[Owasp-board] Bugcrowd for OWASP Projects

Jim Manico jim.manico at owasp.org
Sat Jan 16 20:14:24 UTC 2016

This is not about conferences to me, its about hiring a service provider 
from what I have read. If we are going to hire any service provider - 
especially in the AppSec space - a public call is more "vendor neutral".

If BugCrowd is paying US to sponsor an event, then of course rock on. 
But if we are paying them? RFP seems reasonable.

- Jim

On 1/16/16 6:55 AM, Josh Sokol wrote:
> Jim,
> I am all for vendor neutrality, but that doesn't mean that we have to 
> put out a RFP for proposed sponsorships.  If that were the case, every 
> time a vendor asked to sponsor one of our conferences, then we would 
> need to put out a RFP to see if any other vendors wanted to sponsor as 
> well.  Do we do an RFP for every company that wants a corporate OWASP 
> membership?  The only difference here is that they would like to offer 
> us their service instead of a check.  As Kelly said, we just need to 
> evaluate if that is worth more than the money to us.
> If you feel passionately about this, then perhaps you would like to 
> engage other similar vendors and see if they would be interested in 
> offering up a similar barter-in-trade agreement?  Personally, I see 
> value in what Bug Crowd is offering us as it supports discussions that 
> I've seen OWASP Leaders have in the past and it seems like something 
> that adds value to the OWASP Projects platform given some of the 
> recent discussions around why someone would choose to be an OWASP 
> project.  If we were paying Bug Crowd for their services, then I would 
> absolutely agree with you and if they propose any sort of a fee, then 
> I don't think I would be in favor of it either.  But if they're truly 
> offering us their platform to us to use for free for the OWASP 
> Foundation and it's projects, then I see A LOT of value there and 
> would like to at least have the conversations with them.
> ~josh
> On Sat, Jan 16, 2016 at 1:05 AM, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>     Josh,
>     We have a special duty towards vendor neutrality in our space
>     (appsec). Salesforce, Amazon and Microsoft are not really
>     application security providers. Bug Crowd is, so I think we need
>     to treat this situation a bit differently than we do other providers.
>     - Jim
>     On 1/15/16 8:07 PM, Josh Sokol wrote:
>>     Looking at this old page here:
>>     https://owasp.org/index.php/Membership/members
>>     At least at some point in time we had Barter-In-Trade
>>     agreements.  I had thought that SalesForce was one of them, but
>>     it sounds like that's wrong.  I think that Rackspace is another. 
>>     I don't think we ever went to Amazon, Microsoft, etc to ask them
>>     if they would be interested in hosting us instead of Rackspace
>>     when they offered us a trade.  I don't really see this as being
>>     any different.  From what he was telling me, it sounds like Bug
>>     Crowd is offering to let us use their platform to manage bounties
>>     for free.  I don't see that as a vendor selling us something, I
>>     see it as a vendor sponsoring something.  Yes, it costs money to
>>     run a bug bounty, but this would allow all of our money to go
>>     toward rewarding the bugs, instead of some portion going towards
>>     managing the program.  Personally, I have no affinity towards Bug
>>     Crowd so if Hackerone or another similar company is offering us
>>     something better, I would be inclined to take that instead.  But,
>>     at least right now, Bug Crowd approached me about it.  I think
>>     it's at least worth exploring.  It sounds like it would make
>>     sense if we pulled together a small team of Johanna, Kelly,
>>     Claudia, and me to evaluate the opportunity and potential.  If
>>     anyone else is interested in participating, let me know. Oscar,
>>     the account executive from Bug Crowd, is supposed to send me a
>>     note next week and I will make introductions then.  Cool?
>>     ~josh
>>     On Fri, Jan 15, 2016 at 5:08 PM, Jim Manico <jim.manico at owasp.org
>>     <mailto:jim.manico at owasp.org>> wrote:
>>         Folks,
>>         I feel that overall we've been doing a lot of free
>>         advertising for bugcroud. I think they should be treated like
>>         an *vendor* (paying us for advertisement), and not a service
>>         provider (we pay them to use their platform).
>>         If we want to pay them as a service provider, then I feel we
>>         should do an open RFC and let the other bounty platforms bid.
>>         - Jim
>>         On 1/15/16 4:06 AM, Josh Sokol wrote:
>>>         Bugcrowd sponsored the Austin Security Professionals Happy
>>>         Hour last night and I had a brief conversation with one of
>>>         their account guys.  He mentioned to me that they were
>>>         working with Sarah in the past on a possible barter
>>>         sponsorship of OWASP.  He mentioned something like a Silver
>>>         sponsorship in exchange for using Bugcrowd's platform for
>>>         managing the testing of OWASP projects.  Since there has
>>>         been some discussions around that in the past, I figured it
>>>         was worthwhile to at least bring it to the group for
>>>         discussion.  I would assume that we would still be
>>>         responsible for paying out bounties, but they would donate
>>>         the management of the program to us.  I'm happy to get the
>>>         conversation started if we'd be interested or tell him no if
>>>         we're not.  I'd be interested in hearing your thoughts.
>>>         ~josh
>>>         _______________________________________________
>>>         Owasp-board mailing list
>>>         Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
>>>         https://lists.owasp.org/mailman/listinfo/owasp-board

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20160116/75c49210/attachment.html>

More information about the Owasp-board mailing list