[Owasp-board] Bugcrowd for OWASP Projects

Tom Brennan - OWASP tomb at owasp.org
Fri Jan 15 15:16:44 UTC 2016


I worked on this actually the strawman was with Casey to do it for OWASP
infrastructure not "projects" related to responsible disclosure of
vulns in OWASP and OWASP would pay bounty findings think all public facing
OWASP stuff

There was similar discussion with Synack https://www.synack.com/ and Hacker
One https://hackerone.com/ too

barter is great in addition to membership of the owasp foundation but
barter should not be a vehicle to free membership.



On Friday, January 15, 2016, Josh Sokol <josh.sokol at owasp.org> wrote:

> I'm pretty sure that defining scope and payout is part of the onboarding
> process with them.  If you would like, I would be happy to pass along their
> contact information.  I know you've been passionate about the bug bounty
> stuff in the past (why I added you to this thread) and it seems like you
> would be a natural fit to lead such an effort if you're interested.  I see
> a lot of value in doing it, but personally don't have the time to run with
> it.  If not, we could put out a call for help on the Leaders list, assuming
> that the Board/ED would be supportive of such an initiative.
>
> ~josh
>
> On Fri, Jan 15, 2016 at 8:16 AM, johanna curiel curiel <
> johanna.curiel at owasp.org
> <javascript:_e(%7B%7D,'cvml','johanna.curiel at owasp.org');>> wrote:
>
>> Hi Josh
>>
>> This is indeed great news. I believe that as part of a QA review we could
>> use this for projects focused to build secure libraries(defenders)
>> such as CRSFGuard or ModProxy rules.
>>
>> Still, we will need to define a clear scope so we pay a bounty for very
>> specific test cases.
>> Some actions points we could take to make this a concrete proposal:
>>
>>    - Define the type of projects that can participate in the Bugcrowd
>>    program (security libraries?)
>>    - Make this testing part of the review and graduation process
>>    - Define a scope for testing specific security issues based on the
>>    level of protection offered by the security library
>>    - Define a scope for functional issues?
>>
>> Some ideas
>>
>> regards
>>
>> Johanna
>>
>> On Fri, Jan 15, 2016 at 10:06 AM, Josh Sokol <josh.sokol at owasp.org
>> <javascript:_e(%7B%7D,'cvml','josh.sokol at owasp.org');>> wrote:
>>
>>> Bugcrowd sponsored the Austin Security Professionals Happy Hour last
>>> night and I had a brief conversation with one of their account guys.  He
>>> mentioned to me that they were working with Sarah in the past on a possible
>>> barter sponsorship of OWASP.  He mentioned something like a Silver
>>> sponsorship in exchange for using Bugcrowd's platform for managing the
>>> testing of OWASP projects.  Since there has been some discussions around
>>> that in the past, I figured it was worthwhile to at least bring it to the
>>> group for discussion.  I would assume that we would still be responsible
>>> for paying out bounties, but they would donate the management of the
>>> program to us.  I'm happy to get the conversation started if we'd be
>>> interested or tell him no if we're not.  I'd be interested in hearing your
>>> thoughts.
>>>
>>> ~josh
>>>
>>
>>
>

-- 

Tom Brennan
Global Board of Directors / NYC/NJ Metro Chapter Leader
(d) 973-506-9304

OWASP Foundation | www.owasp.org

-- 
The information contained in this message and any attachments may be 
privileged, confidential, proprietary or otherwise protected from 
disclosure. If you, the reader of this message, are not the intended 
recipient, you are hereby notified that any dissemination, distribution, 
copying or use of this message and any attachment is strictly prohibited. 
If you have received this message in error, please notify the sender 
immediately by replying to the message, permanently delete it from your 
computer and destroy any printout.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20160115/e140ed31/attachment.html>


More information about the Owasp-board mailing list