[Owasp-board] Bugcrowd for OWASP Projects

Josh Sokol josh.sokol at owasp.org
Fri Jan 15 14:38:43 UTC 2016


I'm pretty sure that defining scope and payout is part of the onboarding
process with them.  If you would like, I would be happy to pass along their
contact information.  I know you've been passionate about the bug bounty
stuff in the past (why I added you to this thread) and it seems like you
would be a natural fit to lead such an effort if you're interested.  I see
a lot of value in doing it, but personally don't have the time to run with
it.  If not, we could put out a call for help on the Leaders list, assuming
that the Board/ED would be supportive of such an initiative.

~josh

On Fri, Jan 15, 2016 at 8:16 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Hi Josh
>
> This is indeed great news. I believe that as part of a QA review we could
> use this for projects focused on building secure libraries (defenders)
> such as CSRFGuard or ModProxy rules.
>
> Still, we will need to define a clear scope so we pay a bounty for very
> specific test cases.
> Some action points we could take to make this a concrete proposal:
>
>    - Define the type of projects that can participate in the Bugcrowd
>    program (security libraries?)
>    - Make this testing part of the review and graduation process
>    - Define a scope for testing specific security issues based on the
>    level of protection offered by the security library
>    - Define a scope for functional issues?
>
> Some ideas
>
> regards
>
> Johanna
>
> On Fri, Jan 15, 2016 at 10:06 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> Bugcrowd sponsored the Austin Security Professionals Happy Hour last
>> night and I had a brief conversation with one of their account guys.  He
>> mentioned to me that they were working with Sarah in the past on a possible
>> barter sponsorship of OWASP.  He mentioned something like a Silver
>> sponsorship in exchange for using Bugcrowd's platform for managing the
>> testing of OWASP projects.  Since there have been some discussions around
>> that in the past, I figured it was worthwhile to at least bring it to the
>> group for discussion.  I would assume that we would still be responsible
>> for paying out bounties, but they would donate the management of the
>> program to us.  I'm happy to get the conversation started if we'd be
>> interested or tell him no if we're not.  I'd be interested in hearing your
>> thoughts.
>>
>> ~josh
>>
>
>