[Owasp-board] Bugcrowd for OWASP Projects

Jim Manico jim.manico at owasp.org
Sat Jan 16 07:05:10 UTC 2016


We have a special duty towards vendor neutrality in our space (appsec). 
Salesforce, Amazon and Microsoft are not really application security 
providers. Bug Crowd is, so I think we need to treat this situation a 
bit differently than we do other providers.

- Jim

On 1/15/16 8:07 PM, Josh Sokol wrote:
> Looking at this old page here:
> https://owasp.org/index.php/Membership/members
> At least at some point in time we had Barter-In-Trade agreements.  I 
> had thought that SalesForce was one of them, but it sounds like that's 
> wrong.  I think that Rackspace is another.  I don't think we ever went 
> to Amazon, Microsoft, etc to ask them if they would be interested in 
> hosting us instead of Rackspace when they offered us a trade.  I don't 
> really see this as being any different.  From what he was telling me, 
> it sounds like Bug Crowd is offering to let us use their platform to 
> manage bounties for free.  I don't see that as a vendor selling us 
> something, I see it as a vendor sponsoring something.  Yes, it costs 
> money to run a bug bounty, but this would allow all of our money to go 
> toward rewarding the bugs, instead of some portion going towards 
> managing the program. Personally, I have no affinity towards Bug Crowd 
> so if Hackerone or another similar company is offering us something 
> better, I would be inclined to take that instead.  But, at least right 
> now, Bug Crowd approached me about it.  I think it's at least worth 
> exploring.  It sounds like it would make sense if we pulled together a 
> small team of Johanna, Kelly, Claudia, and me to evaluate the 
> opportunity and potential.  If anyone else is interested in 
> participating, let me know. Oscar, the account executive from Bug 
> Crowd, is supposed to send me a note next week and I will make 
> introductions then. Cool?
> ~josh
> On Fri, Jan 15, 2016 at 5:08 PM, Jim Manico <jim.manico at owasp.org> wrote:
>     Folks,
>     I feel that overall we've been doing a lot of free advertising for
>     bugcrowd. I think they should be treated like a *vendor* (paying
>     us for advertisement), and not a service provider (we pay them to
>     use their platform).
>     If we want to pay them as a service provider, then I feel we
>     should do an open RFC and let the other bounty platforms bid.
>     - Jim
>     On 1/15/16 4:06 AM, Josh Sokol wrote:
>>     Bugcrowd sponsored the Austin Security Professionals Happy Hour
>>     last night and I had a brief conversation with one of their
>>     account guys.  He mentioned to me that they were working with
>>     Sarah in the past on a possible barter sponsorship of OWASP.  He
>>     mentioned something like a Silver sponsorship in exchange for
>>     using Bugcrowd's platform for managing the testing of OWASP
>>     projects.  Since there has been some discussions around that in
>>     the past, I figured it was worthwhile to at least bring it to the
>>     group for discussion.  I would assume that we would still be
>>     responsible for paying out bounties, but they would donate the
>>     management of the program to us.  I'm happy to get the
>>     conversation started if we'd be interested or tell him no if
>>     we're not. I'd be interested in hearing your thoughts.
>>     ~josh
