted this
>>>>>                 initiative. Even before, when Claudia started
>>>>>                 offering Amazon cards in exchange for reviews,
>>>>>                 only 2 persons participated, for 2 reviews on
>>>>>                 different projects. We keep on looking; I believe
>>>>>                 Claudia has contacted them, but in the end, nothing.
>>>>>
>>>>>                 I took many hours to build those criteria and let
>>>>>                 people comment and collaborate, so we could make this
>>>>>                 process easier. There has been some participation,
>>>>>                 but from very few. We provide the community with
>>>>>                 all the opportunities to participate, but still,
>>>>>                 there is a lack of interest in this subject.
>>>>>
>>>>>                 I spoke with Jason Li, and even in an interview
>>>>>                 you did with him in 2008, he had the same idea of
>>>>>                 providing a platform for participation, but people
>>>>>                 don't want to volunteer for these kinds of
>>>>>                 tasks, just as happens with the wiki.
>>>>>
>>>>>                 Furthermore, you end up as a solo player; nobody
>>>>>                 gives you thanks, when all you are trying to do is
>>>>>                 help, burning your free time chasing
>>>>>                 waterfalls. (That counts for you with the wiki
>>>>>                 editing of 8000+ pages; I guess all you hear is
>>>>>                 criticism, just as I do, and people just tend to
>>>>>                 forget we are not OWASP staff, we are volunteers.)
>>>>>
>>>>>                 I think it is time, from the operational
>>>>>                 management point of view, to revise all these
>>>>>                 actions and have a very serious talk about this.
>>>>>
>>>>>                   * Are they sustainable only volunteer-based?
>>>>>                   * What has the experience shown?
>>>>>                   * Why does OWASP lack volunteers to help on
>>>>>                     these tasks?
>>>>>                   * Is the workload too big to expect volunteers to
>>>>>                     do this?
>>>>>                   * Is this a community that has no time to do
>>>>>                     this kind of work?
>>>>>                   * Do they actually want to do these kinds of tasks?
>>>>>
>>>>>                 Volunteers are volunteers, they are not workforce
>>>>>                 nor can you expect the same output. You cannot
>>>>>                 expect anything from them.
>>>>>
>>>>>                 A volunteer must feel he gains something back for
>>>>>                 giving his time. If there is no exchange on this
>>>>>                 part, if he does not feel valued or that his work
>>>>>                 matters, or enjoys what he does, then, I think,
>>>>>                 volunteer work stops. For me, it must have a
>>>>>                 meaning, that what I do matters.
>>>>>
>>>>>                 Whatever the reason, the effect is, volunteer-based
>>>>>                 initiatives such as the wiki, reviews and possibly the
>>>>>                 Bounty program do not seem to work.
>>>>>
>>>>>                 We should evaluate this before we keep bringing in
>>>>>                 systems that cannot be sustained volunteer-based.
>>>>>
>>>>>                 Cheers
>>>>>
>>>>>                 Johanna
>>>>>
>>>>>                 On Sat, Feb 20, 2016 at 12:17 AM, Jim Manico
>>>>>                 <jim.manico at owasp.org
>>>>>                 <mailto:jim.manico at owasp.org>> wrote:
>>>>>
>>>>>                     Josh,
>>>>>
>>>>>                     I am grateful you took the time to hear other
>>>>>                     bounty vendors out, especially since I forced
>>>>>                     your hand to do so to some degree.
>>>>>
>>>>>                     I trust those involved will make a good
>>>>>                     decision here.
>>>>>
>>>>>                     I do not have a charge over this and do not
>>>>>                     want to interfere, but if you want my
>>>>>                     assistance just ask.
>>>>>
>>>>>                     Aloha,
>>>>>                     Jim
>>>>>
>>>>>
>>>>>
>>>>>                     On 2/19/16 4:07 PM, Josh Sokol wrote:
>>>>>>                     I went ahead and spoke with HackerOne this
>>>>>>                     afternoon even though others were unable to
>>>>>>                     make it.  I'm going to be mostly
>>>>>>                     out-of-pocket over the next couple of weeks,
>>>>>>                     but at least wanted to be informed.  I took
>>>>>>                     some notes, included below, but had a couple
>>>>>>                     of things that are worth mentioning here. 
>>>>>>                     First, the current proposal does not include
>>>>>>                     the triage, reproduction, and remediation
>>>>>>                     piece (the Bugcrowd one does).  After
>>>>>>                     speaking with them about this, they explained
>>>>>>                     that it is because there are additional costs
>>>>>>                     involved with that because they partner with
>>>>>>                     other companies to provide that service. 
>>>>>>                     That said, they offered to talk to one of
>>>>>>                     their partners and had a strong belief that
>>>>>>                     they could offer this to us as well.  With
>>>>>>                     that, I think that what they are offering is
>>>>>>                     pretty much equivalent to what Bugcrowd is
>>>>>>                     offering. That said, the ask is **VERY**
>>>>>>                     different. While Bugcrowd is looking for an
>>>>>>                     OWASP Platinum sponsorship package in
>>>>>>                     exchange for their services, HackerOne is
>>>>>>                     literally asking for nothing.  They said that
>>>>>>                     they are big supporters of the OWASP
>>>>>>                     Foundation and what we stand for and want to
>>>>>>                     do this to help us out. I was not expecting
>>>>>>                     this, but am extremely happy with what I
>>>>>>                     heard from them.  We haven't talked to Cobalt
>>>>>>                     yet, but my gut at this point is that
>>>>>>                     HackerOne would make for a great partner on
>>>>>>                     this and I would recommend, if we were to
>>>>>>                     accept their offer, providing them with a
>>>>>>                     logo placement on the supporter page (as a
>>>>>>                     minimum) as a token of our appreciation.
