[Owasp-board] Bugcrowd for OWASP Projects
Jim Manico
jim.manico at owasp.org
Sat Jan 16 20:14:24 UTC 2016
This is not about conferences to me, it's about hiring a service provider
from what I have read. If we are going to hire any service provider -
especially in the AppSec space - a public call is more "vendor neutral".
If BugCrowd is paying US to sponsor an event, then of course rock on.
But if we are paying them? RFP seems reasonable.
- Jim
On 1/16/16 6:55 AM, Josh Sokol wrote:
> Jim,
>
> I am all for vendor neutrality, but that doesn't mean that we have to
> put out an RFP for proposed sponsorships. If that were the case, every
> time a vendor asked to sponsor one of our conferences, then we would
> need to put out an RFP to see if any other vendors wanted to sponsor as
> well. Do we do an RFP for every company that wants a corporate OWASP
> membership? The only difference here is that they would like to offer
> us their service instead of a check. As Kelly said, we just need to
> evaluate if that is worth more than the money to us.
>
> If you feel passionately about this, then perhaps you would like to
> engage other similar vendors and see if they would be interested in
> offering up a similar barter-in-trade agreement? Personally, I see
> value in what Bug Crowd is offering us as it supports discussions that
> I've seen OWASP Leaders have in the past and it seems like something
> that adds value to the OWASP Projects platform given some of the
> recent discussions around why someone would choose to be an OWASP
> project. If we were paying Bug Crowd for their services, then I would
> absolutely agree with you and if they propose any sort of a fee, then
> I don't think I would be in favor of it either. But if they're truly
> offering their platform to us to use for free for the OWASP
> Foundation and its projects, then I see A LOT of value there and
> would like to at least have the conversations with them.
>
> ~josh
>
> On Sat, Jan 16, 2016 at 1:05 AM, Jim Manico <jim.manico at owasp.org
> <mailto:jim.manico at owasp.org>> wrote:
>
> Josh,
>
> We have a special duty towards vendor neutrality in our space
> (appsec). Salesforce, Amazon and Microsoft are not really
> application security providers. Bug Crowd is, so I think we need
> to treat this situation a bit differently than we do other providers.
>
> - Jim
>
>
> On 1/15/16 8:07 PM, Josh Sokol wrote:
>> Looking at this old page here:
>>
>> https://owasp.org/index.php/Membership/members
>>
>> At least at some point in time we had Barter-In-Trade
>> agreements. I had thought that SalesForce was one of them, but
>> it sounds like that's wrong. I think that Rackspace is another.
>> I don't think we ever went to Amazon, Microsoft, etc to ask them
>> if they would be interested in hosting us instead of Rackspace
>> when they offered us a trade. I don't really see this as being
>> any different. From what he was telling me, it sounds like Bug
>> Crowd is offering to let us use their platform to manage bounties
>> for free. I don't see that as a vendor selling us something, I
>> see it as a vendor sponsoring something. Yes, it costs money to
>> run a bug bounty, but this would allow all of our money to go
>> toward rewarding the bugs, instead of some portion going towards
>> managing the program. Personally, I have no affinity towards Bug
>> Crowd so if Hackerone or another similar company is offering us
>> something better, I would be inclined to take that instead. But,
>> at least right now, Bug Crowd approached me about it. I think
>> it's at least worth exploring. It sounds like it would make
>> sense if we pulled together a small team of Johanna, Kelly,
>> Claudia, and me to evaluate the opportunity and potential. If
>> anyone else is interested in participating, let me know. Oscar,
>> the account executive from Bug Crowd, is supposed to send me a
>> note next week and I will make introductions then. Cool?
>>
>> ~josh
>>
>> On Fri, Jan 15, 2016 at 5:08 PM, Jim Manico <jim.manico at owasp.org
>> <mailto:jim.manico at owasp.org>> wrote:
>>
>> Folks,
>>
>> I feel that overall we've been doing a lot of free
>> advertising for Bugcrowd. I think they should be treated like
>> a *vendor* (paying us for advertisement), and not a service
>> provider (we pay them to use their platform).
>>
>> If we want to pay them as a service provider, then I feel we
>> should do an open RFC and let the other bounty platforms bid.
>>
>> - Jim
>>
>> On 1/15/16 4:06 AM, Josh Sokol wrote:
>>> Bugcrowd sponsored the Austin Security Professionals Happy
>>> Hour last night and I had a brief conversation with one of
>>> their account guys. He mentioned to me that they were
>>> working with Sarah in the past on a possible barter
>>> sponsorship of OWASP. He mentioned something like a Silver
>>> sponsorship in exchange for using Bugcrowd's platform for
>>> managing the testing of OWASP projects. Since there have
>>> been some discussions around that in the past, I figured it
>>> was worthwhile to at least bring it to the group for
>>> discussion. I would assume that we would still be
>>> responsible for paying out bounties, but they would donate
>>> the management of the program to us. I'm happy to get the
>>> conversation started if we'd be interested or tell him no if
>>> we're not. I'd be interested in hearing your thoughts.
>>>
>>> ~josh
>>>
>>>
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>
>>
>
>