[Owasp-board] Time to review
Jim Manico
jim.manico at owasp.org
Sun Feb 21 01:11:17 UTC 2016
My apologies, Johanna. What I was trying to say is that no one should put
pressure on you to do work at OWASP as a volunteer; you should do work
that makes you feel happy!
That is all I was trying to say. My sincere apologies if I offended
you; it was not my intention.
- Jim
On 2/20/16 7:10 PM, johanna curiel curiel wrote:
> >>I am very confused. No one asked you to do any work here, am I
> mistaken?
>
> BTW, there is a nice wiki page asking for people to be volunteers:
> https://www.owasp.org/index.php/Become_an_OWASP_Volunteer
>
> Yes, I think that quite contradicts that 'no one asked you to do any
> work here'...
>
> Maybe it should be set as inactive. 😁 I would do it with all the
> pleasure... 😝
>
>
> On Sat, Feb 20, 2016 at 9:03 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
> I was not at all trying to be mean or hurtful, I was just saying
> that this is all volunteer and you do not have to work on the Bug
> Bounty program. I was worried you felt pressure here, and I did
> not think that was fair.
>
> I was not trying to be mean, at all.
>
> - Jim
>
>
> On 2/20/16 7:02 PM, johanna curiel curiel wrote:
>> >>I am very confused. No one asked you to do any work here, am I
>> mistaken?
>> I don't think this is a very nice thing to say to a volunteer.
>>
>> On Sat, Feb 20, 2016 at 9:00 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>
>> > That counts for every volunteer I assume...
>>
>> Of course it does, me too! :) There are about 10 folks
>> active on the wiki who I talk to on a very regular basis. In
>> my experience we all really enjoy messin' with the wiki and
>> have a lot of fun interacting with each other. It's
>> satisfying and we all learn in the process.
>>
>> Wiki work brings a lot of joy to me in my OWASP interactions
>> so imma going to keep doing it. These are folks who are
>> really sharp about application security, enjoy debating the
>> finer points and are happy to contribute some of their
>> expertise to the foundation. No one forced any of the wiki
>> (or project) folks to contribute. They want to. :)
>>
>> Aloha,
>> Jim
>>
>> Not bad traffic for wiki pages
>>
>> 2.1 million
>> https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
>> 1.9 million
>> https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
>>
>>
>>
>>
>>> >>I am very confused. No one asked you to do any work here, am
>>> I mistaken?
>>>
>>> That counts for every volunteer I assume...
>>>
>>> On Sat, Feb 20, 2016 at 8:50 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>> > I don't think you have read properly what I'm trying
>>> to say, which is, that these activities, where there
>>> seems to be a need for operational support, such as
>>> reviewing or wiki editing, do not have enough
>>> traction from volunteer efforts and therefore are not
>>> sustainable. Many talk cheap and in the end, not enough
>>> people to back up operations.
>>>
>>> Right. Wiki could use more help, but the Bug Bounty
>>> proposals include significant *vendor* support. I think
>>> that will work well.
>>>
>>> > If you consider the wiki a success, (with XSS fiasco
>>> included) then you have not read the responses people
>>> provided on the survey I did where 50 members of our
>>> community responded. Have you read what they say?
>>>
>>> Fiasco? We found and fixed bugs. That's good. The world
>>> keeps on spinning. Yes, I know of the complaints from the
>>> 50 folks in your survey, and I agree with those
>>> concerns. But you must have missed the many *millions*
>>> of page hits on *several* wiki pages and other
>>> documentation projects...
>>>
>>> Johanna, I do not know why you keep targeting me in
>>> these emails. I am just one board member - one that you
>>> apparently do not like or have respect for. Maybe
>>> consider talking to other board members if you are not
>>> happy with my actions. In the meantime, I am going to do
>>> a little wiki work tonight.
>>>
>>> If you have sustainable ideas for these programs, by all
>>> means lets hear them. If there are things you need me to
>>> read, let me know. I am doing my best in my limited time
>>> as a volunteer.
>>>
>>> Aloha,
>>> - Jim
>>>
>>>
>>>
>>> On 2/20/16 6:43 PM, johanna curiel curiel wrote:
>>>> >>I am very confused. No one asked you to do any work
>>>> here, am I mistaken?
>>>>
>>>> Exactly, thank you for making that clear.
