[Owasp-board] Bugcrowd for OWASP Projects

Jim Manico jim.manico at owasp.org
Sat Jan 16 20:09:46 UTC 2016


BugCrowd is an application security platform and they compete with other 
application security providers. I just want to consider that as we 
discuss partnering with them in terms of vendor neutrality.

- Jim

On 1/16/16 3:50 AM, johanna curiel curiel wrote:
> Jim
>
> I'm confused here. In which category of 'vendor' does bugcrowd fall?
>
> So far I know they offer management services to supervise bug 
> hunting activities and penetration testing with researchers subscribed 
> to Bugcrowd.
> This is not a vendor selling a 'security' product like Veracode, 
> Contrast, or Whitehat.
>
> I just would like very much if you can clarify this because I feel the 
> same as Josh regarding his explanation on 'vendor' and the comparison 
> to product services like Microsoft or Salesforce. I think if you are 
> right, then any service or software provider would have to go through 
> the same RFC process.
>
> Cheers
>
> Johanna
>
> On Sat, Jan 16, 2016 at 3:05 AM, Jim Manico <jim.manico at owasp.org> wrote:
>
>     Josh,
>
>     We have a special duty towards vendor neutrality in our space
>     (appsec). Salesforce, Amazon and Microsoft are not really
>     application security providers. Bug Crowd is, so I think we need
>     to treat this situation a bit differently than we do other providers.
>
>     - Jim
>
>
>     On 1/15/16 8:07 PM, Josh Sokol wrote:
>>     Looking at this old page here:
>>
>>     https://owasp.org/index.php/Membership/members
>>
>>     At least at some point in time we had Barter-In-Trade
>>     agreements.  I had thought that SalesForce was one of them, but
>>     it sounds like that's wrong.  I think that Rackspace is another. 
>>     I don't think we ever went to Amazon, Microsoft, etc to ask them
>>     if they would be interested in hosting us instead of Rackspace
>>     when they offered us a trade.  I don't really see this as being
>>     any different.  From what he was telling me, it sounds like Bug
>>     Crowd is offering to let us use their platform to manage bounties
>>     for free.  I don't see that as a vendor selling us something, I
>>     see it as a vendor sponsoring something.  Yes, it costs money to
>>     run a bug bounty, but this would allow all of our money to go
>>     toward rewarding the bugs, instead of some portion going towards
>>     managing the program.  Personally, I have no affinity towards Bug
>>     Crowd so if Hackerone or another similar company is offering us
>>     something better, I would be inclined to take that instead.  But,
>>     at least right now, Bug Crowd approached me about it.  I think
>>     it's at least worth exploring.  It sounds like it would make
>>     sense if we pulled together a small team of Johanna, Kelly,
>>     Claudia, and me to evaluate the opportunity and potential.  If
>>     anyone else is interested in participating, let me know. Oscar,
>>     the account executive from Bug Crowd, is supposed to send me a
>>     note next week and I will make introductions then.  Cool?
>>
>>     ~josh
>>
>>     On Fri, Jan 15, 2016 at 5:08 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>         Folks,
>>
>>         I feel that overall we've been doing a lot of free
>>         advertising for Bugcrowd. I think they should be treated like
>>         a *vendor* (paying us for advertisement), and not a service
>>         provider (we pay them to use their platform).
>>
>>         If we want to pay them as a service provider, then I feel we
>>         should do an open RFC and let the other bounty platforms bid.
>>
>>         - Jim
>>
>>         On 1/15/16 4:06 AM, Josh Sokol wrote:
>>>         Bugcrowd sponsored the Austin Security Professionals Happy
>>>         Hour last night and I had a brief conversation with one of
>>>         their account guys.  He mentioned to me that they were
>>>         working with Sarah in the past on a possible barter
>>>         sponsorship of OWASP.  He mentioned something like a Silver
>>>         sponsorship in exchange for using Bugcrowd's platform for
>>>         managing the testing of OWASP projects.  Since there has
>>>         been some discussions around that in the past, I figured it
>>>         was worthwhile to at least bring it to the group for
>>>         discussion.  I would assume that we would still be
>>>         responsible for paying out bounties, but they would donate
>>>         the management of the program to us.  I'm happy to get the
>>>         conversation started if we'd be interested or tell him no if
>>>         we're not.  I'd be interested in hearing your thoughts.
>>>
>>>         ~josh
>>>
>>>
>>>         _______________________________________________
>>>         Owasp-board mailing list
>>>         Owasp-board at lists.owasp.org
>>>         https://lists.owasp.org/mailman/listinfo/owasp-board
>>
>>
>
>
