[Owasp-board] OWASP + Bugcrowd - Program Proposal Details - Next Steps

Josh Sokol josh.sokol at owasp.org
Fri Jan 22 21:50:09 UTC 2016

It's not $86k in costs.  It's $86k worth of a service, that Bugcrowd
provides customers, which would be donated to OWASP.  That is what they
would normally charge a customer who was looking at using their platform.


On Fri, Jan 22, 2016 at 2:34 PM, Paul Ritchie <paul.ritchie at owasp.org>

> Josh, Kelly, Claudia....this program sounds like it could be a really
> interesting opportunity and something 'many' in our community are pretty
> engaged with already.
> As the next round of details comes up....keep me in the loop.
> With my Finance Hat on....I'm curious to understand more about the $86K
> costs and who pays it, and if it is all hard dollars or if that includes
> some soft dollar barter numbers.
> Paul
> Best Regards, Paul Ritchie
> OWASP Executive Director
> paul.ritchie at owasp.org
> On Fri, Jan 22, 2016 at 12:11 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> OWASP Board and Paul,
>> Kelly, Claudia, and I took some time this morning to discuss the
>> sponsorship opportunity with Bugcrowd.  What Bugcrowd is offering us is
>> their top-tier program for not only the OWASP website, servers, etc., but
>> also for any project that wants to use it as well.  I believe that this
>> would be a HUGE value-add to our projects platform to have this type of a
>> resource behind them.  We would still need to determine and pay the actual
>> bounties, but the management of the program itself from engaging
>> researchers to triaging submissions to determining the security impact
>> would all be handled by Bugcrowd.  They said that this program runs $86k/yr.
>> I made it a point to ask them "Why Bugcrowd" instead of one of their
>> competitors and their response was good, IMHO.  For one, they are already a
>> sponsor of numerous OWASP events, and for another, they already have
>> employees actively contributing to the OWASP community.
>> Kelly is working with Bugcrowd in order to come up with an
>> all-encompassing sponsorship package.  This would likely include corporate
>> membership at the Silver level and conference sponsorship in exchange for
>> some amount of money to be negotiated.  Assuming that we can come to terms
>> on the sponsorship package, they will throw in the Bugcrowd platform as a
>> "Donation" and it is up to us to decide whether we would like to use it or
>> engage another vendor.
>> Please let me know if you have any questions.
>> ~josh
>> ---------- Forwarded message ----------
>> From: Oscar Aguilera <oscar.aguilera at bugcrowd.com>
>> Date: Fri, Jan 22, 2016 at 1:39 PM
>> Subject: OWASP + Bugcrowd - Program Proposal Details - Next Steps
>> To: Josh Sokol <josh.sokol at owasp.org>, Claudia Casanovas <Claudia.Aviles-Casanovas at owasp.org>, Kelly Santalucia <kelly.santalucia at owasp.org>, johanna curiel curiel <johanna.curiel at owasp.org>
>> Cc: Jason Pitzen <jason at bugcrowd.com>, Chris Tilton <chris.tilton at bugcrowd.com>
>> Hi Josh, Claudia, Kelly,
>> It was great talking to you all this morning, thanks for taking the time
>> and jumping on the call. All of us here are really excited about the
>> opportunity to increase our sponsorship with OWASP and create this
>> partnership.
>> Below I've outlined what we are proposing and some next steps to ensure
>> we're all armed with the proper info to take back to our respective teams
>> and board.
>> Bugcrowd will provide OWASP access to our Crowd Control platform, manage
>> all vulnerabilities submitted and will include the following:
>>    - *Crowd Control:* Enterprise-class platform to safely engage
>>    researchers on each and every submission. OWASP will have visibility into
>>    all submitted vulnerabilities, including out of scope, duplicates and
>>    validated submissions.
>>    - *Triage:* Separation of all submitted vulnerabilities. This means
>>    clarifying the vulnerability with the researcher and determining whether
>>    the vulnerability is within the scope of the bug bounty and whether it is
>>    a duplicate.
>>    - *Validate:* Reproduce all submissions once they have been
>>    determined within scope and not a duplicate. This means going through the
>>    replication steps and validating that the vulnerability is a real security
>>    threat. (Attached is a one-pager on the life cycle of a vulnerability.)
>>    - *Push Vulnerabilities:* The OWASP security team will receive
>>    validated vulnerabilities with recommended levels of criticality, and our
>>    team will monitor the vulnerabilities for high severities to alert the
>>    OWASP team.
>>    - *Continued Paid Sponsorship:* Along with this service, Bugcrowd
>>    will continue to contribute to support OWASP, including with paid
>>    sponsorships to various events. (TBD with Chris and Kelly + any additional
>>    work they negotiate)
>> Over the past couple of years we have had a lot of contribution into the
>> security and education space, not only with OWASP, but also with ISC^2. In
>> the past year we have seen Jason Haddix (director of our technical
>> operations team) co-author the Mobile Top 10 and serve as a project leader for
>> that effort. Bugcrowd has volunteered and sponsored various meetups and
>> events and will be doing so again for AppSec California, where our Senior
>> Security Engineer Leif Dreizler is helping organize and where we will
>> be sponsoring and volunteering.
>> I say all of this because when the question arises, "why Bugcrowd and not
>> someone else?", we know that our history and continued support of OWASP
>> shows our commitment and dedication to OWASP's efforts and that a
>> partnership between us would be the best fit.
>> Claudia, Johanna, let's hop on a call next week to look at the scope of
>> the bounty.
>> Chris and Kelly, if you two can sync up and work out the logistics of the
>> partnership in the next week that would be awesome.
>> Josh, please let me know if there is any additional information we can get
>> over to you; I'm glad to help wherever possible.
>> Let's try to reconvene in the next couple of weeks and map out a path
>> forward.
>> Again, thanks everyone for your time this morning. Look forward to
>> chatting again soon.
>> --
>> Best Regards,
>> Oscar Aguilera
>> Enterprise Account Executive - Bugcrowd Inc
>> Web: https://bugcrowd.com
>> *Check out some of our happy partners: www.bugcrowd.com/programs*
>> Desk: 415.795.7216
>> Cell:   415.304.6926
>> Linkedin <https://www.linkedin.com/pub/oscar-aguilera/78/b63/541>