[Owasp-board] Bugcrowd for OWASP Projects
Tom Brennan - OWASP
tomb at owasp.org
Fri Jan 15 15:16:44 UTC 2016
I worked on this, actually. The strawman was with Casey to do it for OWASP
infrastructure, not "projects": related to responsible disclosure of
vulns in OWASP, and OWASP would pay bounty findings; think all public facing.
There was similar discussion with Synack https://www.synack.com/ and
HackerOne https://hackerone.com/ too.
Barter is great in addition to membership of the OWASP Foundation, but
barter should not be a vehicle to free membership.
On Friday, January 15, 2016, Josh Sokol <josh.sokol at owasp.org> wrote:
> I'm pretty sure that defining scope and payout is part of the onboarding
> process with them. If you would like, I would be happy to pass along their
> contact information. I know you've been passionate about the bug bounty
> stuff in the past (why I added you to this thread) and it seems like you
> would be a natural fit to lead such an effort if you're interested. I see
> a lot of value in doing it, but personally don't have the time to run with
> it. If not, we could put out a call for help on the Leaders list, assuming
> that the Board/ED would be supportive of such an initiative.
> On Fri, Jan 15, 2016 at 8:16 AM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>> Hi Josh
>> This is indeed great news. I believe that as part of a QA review we could
>> use this for projects focused on building secure libraries (defenders)
>> such as CSRFGuard or ModProxy rules.
>> Still, we will need to define a clear scope so we pay a bounty for very
>> specific test cases.
>> Some actions points we could take to make this a concrete proposal:
>> - Define the type of projects that can participate in the Bugcrowd
>> program (security libraries?)
>> - Make this testing part of the review and graduation process
>> - Define a scope for testing specific security issues based on the
>> level of protection offered by the security library
>> - Define a scope for functional issues?
>> Some ideas
>> On Fri, Jan 15, 2016 at 10:06 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>> Bugcrowd sponsored the Austin Security Professionals Happy Hour last
>>> night and I had a brief conversation with one of their account guys. He
>>> mentioned to me that they were working with Sarah in the past on a possible
>>> barter sponsorship of OWASP. He mentioned something like a Silver
>>> sponsorship in exchange for using Bugcrowd's platform for managing the
>>> testing of OWASP projects. Since there has been some discussions around
>>> that in the past, I figured it was worthwhile to at least bring it to the
>>> group for discussion. I would assume that we would still be responsible
>>> for paying out bounties, but they would donate the management of the
>>> program to us. I'm happy to get the conversation started if we'd be
>>> interested or tell him no if we're not. I'd be interested in hearing your
Global Board of Directors / NYC/NJ Metro Chapter Leader
OWASP Foundation | www.owasp.org