>>>>
>>>> I don't think you have read properly what I'm trying to
>>>> say, which is, that these activities, where there seems
>>>> to be a need for operational support, such as reviewing
>>>> or wiki editing, do not have enough traction from
>>>> volunteer efforts and therefore are not sustainable. Many
>>>> talk cheap and in the end, not enough people to back up
>>>> operations.
>>>>
>>>> If you consider the wiki a success, (with XSS fiasco
>>>> included) then you have not read the responses people
>>>> provided on the survey I did where 50 members of our
>>>> community responded. Have you read what they say?
>>>>
>>>> I'm looking for a discussion around solutions and
>>>> creating initiatives that are sustainable.
>>>>
>>>> Once again Jim, thank you for making it very clear to
>>>> me how you think.
>>>>
>>>> I was expecting some discussion around sustainability.
>>>>
>>>> Cheers
>>>>
>>>> Johanna
>>>>
>>>> On Sat, Feb 20, 2016 at 8:29 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>
>>>> Joanna,
>>>>
>>>> All I asked is that we give other vendors a chance
>>>> to propose a bug bounty program instead of just
>>>> choosing one vendor. I am not "the decider" here. I
>>>> did not initiate the bug bounty program nor do I
>>>> disagree with all of your comments below. I am sure
>>>> we will face several challenges. I still think it's
>>>> a good idea to try and I'm grateful Josh is taking
>>>> a leadership position here.
>>>>
>>>> > I'm out of this equation regarding any decisions
>>>> of a bounty program and management of it in the future.
>>>>
>>>> For someone who is "out of the equation" you sure
>>>> have a lot to say! No one is asking you to do - any
>>>> work. You are a volunteer (like me) and you do as
>>>> you like when you feel like it and that is ok.
>>>>
>>>> > Wiki have shown that volunteer based does not work.
>>>>
>>>> I strongly disagree. I know the wiki is tough for
>>>> some to read, and it needs work, but several pages
>>>> have received millions of hits and have helped many
>>>> on several issues. I know the wiki needs work, but
>>>> I am proud of the accomplishments of the thousands
>>>> of volunteers who have contributed to that
>>>> knowledge base in some way.
>>>>
>>>> > Therefore, I prefer to abstain to participate on
>>>> this bounty initiative because my workload has
>>>> multiplied by the dozen, and as a volunteer, I
>>>> cannot provide any guarantees of my availability in
>>>> the future.
>>>>
>>>> I am very confused. No one asked you to do any work
>>>> here, am I mistaken? I do not understand why you
>>>> are upset or are abstaining in something that I did
>>>> not even know you were a part of. I just recall you
>>>> (and Josh) getting very upset that I even suggested
>>>> we look at other vendor proposals.... First you
>>>> suggest we get a specific vendor for an OWASP bug
>>>> bounty program, then you get upset that I suggested
>>>> we discuss this with other vendors, and now you are
>>>> abstaining. It's hard for me to follow what you
>>>> want here. I have watched you email the world about
>>>> "taking on an initiative" and then quit several
>>>> times now, that I am having a lot of trouble
>>>> following your work and needs. And I have done this
>>>> a few times myself, I'm not perfect. But I do keep
>>>> trying.
>>>>
>>>> > This counts for the review process. This is the
>>>> reason why we, Enrico and I, proposed to
>>>> decentralise and focus on a platform. Even so, this
>>>> platform is highly dependent on volunteers. So
>>>> far, only 6 members have voted for Graduation of
>>>> the OWASP security project. We lack participation. I
>>>> feel like no one cares. Or people just don't want
>>>> to participate in this kind of thing. I have no
>>>> freaking idea.
>>>>
>>>> Johanna, if you are not satisfied with your
>>>> volunteer activities, then I suggest you find
>>>> another way to lend support at OWASP (there are
>>>> many many things going on with application
>>>> security) or *take a break and take some time off*.
>>>> OWASP is not supposed to get you angry or make you
>>>> feel unsatisfied. It's Saturday night and I'm stuck
>>>> in Chicago so I'm going to work on a few wiki tasks
>>>> on my plate because that gives me a lot of
>>>> satisfaction - even in the face of other folks,
>>>> like yourself, who do not see the value in the
>>>> wiki. I do - so I'm going to keep at it.
