[Owasp-board] Fwd: OWASP + Bugcrowd - Program Proposal Details - Next Steps
josh.sokol at owasp.org
Fri Jan 22 20:11:57 UTC 2016
OWASP Board and Paul,
Kelly, Claudia, and I took some time this morning to discuss the
sponsorship opportunity with Bugcrowd. What Bugcrowd is offering us is
their top-tier program for not only the OWASP website, servers, etc., but
also for any project that wants to use it as well. I believe that this
would be a HUGE value-add to our projects platform to have this type of a
resource behind them. We would still need to determine and pay the actual
bounties, but the management of the program itself from engaging
researchers to triaging submissions to determining the security impact
would all be handled by Bugcrowd. They said that this program runs $86k/yr.
I made it a point to ask them "Why Bugcrowd" instead of one of their
competitors and their response was good, IMHO. For one, they are already a
sponsor of numerous OWASP events, and for another, they already have
employees actively contributing to the OWASP community.
Kelly is working with Bugcrowd in order to come up with an all-encompassing
sponsorship package. This would likely include corporate membership at the
Silver level and conference sponsorship in exchange for some amount of
money to be negotiated. Assuming that we can come to terms on the
sponsorship package, they will throw in the Bugcrowd platform as a
"Donation" and it is up to us to decide whether we would like to use it or
engage another vendor.
Please let me know if you have any questions.
---------- Forwarded message ----------
From: Oscar Aguilera <oscar.aguilera at bugcrowd.com>
Date: Fri, Jan 22, 2016 at 1:39 PM
Subject: OWASP + Bugcrowd - Program Proposal Details - Next Steps
To: Josh Sokol <josh.sokol at owasp.org>, Claudia Casanovas <Claudia.Aviles-Casanovas at owasp.org>, Kelly Santalucia <kelly.santalucia at owasp.org>, johanna curiel curiel <johanna.curiel at owasp.org>
Cc: Jason Pitzen <jason at bugcrowd.com>, Chris Tilton <chris.tilton at bugcrowd.com>
Hi Josh, Claudia, Kelly,
It was great talking to you all this morning, thanks for taking the time
and jumping on the call. All of us here are really excited about the
opportunity to increase our sponsorship with OWASP and create this
Below I've outlined what we are proposing and some next steps to ensure
we're all armed with the proper info to take back to our respective teams.
Bugcrowd will provide OWASP access to our Crowd Control platform, manage
all vulnerabilities submitted and will include the following:
- *Crowd Control:* Enterprise Class platform to safely engage
researchers on each and every submission. OWASP will have visibility into
all submitted vulnerabilities, including out of scope, duplicates and
- *Triage:* Separation of all submitted vulnerabilities. This means
clarifying the vulnerability with the researcher. Determining if the
vulnerability is within scope of the bug bounty or if that vulnerability is
a duplicate or not.
- *Validate:* Reproduce all submissions once they have been determined
within scope and not a duplicate. This means going through the replication
steps and validating that the vulnerability is a real security threat.
(Attached is a one pager on the life cycle of a vulnerability)
- *Push Vulnerabilities:* The OWASP security team will receive validated
vulnerabilities with recommended levels of criticality, and our team will
monitor the vulnerabilities for high severities to alert the OWASP team.
- *Continued Paid Sponsorship:* Along with this service, Bugcrowd will
continue to contribute to support OWASP, including with paid sponsorships
to various events. (TBD with Chris and Kelly + any additional work they
Over the past couple of years we have had a lot of contribution into the
security and education space, not only with OWASP, but also with ISC^2. In
the past year we have seen Jason Haddix (director of our technical
operations team) co-author the Mobile Top 10 and serve as a project leader for
that effort. Bugcrowd has volunteered and sponsored various meetups and
events and will be doing so again for AppSec California, where our Senior
Security Engineer Leif Dreizler is helping organize and where we will be
sponsoring and volunteering.
I say all of this because when the question arises, "why Bugcrowd and not
someone else?", we know that our history and continued support of OWASP
shows our commitment and dedication to OWASP's efforts and that a
partnership between us would be the best fit.
Claudia, Johanna, let's hop on a call next week to look at the scope of the
Chris and Kelly, if you two can sync up and work out the logistics of the
partnership in the next week that would be awesome.
Josh, please let me know if there is any additional information we can get over
to you; I'm glad to help wherever possible.
Let's try to reconvene in the next couple of weeks and map out a path
Again, thanks everyone for your time this morning. Look forward to chatting
Enterprise Account Executive - Bugcrowd Inc
Check out some of our happy partners: www.bugcrowd.com/programs
[Attachment: Life cycle of a bug.pdf, 84190 bytes]