>>>>>>
>>>>>>                     So, I realize that we still have one more
>>>>>>                     vendor to talk to, but HackerOne looks really
>>>>>>                     good.  With Johanna out-of-pocket for the
>>>>>>                     foreseeable future, I wanted to make a
>>>>>>                     recommendation to pull Simon Bennetts (if he
>>>>>>                     is willing) into this evaluation process.  I
>>>>>>                     think that a bug bounty program would be of
>>>>>>                     huge benefit to his efforts, and would like
>>>>>>                     to get his impression of the value of such a
>>>>>>                     tool for his project. Simon, would you be
>>>>>>                     willing to hop on a call with the HackerOne
>>>>>>                     folks to take a look at their platform?  Or,
>>>>>>                     if you'd prefer, we have access to the
>>>>>>                     platform already and can get you an account
>>>>>>                     to poke around with on your own.
>>>>>>
>>>>>>                     In any case, notes are below. Have a great
>>>>>>                     weekend!
>>>>>>
>>>>>>                     ~josh
>>>>>>
>>>>>>                     Your Platform:
>>>>>>
>>>>>>                       * Workflow & Automation: Focused on
>>>>>>                         engineering the world's most advanced
>>>>>>                         vulnerability coordination platform.
>>>>>>                       * Signal: Numerous systems, such as
>>>>>>                         Reputation and hackbot, dedicated to
>>>>>>                         ensuring high signal programs.
>>>>>>                       * Transparent: All hackers have a profile,
>>>>>>                         history and reputation. Advanced public
>>>>>>                         disclosure workflow when needed.
>>>>>>
>>>>>>
>>>>>>                     You are in Control:
>>>>>>
>>>>>>                       * Flexible: Run private or public programs,
>>>>>>                         with or without bounties, managed or
>>>>>>                         unmanaged.
>>>>>>                       * Ownership: You own your data. HackerOne
>>>>>>                         makes no claims on Vulnerability Information.
>>>>>>                       * Multiparty Coordination: Easily pull in
>>>>>>                         other vendors or external parties into a
>>>>>>                         case.
>>>>>>
>>>>>>                     Service Donation:
>>>>>>
>>>>>>                       * Waive bounty service fees
>>>>>>                       * Donate HackerOne Enterprise and a
>>>>>>                         dedicated success manager for min 2 years.
>>>>>>
>>>>>>                     FREE Program
>>>>>>
>>>>>>                       * [email protected] Workflow
>>>>>>                       * Hacker Reputation
>>>>>>                       * Intelligent Duplication Detection
>>>>>>                       * Automation
>>>>>>                       * Issue Tracker Integration
>>>>>>                       * Analytics Dashboard
>>>>>>
>>>>>>                     PROFESSIONAL Program ($2k/mo)
>>>>>>
>>>>>>                       * Everything in Free
>>>>>>                       * Advanced Hacker Matching
>>>>>>                       * Performance Benchmarking
>>>>>>                       * Launch & Optimization Guidance
>>>>>>                       * Report Mediation
>>>>>>                       * Reports API
>>>>>>
>>>>>>                     ENTERPRISE Program:
>>>>>>
>>>>>>                       * Everything in Professional
>>>>>>                       * Dedicated Success Manager
>>>>>>                       * Custom Analytics & Reporting
>>>>>>                       * Custom Integrations
>>>>>>                       * Custom Branding Theme
>>>>>>                       * Communications Guidance
>>>>>>
>>>>>>                     ADD ON: Bug Bounty Global Payments (Included
>>>>>>                     in our deal)
>>>>>>
>>>>>>                     ADD ON: HackerOne Managed - Triage,
>>>>>>                     Reproduction & Remediation Guidance (Not
>>>>>>                     included today in the proposal. Implemented
>>>>>>                     by partners. Need to negotiate this.)
>>>>>>
>>>>>>                       * Would propose to have a separate instance
>>>>>>                         for each project + OWASP Foundation resources
>>>>>>                       * Do not want anything in return. Support
>>>>>>                         the OWASP Foundation and what we are doing.
>>>>>>                       * Have a built in leaderboard sortable by
>>>>>>                         timeframe
>>>>>>                       * Ranks hackers based on "signal" and "impact"
>>>>>>                       * Have an integration with Salesforce ticketing
>>>>>>                       * Support a wide range of common disclosure
>>>>>>                         scenarios such as "public disclosure". By
>>>>>>                         default they are confidential.
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>                 -- 
>>>>>                 Johanna Curiel
>>>>>                 OWASP Volunteer
>>>>
>>>>
>>>>
>>>>
>>>>             -- 
>>>>             Johanna Curiel
>>>>             OWASP Volunteer
>>>
>>>
>>>
>>>
>>>         -- 
>>>         Johanna Curiel
>>>         OWASP Volunteer
>>
>>
>>
>>
>>     -- 
>>     Johanna Curiel
>>     OWASP Volunteer
>
>
>
>
> -- 
> Johanna Curiel
> OWASP Volunteer

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20160220/7c5256e5/attachment-0001.html>