>>>>
>>>> > Furthermore, you end as a solo-player, nobody
>>>> gives you thanks, when all you are trying to do is
>>>> help, burning your free time chasing
>>>> waterfalls. (That counts for you with the wiki
>>>> editing of +8000 pages, I guess all you hear is
>>>> criticism just as I do, and people just tend to
>>>> forget we are not OWASP staff, we are volunteers)
>>>>
>>>> Yea, I think that if you join OWASP because you
>>>> want "thanks" - you're in it for the wrong reason.
>>>> Johanna, I have seen folks give you MANY
>>>> compliments - over and over and over - on big
>>>> public lists - from folks all over the world - and
>>>> it does not seem to be enough for you, so I do not
>>>> know what to tell you. I do the work I do at OWASP
>>>> because I believe in it and find the value in it. I
>>>> don't want thanks - I actually dislike getting
>>>> public thanks - I just want more volunteers
>>>> involved. And I find that leading by example helps.
>>>> There are quite a few folks working on the wiki
>>>> with me. I am super grateful for them all.
>>>> Generating new content is not an issue, dealing
>>>> with older content is.
>>>>
>>>> > Whatever the reason, the effect is, volunteer-based
>>>> initiatives such as wiki, reviews and possibly the
>>>> Bounty program, do not seem to work.
>>>>
>>>> This is a fair point regarding the bug bounty
>>>> program. Please keep in mind that several of the
>>>> bounty programs proposed would be vendor driven,
>>>> not volunteer driven. It's not decided yet nor is
>>>> it my call (or even charge). This thread started
>>>> because I asked to be vendor neutral, and if this
>>>> was to start over I'd do the same.
>>>>
>>>> Have a nice Saturday night. I'm off to work on the
>>>> Java wiki page and do a little cleanup.
>>>>
>>>> Aloha,
>>>> - Jim
>>>>
>>>>
>>>> On 2/20/16 11:14 AM, johanna curiel curiel wrote:
>>>>> >>I trust those involved will make a good decision
>>>>> here.
>>>>>
>>>>> >>First, the current proposal does not include
>>>>> the triage, reproduction, and remediation piece
>>>>> (the Bugcrowd one does). After speaking with them
>>>>> about this, they explained that it is because
>>>>> there is additional costs involved with that
>>>>> because they partner with other companies to
>>>>> provide that service. That said, they offered to
>>>>> talk to one of their partners and had a strong
>>>>> belief that they could offer this to us as well.
>>>>>
>>>>> Hi Jim.
>>>>>
>>>>> I'm all in favour of vendor neutrality at all
>>>>> times. I admire your pro-activeness in these
>>>>> matters, however, at this point, I'm out of this
>>>>> equation regarding any decisions of a bounty
>>>>> program and management of it in the future.
>>>>>
>>>>> One of the major problems we have, is to create
>>>>> sustainable initiatives. I'm a volunteer with
>>>>> limited time. My availability will vary a lot and
>>>>> this is common for volunteers.
>>>>>
>>>>> I think it is important that we ask ourselves who
>>>>> will be accountable for the system we bring in and
>>>>> able to manage this continuously. Volunteer based,
>>>>> I'm not convinced.
>>>>>
>>>>> Wiki and Reviews have shown that volunteer based
>>>>> does not work. Therefore, I prefer to abstain from
>>>>> participating in this bounty initiative because my
>>>>> workload has multiplied by the dozen, and as a
>>>>> volunteer, I cannot provide any guarantees of my
>>>>> availability in the future.
>>>>>
>>>>> This counts for the review process. This is the
>>>>> reason why we, Enrico and I, proposed to
>>>>> decentralise and focus on a platform. Even so,
>>>>> this platform is highly dependent on volunteers.
>>>>> So far, only 6 members have voted for Graduation
>>>>> of the OWASP security project. We lack
>>>>> participation. I feel like no one cares. Or people
>>>>> just don't want to participate in this kind of
>>>>> thing. I have no freaking idea.
>>>>>
>>>>> So far, there have not been any reviewers that have
>>>>> worked on reviews since we restarted this
>>>>> initiative. Even before, when Claudia started
>>>>> offering amazon cards in exchange for reviews,
>>>>> only 2 persons participated for 2 reviews on
>>>>> different projects. We keep on looking, I believe
>>>>> Claudia has contacted them, but in the end, nothing.
>>>>>
>>>>> I took many hours to build that criteria and let
>>>>> people comment and collaborate, so we make this
>>>>> process easier. There has been some participation,
>>>>> but from very few. We provide the community with
>>>>> all the opportunities to participate but still,
>>>>> there is a lack of interest in this subject.
