[Owasp-board] OWASP + Bugcrowd - Program Proposal Details - Next Steps
josh.sokol at owasp.org
Fri Jan 22 21:50:09 UTC 2016
It's not $86k in costs. It's $86k worth of a service, that Bugcrowd
provides customers, which would be donated to OWASP. That is what they
would normally charge a customer who was looking at using their platform.
On Fri, Jan 22, 2016 at 2:34 PM, Paul Ritchie <paul.ritchie at owasp.org> wrote:
> Josh, Kelly, Claudia....this program sounds like it could be a really
> interesting opportunity and something 'many' on our community are pretty
> engaged with already.
> As the next round of details comes up....keep me in the loop.
> With my Finance Hat on....I'm curious to understand more about the $86K
> costs and who pays it, and if it is all hard dollars or if that includes
> some soft dollar barter numbers.
> Best Regards, Paul Ritchie
> OWASP Executive Director
> paul.ritchie at owasp.org
> On Fri, Jan 22, 2016 at 12:11 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> OWASP Board and Paul,
>> Kelly, Claudia, and I took some time this morning to discuss the
>> sponsorship opportunity with Bugcrowd. What Bugcrowd is offering us is
>> their top-tier program for not only the OWASP website, servers, etc, but
>> also for any project that wants to use it as well. I believe that this
>> would be a HUGE value-add to our projects platform to have this type of a
>> resource behind them. We would still need to determine and pay the actual
>> bounties, but the management of the program itself from engaging
>> researchers to triaging submissions to determining the security impact
>> would all be handled by Bugcrowd. They said that this program runs $86k/yr.
>> I made it a point to ask them "Why Bugcrowd" instead of one of their
>> competitors and their response was good, IMHO. For one, they are already a
>> sponsor of numerous OWASP events, and for another, they already have
>> employees actively contributing to the OWASP community.
>> Kelly is working with Bugcrowd in order to come up with an
>> all-encompassing sponsorship package. This would likely include corporate
>> membership at the Silver level and conference sponsorship in exchange for
>> some amount of money to be negotiated. Assuming that we can come to terms
>> on the sponsorship package, they will throw in the Bugcrowd platform as a
>> "Donation" and it is up to us to decide whether we would like to use it or
>> engage another vendor.
>> Please let me know if you have any questions.
>> ---------- Forwarded message ----------
>> From: Oscar Aguilera <oscar.aguilera at bugcrowd.com>
>> Date: Fri, Jan 22, 2016 at 1:39 PM
>> Subject: OWASP + Bugcrowd - Program Proposal Details - Next Steps
>> To: Josh Sokol <josh.sokol at owasp.org>, Claudia Casanovas <Claudia.Aviles-Casanovas at owasp.org>, Kelly Santalucia <kelly.santalucia at owasp.org>, johanna curiel curiel <johanna.curiel at owasp.org>
>> Cc: Jason Pitzen <jason at bugcrowd.com>, Chris Tilton <chris.tilton at bugcrowd.com>
>> Hi Josh, Claudia, Kelly,
>> It was great talking to you all this morning, thanks for taking the time
>> and jumping on the call. All of us here are really excited about the
>> opportunity to increase our sponsorship with OWASP and create this
>> Below I've outlined what we are proposing and some next steps to ensure
>> we're all armed with the proper info to take back to our respective teams
>> and board.
>> Bugcrowd will provide OWASP access to our Crowd Control platform, manage
>> all vulnerabilities submitted and will include the following:
>> - *Crowd Control:* Enterprise Class platform to safely engage
>> researchers on each and every submission. OWASP will have visibility into
>> all submitted vulnerabilities, including out of scope, duplicates and
>> validated submissions.
>> - *Triage:* Separation of all submitted vulnerabilities. This means
>> clarifying the vulnerability with the researcher. Determining if the
>> vulnerability is within scope of the bug bounty or if that vulnerability is
>> a duplicate or not.
>> - *Validate: *Reproduce all submissions once they have been
>> determined within scope and not a duplicate. This means going through the
>> replication steps and validating that the vulnerability is a real security
>> threat. (Attached is a one pager on the life cycle of a vulnerability)
>> - *Push Vulnerabilities: *The OWASP security team will receive
>> validated vulnerabilities with recommended levels of criticality, and our team
>> will monitor the vulnerabilities for high severities to alert the OWASP
>> - *Continued Paid Sponsorship: *Along with this service, Bugcrowd
>> will continue to contribute to support OWASP, including with paid
>> sponsorships to various events. (TBD with Chris and Kelly + any additional
>> work they negotiate)
>> Over the past couple of years we have had a lot of contribution into the
>> security and education space, not only with OWASP, but also with ISC^2. In
>> the past year we have seen Jason Haddix (director of our technical
>> operations team) co-author the Mobile Top 10 and serve as a project leader for
>> that effort. Bugcrowd has volunteered and sponsored various meet ups and
>> events and will be doing so again for AppSec California, where our Senior
>> Security Engineer Leif Dreizler is helping organize and where we will
>> be sponsoring and volunteering.
>> I say all of this because when the question arises, "why Bugcrowd and not
>> someone else?" We know that our history and continued support of OWASP
>> shows our commitment and dedication to OWASP's efforts and that a
>> partnership between us would be the best fit.
>> Claudia, Johanna, let's hop on a call next week to look at the scope of
>> the bounty.
>> Chris and Kelly, if you two can sync up and work out the logistics of the
>> partnership in the next week that would be awesome.
>> Josh, please let me know if there is any additional information we can get
>> over to you, I'm glad to help where ever possible.
>> Let's try to reconvene in the next couple of weeks and map out a path
>> Again, thanks everyone for your time this morning. Look forward to
>> chatting again soon.
>> Best Regards,
>> Oscar Aguilera
>> Enterprise Account Executive - Bugcrowd Inc
>> Check out some of our happy partners: www.bugcrowd.com/programs
>> Desk: 415.795.7216
>> Cell: 415.304.6926
>> Linkedin <https://www.linkedin.com/pub/oscar-aguilera/78/b63/541>