[Owasp-board] Bugcrowd for OWASP Projects

Josh Sokol josh.sokol at owasp.org
Sat Jan 16 16:55:31 UTC 2016


I am all for vendor neutrality, but that doesn't mean that we have to put
out an RFP for proposed sponsorships.  If that were the case, every time a
vendor asked to sponsor one of our conferences, then we would need to put
out an RFP to see if any other vendors wanted to sponsor as well.  Do we do
an RFP for every company that wants a corporate OWASP membership?  The only
difference here is that they would like to offer us their service instead
of a check.  As Kelly said, we just need to evaluate if that is worth more
than the money to us.

If you feel passionately about this, then perhaps you would like to engage
other similar vendors and see if they would be interested in offering up a
similar barter-in-trade agreement?  Personally, I see value in what Bug
Crowd is offering us as it supports discussions that I've seen OWASP
Leaders have in the past and it seems like something that adds value to the
OWASP Projects platform given some of the recent discussions around why
someone would choose to be an OWASP project.  If we were paying Bug Crowd
for their services, then I would absolutely agree with you and if they
propose any sort of a fee, then I don't think I would be in favor of it
either.  But if they're truly offering their platform to us to use for
free for the OWASP Foundation and its projects, then I see A LOT of value
there and would like to at least have the conversations with them.


On Sat, Jan 16, 2016 at 1:05 AM, Jim Manico <jim.manico at owasp.org> wrote:

> Josh,
> We have a special duty towards vendor neutrality in our space (appsec).
> Salesforce, Amazon and Microsoft are not really application security
> providers. Bug Crowd is, so I think we need to treat this situation a bit
> differently than we do other providers.
> - Jim
> On 1/15/16 8:07 PM, Josh Sokol wrote:
> Looking at this old page here:
> https://owasp.org/index.php/Membership/members
> At least at some point in time we had Barter-In-Trade agreements.  I had
> thought that SalesForce was one of them, but it sounds like that's wrong.
> I think that Rackspace is another.  I don't think we ever went to Amazon,
> Microsoft, etc to ask them if they would be interested in hosting us
> instead of Rackspace when they offered us a trade.  I don't really see this
> as being any different.  From what he was telling me, it sounds like Bug
> Crowd is offering to let us use their platform to manage bounties for
> free.  I don't see that as a vendor selling us something, I see it as a
> vendor sponsoring something.  Yes, it costs money to run a bug bounty, but
> this would allow all of our money to go toward rewarding the bugs, instead
> of some portion going towards managing the program.  Personally, I have no
> affinity towards Bug Crowd so if Hackerone or another similar company is
> offering us something better, I would be inclined to take that instead.
> But, at least right now, Bug Crowd approached me about it.  I think it's at
> least worth exploring.  It sounds like it would make sense if we pulled
> together a small team of Johanna, Kelly, Claudia, and me to evaluate the
> opportunity and potential.  If anyone else is interested in participating,
> let me know.  Oscar, the account executive from Bug Crowd, is supposed to
> send me a note next week and I will make introductions then.  Cool?
> ~josh
> On Fri, Jan 15, 2016 at 5:08 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> Folks,
>> I feel that overall we've been doing a lot of free advertising for
>> Bugcrowd. I think they should be treated like a *vendor* (paying us for
>> advertisement), and not a service provider (we pay them to use their
>> platform).
>> If we want to pay them as a service provider, then I feel we should do an
>> open RFC and let the other bounty platforms bid.
>> - Jim
>> On 1/15/16 4:06 AM, Josh Sokol wrote:
>> Bugcrowd sponsored the Austin Security Professionals Happy Hour last
>> night and I had a brief conversation with one of their account guys.  He
>> mentioned to me that they were working with Sarah in the past on a possible
>> barter sponsorship of OWASP.  He mentioned something like a Silver
>> sponsorship in exchange for using Bugcrowd's platform for managing the
>> testing of OWASP projects.  Since there have been some discussions around
>> that in the past, I figured it was worthwhile to at least bring it to the
>> group for discussion.  I would assume that we would still be responsible
>> for paying out bounties, but they would donate the management of the
>> program to us.  I'm happy to get the conversation started if we'd be
>> interested or tell him no if we're not.  I'd be interested in hearing your
>> thoughts.
>> ~josh