>>>>>
>>>>> I spoke with Jason Li, and even in an interview
>>>>> you did with him in 2008, he had the same idea of
>>>>> providing a platform for participation, but people
>>>>> don't want to volunteer for these kinds of
>>>>> tasks, just as happens with the wiki.
>>>>>
>>>>> Furthermore, you end as a solo-player, nobody
>>>>> gives you thanks, when all you are trying to do is
>>>>> help, burning your free time chasing
>>>>> waterfalls. (That counts for you with the wiki
>>>>> editing of +8000 pages, I guess all you hear is
>>>>> criticism just as I do, and people just tend to
>>>>> forget we are not OWASP staff, we are volunteers)
>>>>>
>>>>> I think it is time, from the operational
>>>>> management point of view, to revise all these
>>>>> actions and have a very serious talk about this.
>>>>>
>>>>> * Are they sustainable only volunteer based?
>>>>> * What has the experience shown?
>>>>> * Why does owasp lack volunteers to help on
>>>>> these tasks?
>>>>> * Is the workload too big to expect volunteers to
>>>>> do this?
>>>>> * Is this a community that has no time to do
>>>>> this kind of work?
>>>>> * Do they actually want to do these kind of tasks?
>>>>>
>>>>> Volunteers are volunteers, they are not workforce
>>>>> nor can you expect the same output. You cannot
>>>>> expect anything from them.
>>>>>
>>>>> A volunteer must feel he gains something back for
>>>>> giving his time. If there is no exchange on this
>>>>> part, if he does not feel valued or that his work
>>>>> matters, or enjoys what he does, then, I think,
>>>>> volunteer work stops. For me, it must have a
>>>>> meaning, that what I do matters.
>>>>>
>>>>> Whatever the reason, the effect is, volunteer-based
>>>>> initiatives such as wiki, reviews and possibly the
>>>>> Bounty program, do not seem to work.
>>>>>
>>>>> We should evaluate this before we keep bringing in
>>>>> systems that cannot be sustained on a volunteer basis.
>>>>>
>>>>> Cheers
>>>>>
>>>>> Johanna
>>>>>
>>>>> On Sat, Feb 20, 2016 at 12:17 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>
>>>>> Josh,
>>>>>
>>>>> I am grateful you took the time to hear other
>>>>> bounty vendors out, especially since I forced
>>>>> your hand to do so to some degree.
>>>>>
>>>>> I trust those involved will make a good
>>>>> decision here.
>>>>>
>>>>> I do not have a charge over this and do not
>>>>> want to interfere, but if you want my
>>>>> assistance just ask.
>>>>>
>>>>> Aloha,
>>>>> Jim
>>>>>
>>>>>
>>>>>
>>>>> On 2/19/16 4:07 PM, Josh Sokol wrote:
>>>>>> I went ahead and spoke with HackerOne this
>>>>>> afternoon even though others were unable to
>>>>>> make it. I'm going to be mostly
>>>>>> out-of-pocket over the next couple of weeks,
>>>>>> but at least wanted to be informed. I took
>>>>>> some notes, included below, but had a couple
>>>>>> of things that are worth mentioning here.
>>>>>> First, the current proposal does not include
>>>>>> the triage, reproduction, and remediation
>>>>>> piece (the Bugcrowd one does). After
>>>>>> speaking with them about this, they explained
>>>>>> that it is because there are additional costs
>>>>>> involved with that because they partner with
>>>>>> other companies to provide that service.
>>>>>> That said, they offered to talk to one of
>>>>>> their partners and had a strong belief that
>>>>>> they could offer this to us as well. With
>>>>>> that, I think that what they are offering is
>>>>>> pretty much equivalent to what Bugcrowd is
>>>>>> offering. That said, the ask is **VERY**
>>>>>> different. While Bugcrowd is looking for an
>>>>>> OWASP Platinum sponsorship package in
>>>>>> exchange for their services, HackerOne is
>>>>>> literally asking for nothing. They said that
>>>>>> they are big supporters of the OWASP
>>>>>> Foundation and what we stand for and want to
>>>>>> do this to help us out. I was not expecting
>>>>>> this, but am extremely happy with what I
>>>>>> heard from them. We haven't talked to Cobalt
>>>>>> yet, but my gut at this point is that
>>>>>> HackerOne would make for a great partner on
>>>>>> this and I would recommend, if we were to
>>>>>> accept their offer, providing them with a
>>>>>> logo placement on the supporter page (as a
>>>>>> minimum) as a token of our appreciation.
