[Owasp-board] Bugcrowd for OWASP Projects

Jim Manico jim.manico at owasp.org
Sat Jan 16 23:08:34 UTC 2016

I'm suggesting that vendor neutrality dictates that we give other bug 
tracking platforms a chance to bid on this.

It is just a suggestion, I don't have anything further to say on this 

- Jim

On 1/16/16 12:14 PM, johanna curiel curiel wrote:
> Jim, I think that this barter deal is not equal to hire or by their 
> services,  we are not 'hiring'.
> They have offered a barter deal in exchange of publicity.
> So you expect that other similar service provider will offer a barter 
> deal? Are you aware that these services cost 25K?
> We are not 'paying' them, and we should not assume that other vendors 
> will actually accept such deal
> On Sat, Jan 16, 2016 at 4:14 PM, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>     This is not about conferences to me, its about hiring a service
>     provider from what I have read. If we are going to hire any
>     service provider - especially in the AppSec space - a public call
>     is more "vendor neutral".
>     If BugCrowd is paying US to sponsor an event, then of course rock
>     on. But if we are paying them? RFP seems reasonable.
>     - Jim
>     On 1/16/16 6:55 AM, Josh Sokol wrote:
>>     Jim,
>>     I am all for vendor neutrality, but that doesn't mean that we
>>     have to put out a RFP for proposed sponsorships.  If that were
>>     the case, every time a vendor asked to sponsor one of our
>>     conferences, then we would need to put out a RFP to see if any
>>     other vendors wanted to sponsor as well.  Do we do an RFP for
>>     every company that wants a corporate OWASP membership?  The only
>>     difference here is that they would like to offer us their service
>>     instead of a check.  As Kelly said, we just need to evaluate if
>>     that is worth more than the money to us.
>>     If you feel passionately about this, then perhaps you would like
>>     to engage other similar vendors and see if they would be
>>     interested in offering up a similar barter-in-trade agreement? 
>>     Personally, I see value in what Bug Crowd is offering us as it
>>     supports discussions that I've seen OWASP Leaders have in the
>>     past and it seems like something that adds value to the OWASP
>>     Projects platform given some of the recent discussions around why
>>     someone would choose to be an OWASP project.  If we were paying
>>     Bug Crowd for their services, then I would absolutely agree with
>>     you and if they propose any sort of a fee, then I don't think I
>>     would be in favor of it either.  But if they're truly offering us
>>     their platform to us to use for free for the OWASP Foundation and
>>     it's projects, then I see A LOT of value there and would like to
>>     at least have the conversations with them.
>>     ~josh
>>     On Sat, Jan 16, 2016 at 1:05 AM, Jim Manico <jim.manico at owasp.org
>>     <mailto:jim.manico at owasp.org>> wrote:
>>         Josh,
>>         We have a special duty towards vendor neutrality in our space
>>         (appsec). Salesforce, Amazon and Microsoft are not really
>>         application security providers. Bug Crowd is, so I think we
>>         need to treat this situation a bit differently than we do
>>         other providers.
>>         - Jim
>>         On 1/15/16 8:07 PM, Josh Sokol wrote:
>>>         Looking at this old page here:
>>>         https://owasp.org/index.php/Membership/members
>>>         At least at some point in time we had Barter-In-Trade
>>>         agreements.  I had thought that SalesForce was one of them,
>>>         but it sounds like that's wrong.  I think that Rackspace is
>>>         another.  I don't think we ever went to Amazon, Microsoft,
>>>         etc to ask them if they would be interested in hosting us
>>>         instead of Rackspace when they offered us a trade.  I don't
>>>         really see this as being any different.  From what he was
>>>         telling me, it sounds like Bug Crowd is offering to let us
>>>         use their platform to manage bounties for free.  I don't see
>>>         that as a vendor selling us something, I see it as a vendor
>>>         sponsoring something.  Yes, it costs money to run a bug
>>>         bounty, but this would allow all of our money to go toward
>>>         rewarding the bugs, instead of some portion going towards
>>>         managing the program.  Personally, I have no affinity
>>>         towards Bug Crowd so if Hackerone or another similar company
>>>         is offering us something better, I would be inclined to take
>>>         that instead. But, at least right now, Bug Crowd approached
>>>         me about it.  I think it's at least worth exploring.  It
>>>         sounds like it would make sense if we pulled together a
>>>         small team of Johanna, Kelly, Claudia, and me to evaluate
>>>         the opportunity and potential.  If anyone else is interested
>>>         in participating, let me know.  Oscar, the account executive
>>>         from Bug Crowd, is supposed to send me a note next week and
>>>         I will make introductions then.  Cool?
>>>         ~josh
>>>         On Fri, Jan 15, 2016 at 5:08 PM, Jim Manico
>>>         <jim.manico at owasp.org <mailto:jim.manico at owasp.org>> wrote:
>>>             Folks,
>>>             I feel that overall we've been doing a lot of free
>>>             advertising for bugcroud. I think they should be treated
>>>             like an *vendor* (paying us for advertisement), and not
>>>             a service provider (we pay them to use their platform).
>>>             If we want to pay them as a service provider, then I
>>>             feel we should do an open RFC and let the other bounty
>>>             platforms bid.
>>>             - Jim
>>>             On 1/15/16 4:06 AM, Josh Sokol wrote:
>>>>             Bugcrowd sponsored the Austin Security Professionals
>>>>             Happy Hour last night and I had a brief conversation
>>>>             with one of their account guys.  He mentioned to me
>>>>             that they were working with Sarah in the past on a
>>>>             possible barter sponsorship of OWASP.  He mentioned
>>>>             something like a Silver sponsorship in exchange for
>>>>             using Bugcrowd's platform for managing the testing of
>>>>             OWASP projects.  Since there has been some discussions
>>>>             around that in the past, I figured it was worthwhile to
>>>>             at least bring it to the group for discussion.  I would
>>>>             assume that we would still be responsible for paying
>>>>             out bounties, but they would donate the management of
>>>>             the program to us.  I'm happy to get the conversation
>>>>             started if we'd be interested or tell him no if we're
>>>>             not.  I'd be interested in hearing your thoughts.
>>>>             ~josh
>>>>             _______________________________________________
>>>>             Owasp-board mailing list
>>>>             Owasp-board at lists.owasp.org
>>>>             <mailto:Owasp-board at lists.owasp.org>
>>>>             https://lists.owasp.org/mailman/listinfo/owasp-board

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20160116/102fde80/attachment-0001.html>

More information about the Owasp-board mailing list