[Owasp-board] Bugcrowd for OWASP Projects

Josh Sokol josh.sokol at owasp.org
Sat Jan 16 06:07:11 UTC 2016

Looking at this old page here:


At least at some point in time we had Barter-In-Trade agreements.  I had
thought that SalesForce was one of them, but it sounds like that's wrong.
I think that Rackspace is another.  I don't think we ever went to Amazon,
Microsoft, etc to ask them if they would be interested in hosting us
instead of Rackspace when they offered us a trade.  I don't really see this
as being any different.  From what he was telling me, it sounds like Bug
Crowd is offering to let us use their platform to manage bounties for
free.  I don't see that as a vendor selling us something, I see it as a
vendor sponsoring something.  Yes, it costs money to run a bug bounty, but
this would allow all of our money to go toward rewarding the bugs, instead
of some portion going towards managing the program.  Personally, I have no
affinity towards Bug Crowd so if Hackerone or another similar company is
offering us something better, I would be inclined to take that instead.
But, at least right now, Bug Crowd approached me about it.  I think it's at
least worth exploring.  It sounds like it would make sense if we pulled
together a small team of Johanna, Kelly, Claudia, and me to evaluate the
opportunity and potential.  If anyone else is interested in participating,
let me know.  Oscar, the account executive from Bug Crowd, is supposed to
send me a note next week and I will make introductions then.  Cool?


On Fri, Jan 15, 2016 at 5:08 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Folks,
> I feel that overall we've been doing a lot of free advertising for
> Bugcrowd. I think they should be treated like a *vendor* (paying us for
> advertisement), and not a service provider (we pay them to use their
> platform).
> If we want to pay them as a service provider, then I feel we should do an
> open RFC and let the other bounty platforms bid.
> - Jim
> On 1/15/16 4:06 AM, Josh Sokol wrote:
> Bugcrowd sponsored the Austin Security Professionals Happy Hour last night
> and I had a brief conversation with one of their account guys.  He
> mentioned to me that they were working with Sarah in the past on a possible
> barter sponsorship of OWASP.  He mentioned something like a Silver
> sponsorship in exchange for using Bugcrowd's platform for managing the
> testing of OWASP projects.  Since there have been some discussions around
> that in the past, I figured it was worthwhile to at least bring it to the
> group for discussion.  I would assume that we would still be responsible
> for paying out bounties, but they would donate the management of the
> program to us.  I'm happy to get the conversation started if we'd be
> interested or tell him no if we're not.  I'd be interested in hearing your
> thoughts.
> ~josh
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board