[Owasp-board] Bugcrowd for OWASP Projects

Tom Brennan tomb at owasp.org
Sun Jan 17 15:26:53 UTC 2016

It is my position that barter for global corporate membership with
a voting right is a bad idea. That is not membership.

Donation of tools, people, or products to the foundation to make the foundation
better is added value, welcomed and celebrated; it should never be traded
for membership and voting rights in any professional association that has
membership goals.

Therefore I recommend we address this as a Foundation core topic that
affects job responsibilities and process for discussion, to set the record
straight and vote on it. Topic: "Barter"


On Saturday, January 16, 2016, Jim Manico <jim.manico at owasp.org> wrote:

> I'm suggesting that vendor neutrality dictates that we give other bug
> tracking platforms a chance to bid on this.
> It is just a suggestion, I don't have anything further to say on this
> matter.
> - Jim
> On 1/16/16 12:14 PM, johanna curiel curiel wrote:
> Jim, I think that this barter deal is not equal to hiring or buying their
> services; we are not 'hiring'.
> They have offered a barter deal in exchange for publicity.
> So you expect that other similar service providers will offer a barter
> deal? Are you aware that these services cost 25K?
> We are not 'paying' them, and we should not assume that other vendors will
> actually accept such a deal.
> On Sat, Jan 16, 2016 at 4:14 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> This is not about conferences to me, it's about hiring a service provider
>> from what I have read. If we are going to hire any service provider -
>> especially in the AppSec space - a public call is more "vendor neutral".
>> If BugCrowd is paying US to sponsor an event, then of course rock on. But
>> if we are paying them? RFP seems reasonable.
>> - Jim
>> On 1/16/16 6:55 AM, Josh Sokol wrote:
>> Jim,
>> I am all for vendor neutrality, but that doesn't mean that we have to put
>> out an RFP for proposed sponsorships.  If that were the case, every time a
>> vendor asked to sponsor one of our conferences, then we would need to put
>> out an RFP to see if any other vendors wanted to sponsor as well.  Do we do
>> an RFP for every company that wants a corporate OWASP membership?  The only
>> difference here is that they would like to offer us their service instead
>> of a check.  As Kelly said, we just need to evaluate if that is worth more
>> than the money to us.
>> If you feel passionately about this, then perhaps you would like to
>> engage other similar vendors and see if they would be interested in
>> offering up a similar barter-in-trade agreement?  Personally, I see value
>> in what Bug Crowd is offering us as it supports discussions that I've seen
>> OWASP Leaders have in the past and it seems like something that adds value
>> to the OWASP Projects platform given some of the recent discussions around
>> why someone would choose to be an OWASP project.  If we were paying Bug
>> Crowd for their services, then I would absolutely agree with you and if
>> they propose any sort of a fee, then I don't think I would be in favor of
>> it either.  But if they're truly offering their platform to us to use
>> for free for the OWASP Foundation and its projects, then I see A LOT of
>> value there and would like to at least have the conversations with them.
>> ~josh
>> On Sat, Jan 16, 2016 at 1:05 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>> Josh,
>>> We have a special duty towards vendor neutrality in our space (appsec).
>>> Salesforce, Amazon and Microsoft are not really application security
>>> providers. Bug Crowd is, so I think we need to treat this situation a bit
>>> differently than we do other providers.
>>> - Jim
>>> On 1/15/16 8:07 PM, Josh Sokol wrote:
>>> Looking at this old page here:
>>> https://owasp.org/index.php/Membership/members
>>> At least at some point in time we had Barter-In-Trade agreements.  I had
>>> thought that SalesForce was one of them, but it sounds like that's wrong.
>>> I think that Rackspace is another.  I don't think we ever went to Amazon,
>>> Microsoft, etc to ask them if they would be interested in hosting us
>>> instead of Rackspace when they offered us a trade.  I don't really see this
>>> as being any different.  From what he was telling me, it sounds like Bug
>>> Crowd is offering to let us use their platform to manage bounties for
>>> free.  I don't see that as a vendor selling us something, I see it as a
>>> vendor sponsoring something.  Yes, it costs money to run a bug bounty, but
>>> this would allow all of our money to go toward rewarding the bugs, instead
>>> of some portion going towards managing the program.  Personally, I have no
>>> affinity towards Bug Crowd so if Hackerone or another similar company is
>>> offering us something better, I would be inclined to take that instead.
>>> But, at least right now, Bug Crowd approached me about it.  I think it's at
>>> least worth exploring.  It sounds like it would make sense if we pulled
>>> together a small team of Johanna, Kelly, Claudia, and me to evaluate the
>>> opportunity and potential.  If anyone else is interested in participating,
>>> let me know.  Oscar, the account executive from Bug Crowd, is supposed to
>>> send me a note next week and I will make introductions then.  Cool?
>>> ~josh
>>> On Fri, Jan 15, 2016 at 5:08 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>> Folks,
>>>> I feel that overall we've been doing a lot of free advertising for
>>>> Bugcrowd. I think they should be treated like a *vendor* (paying us
>>>> for advertisement), and not a service provider (we pay them to use their
>>>> platform).
>>>> If we want to pay them as a service provider, then I feel we should do
>>>> an open RFC and let the other bounty platforms bid.
>>>> - Jim
>>>> On 1/15/16 4:06 AM, Josh Sokol wrote:
>>>> Bugcrowd sponsored the Austin Security Professionals Happy Hour last
>>>> night and I had a brief conversation with one of their account guys.  He
>>>> mentioned to me that they were working with Sarah in the past on a possible
>>>> barter sponsorship of OWASP.  He mentioned something like a Silver
>>>> sponsorship in exchange for using Bugcrowd's platform for managing the
>>>> testing of OWASP projects.  Since there have been some discussions around
>>>> that in the past, I figured it was worthwhile to at least bring it to the
>>>> group for discussion.  I would assume that we would still be responsible
>>>> for paying out bounties, but they would donate the management of the
>>>> program to us.  I'm happy to get the conversation started if we'd be
>>>> interested or tell him no if we're not.  I'd be interested in hearing your
>>>> thoughts.
>>>> ~josh

Tom Brennan