[Owasp-board] OWASP + Bugcrowd - Program Proposal Details - Next Steps

Paul Ritchie paul.ritchie at owasp.org
Fri Jan 22 20:34:07 UTC 2016

Josh, Kelly, Claudia....this program sounds like it could be a really
interesting opportunity and something 'many' on our community are pretty
engaged with already.

As the next round of details comes up....keep me in the loop.
With my Finance Hat on....I'm curious to understand more about the $86K
costs and who pays it, and if it is all hard dollars or if that includes
some soft dollar barter numbers.


Best Regards, Paul Ritchie
OWASP Executive Director
paul.ritchie at owasp.org

On Fri, Jan 22, 2016 at 12:11 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> OWASP Board and Paul,
> Kelly, Claudia, and I took some time this morning to discuss the
> sponsorship opportunity with Bugcrowd.  What Bugcrowd is offering us is
> their top-tier program for not only the OWASP website, servers, etc, but
> also for any project that wants to use it as well.  I believe that this
> would be a HUGE value-add to our projects platform to have this type of a
> resource behind them.  We would still need to determine and pay the actual
> bounties, but the management of the program itself from engaging
> researchers to triaging submissions to determining the security impact
> would all be handled by Bugcrowd.  They said that this program runs $86k/yr.
> I made it a point to ask them "Why Bugcrowd" instead of one of their
> competitors and their response was good, IMHO.  For one, they are already a
> sponsor of numerous OWASP events, and for another, they already have
> employees actively contributing to the OWASP community.
> Kelly is working with Bugcrowd in order to come up with an
> all-encompassing sponsorship package.  This would likely include corporate
> membership at the Silver level and conference sponsorship in exchange for
> some amount of money to be negotiated.  Assuming that we can come to terms
> on the sponsorship package, they will throw in the Bugcrowd platform as a
> "Donation" and it is up to us to decide whether we would like to use it or
> engage another vendor.
> Please let me know if you have any questions.
> ~josh
> ---------- Forwarded message ----------
> From: Oscar Aguilera <oscar.aguilera at bugcrowd.com>
> Date: Fri, Jan 22, 2016 at 1:39 PM
> Subject: OWASP + Bugcrowd - Program Proposal Details - Next Steps
> To: Josh Sokol <josh.sokol at owasp.org>, Claudia Casanovas <
> Claudia.Aviles-Casanovas at owasp.org>, Kelly Santalucia <
> kelly.santalucia at owasp.org>, johanna curiel curiel <
> johanna.curiel at owasp.org>
> Cc: Jason Pitzen <jason at bugcrowd.com>, Chris Tilton <
> chris.tilton at bugcrowd.com>
> Hi Josh, Claudia, Kelly,
> It was great talking to you all this morning, thanks for taking the time
> and jumping on the call. All of us here are really excited about the
> opportunity to increase our sponsorship with OWASP and create this
> partnership.
> Below I've outlined what we are proposing and some next steps to ensure
> we're all armed with the proper info to take back to our perspective teams
> and board.
> Bugcrowd will provide OWASP access to our Crowd Control platform, manage
> all vulnerabilities submitted and will include the following:
>    - *Crowd Control:* Enterprise class platform to safely engage
>    researchers on each and every submission. OWASP will have visibility into
>    all submitted vulnerabilities, including out of scope, duplicates and
>    validated submissions.
>    - *Triage:* Separation of all submitted vulnerabilities. This means
>    clarifying the vulnerability with the researcher. Determining if the
>    vulnerability is within scope of the bug bounty or if that vulnerability is
>    a duplicate or not.
>    - *Validate: *Reproduce all submissions once they have been determined
>    within scope and not a duplicate. This means going through the replication
>    steps and validating that the vulnerability is a real security threat.
>    (Attached is a one pager on the life cycle of a vulnerability)
>    - *Push Vulnerabilities:* The OWASP security team will receive
>    validated vulnerabilities with recommended levels of criticality and our team
>    will monitor the vulnerabilities for high severities to alert the OWASP
>    team.
>    - *Continued Paid Sponsorship:* Along with this service, Bugcrowd will
>    continue to contribute to support OWASP, including with paid sponsorships
>    to various events. (TBD with Chris and Kelly + any additional work they
>    negotiate)
> Over the past couple of years we have had a lot of contribution into the
> security and education space, not only with OWASP, but also with ISC^2. In
> the past year we have seen Jason Haddix (director of our technical
> operations team) co-author the Mobile Top 10 and serve as a project leader for
> that effort. Bugcrowd has volunteered and sponsored various meet ups and
> events and will be doing so again for AppSec California, where our Senior
> Security Engineer Leif Dreizler is helping organize and where we will be
> sponsoring and volunteering.
> I say all of this because when the question arises, "why Bugcrowd and not
> someone else?" we know that our history and continued support of OWASP
> shows our commitment and dedication to OWASP's efforts and that a
> partnership between us would be the best fit.
> Claudia, Johanna, let's hop on a call next week to look at the scope of
> the bounty.
> Chris and Kelly, if you two can sync up and work out the logistics of the
> partnership in the next week that would be awesome.
> Josh, please let me know if there is any additional information we can get
> over to you, I'm glad to help wherever possible.
> Let's try to reconvene in the next couple of weeks and map out a path
> forward.
> Again, thanks everyone for your time this morning. Look forward to
> chatting again soon.
> --
> Best Regards,
> Oscar Aguilera
> Enterprise Account Executive - Bugcrowd Inc
> Web: https://bugcrowd.com
> *Check out some of our happy partners: www.bugcrowd.com/programs*
> Desk: 415.795.7216
> Cell:   415.304.6926
> Linkedin <https://www.linkedin.com/pub/oscar-aguilera/78/b63/541>