>>>>>>
>>>>>> So, I realize that we still have one more
>>>>>> vendor to talk to, but HackerOne looks really
>>>>>> good. With Johanna out-of-pocket for the
>>>>>> foreseeable future, I wanted to make a
>>>>>> recommendation to pull Simon Bennetts (if he
>>>>>> is willing) into this evaluation process. I
>>>>>> think that a bug bounty program would be of
>>>>>> huge benefit to his efforts, and would like
>>>>>> to get his impression of the value of such a
>>>>>> tool for his project. Simon, would you be
>>>>>> willing to hop on a call with the HackerOne
>>>>>> folks to take a look at their platform? Or,
>>>>>> if you'd prefer, we have access to the
>>>>>> platform already and can get you an account
>>>>>> to poke around with on your own.
>>>>>>
>>>>>> In any case, notes are below. Have a great
>>>>>> weekend!
>>>>>>
>>>>>> ~josh
>>>>>>
>>>>>> Your Platform:
>>>>>>
>>>>>> * Workflow & Automation: Focused on
>>>>>> engineering the world's most advanced
>>>>>> vulnerability coordination platform.
>>>>>> * Signal: Numerous systems, such as
>>>>>> Reputation and hackbot, dedicated to
>>>>>> ensuring high signal programs.
>>>>>> * Transparent: All hackers have a profile,
>>>>>> history and reputation. Advanced public
>>>>>> disclosure workflow when needed.
>>>>>>
>>>>>>
>>>>>> You are in Control:
>>>>>>
>>>>>> * Flexible: Run private or public programs,
>>>>>> with or without bounties, managed or
>>>>>> unmanaged.
>>>>>> * Ownership: You own your data. HackerOne
>>>>>> makes no claims on Vulnerability Information.
>>>>>> * Multiparty Coordination: Easily pull in
>>>>>> other vendors or external parties into a
>>>>>> case.
>>>>>>
>>>>>> Service Donation:
>>>>>>
>>>>>> * Waive bounty service fees
>>>>>> * Donate HackerOne Enterprise and a
>>>>>> dedicated success manager for min 2 years.
>>>>>>
>>>>>> FREE Program
>>>>>>
>>>>>> * [email protected] Workflow
>>>>>> * Hacker Reputation
>>>>>> * Intelligent Duplication Detection
>>>>>> * Automation
>>>>>> * Issue Tracker Integration
>>>>>> * Analytics Dashboard
>>>>>>
>>>>>> PROFESSIONAL Program ($2k/mo)
>>>>>>
>>>>>> * Everything in Free
>>>>>> * Advanced Hacker Matching
>>>>>> * Performance Benchmarking
>>>>>> * Launch & Optimization Guidance
>>>>>> * Report Mediation
>>>>>> * Reports API
>>>>>>
>>>>>> ENTERPRISE Program:
>>>>>>
>>>>>> * Everything in Professional
>>>>>> * Dedicated Success Manager
>>>>>> * Custom Analytics & Reporting
>>>>>> * Custom Integrations
>>>>>> * Custom Branding Theme
>>>>>> * Communications Guidance
>>>>>>
>>>>>> ADD ON: Bug Bounty Global Payments (Included
>>>>>> in our deal)
>>>>>>
>>>>>> ADD ON: HackerOne Managed - Triage,
>>>>>> Reproduction & Remediation Guidance (Not
>>>>>> included today in the proposal. Implemented
>>>>>> by partners. Need to negotiate this.)
>>>>>>
>>>>>> * Would propose to have a separate instance
>>>>>> for each project + OWASP Foundation resources
>>>>>> * Do not want anything in return. Support
>>>>>> the OWASP Foundation and what we are doing.
>>>>>> * Have a built in leaderboard sortable by
>>>>>> timeframe
>>>>>> * Ranks hackers based on "signal" and "impact"
>>>>>> * Have an integration with Salesforce ticketing
>>>>>> * Support a wide range of common disclosure
>>>>>> scenarios such as "public disclosure". By
>>>>>> default they are confidential.
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Johanna Curiel
>>>>> OWASP Volunteer