[Owasp-board] Bugcrowd for OWASP Projects
jim.manico at owasp.org
Sat Jan 16 07:05:10 UTC 2016
We have a special duty towards vendor neutrality in our space (appsec).
Salesforce, Amazon and Microsoft are not really application security
providers. Bug Crowd is, so I think we need to treat this situation a
bit differently than we do other providers.
On 1/15/16 8:07 PM, Josh Sokol wrote:
> Looking at this old page here:
> At least at some point in time we had Barter-In-Trade agreements. I
> had thought that SalesForce was one of them, but it sounds like that's
> wrong. I think that Rackspace is another. I don't think we ever went
> to Amazon, Microsoft, etc to ask them if they would be interested in
> hosting us instead of Rackspace when they offered us a trade. I don't
> really see this as being any different. From what he was telling me,
> it sounds like Bug Crowd is offering to let us use their platform to
> manage bounties for free. I don't see that as a vendor selling us
> something, I see it as a vendor sponsoring something. Yes, it costs
> money to run a bug bounty, but this would allow all of our money to go
> toward rewarding the bugs, instead of some portion going towards
> managing the program. Personally, I have no affinity towards Bug Crowd
> so if Hackerone or another similar company is offering us something
> better, I would be inclined to take that instead. But, at least right
> now, Bug Crowd approached me about it. I think it's at least worth
> exploring. It sounds like it would make sense if we pulled together a
> small team of Johanna, Kelly, Claudia, and me to evaluate the
> opportunity and potential. If anyone else is interested in
> participating, let me know. Oscar, the account executive from Bug
> Crowd, is supposed to send me a note next week and I will make
> introductions then. Cool?
> On Fri, Jan 15, 2016 at 5:08 PM, Jim Manico <jim.manico at owasp.org> wrote:
> I feel that overall we've been doing a lot of free advertising for
> Bugcrowd. I think they should be treated like a *vendor* (paying
> us for advertisement), and not a service provider (we pay them to
> use their platform).
> If we want to pay them as a service provider, then I feel we
> should do an open RFC and let the other bounty platforms bid.
> - Jim
> On 1/15/16 4:06 AM, Josh Sokol wrote:
>> Bugcrowd sponsored the Austin Security Professionals Happy Hour
>> last night and I had a brief conversation with one of their
>> account guys. He mentioned to me that they were working with
>> Sarah in the past on a possible barter sponsorship of OWASP. He
>> mentioned something like a Silver sponsorship in exchange for
>> using Bugcrowd's platform for managing the testing of OWASP
>> projects. Since there have been some discussions around that in
>> the past, I figured it was worthwhile to at least bring it to the
>> group for discussion. I would assume that we would still be
>> responsible for paying out bounties, but they would donate the
>> management of the program to us. I'm happy to get the
>> conversation started if we'd be interested or tell him no if
>> we're not. I'd be interested in hearing your thoughts.