[Owasp-board] OWASP + Bugcrowd - Program Proposal Details - Next Steps

Jim Manico jim.manico at owasp.org
Fri Jan 22 22:02:34 UTC 2016

At the very least, I think we need to say that we do not at all endorse 
BugCrowd as per the OWASP rules of play.

Josh, your "why BugCrowd" comments give me concern. Regardless of their 
sponsorship, donations or contributions, we still need to maintain a 
strong commitment to vendor neutrality. What this means is we need to 
give all vendors in this space a chance to play or at least treat them 
all in an equal way. To conflate their (great!) contributions with a 
preference to choose them as a vendor - donated service or not - is 
something deeply against the spirit of what vendor neutrality means.

I respect BugCrowd and what they do, but I also think OWASP is much 
stronger when vendor neutrality is something we care about deeply. The 
moment we start using BugCrowd's service, we tangentially endorse them. 
We need to be careful about this.

Please note, I do not have a conflict of interest here at all. I do not 
compete with BugCrowd in any way. In fact, I have friends who work there 
that I care deeply for.

This is a stance I have held for all OWASP-AppSec vendor relationships 
and I encourage all of us with fiduciary duty to do the same.


On 1/22/16 4:50 PM, Josh Sokol wrote:
> It's not $86k in costs.  It's $86k worth of a service, that Bugcrowd 
> provides customers, which would be donated to OWASP. That is what they 
> would normally charge a customer who was looking at using their platform.
> ~josh
> On Fri, Jan 22, 2016 at 2:34 PM, Paul Ritchie <paul.ritchie at owasp.org 
> <mailto:paul.ritchie at owasp.org>> wrote:
>     Josh, Kelly, Claudia....this program sounds like it could be a
>     really interesting opportunity and something 'many' in our
>     community are pretty engaged with already.
>     As the next round of details comes up....keep me in the loop.
>     With my Finance Hat on....I'm curious to understand more about the
>     $86K costs and who pays it, and if it is all hard dollars or if
>     that includes some soft dollar barter numbers.
>     Paul
>     Best Regards, Paul Ritchie
>     OWASP Executive Director
>     paul.ritchie at owasp.org <mailto:paul.ritchie at owasp.org>
>     On Fri, Jan 22, 2016 at 12:11 PM, Josh Sokol <josh.sokol at owasp.org
>     <mailto:josh.sokol at owasp.org>> wrote:
>         OWASP Board and Paul,
>         Kelly, Claudia, and I took some time this morning to discuss
>         the sponsorship opportunity with Bugcrowd.  What Bugcrowd is
>         offering us is their top-tier program for not only the OWASP
>         website, servers, etc, but also for any project that wants to
>         use it as well.  I believe that this would be a HUGE value-add
>         to our projects platform to have this type of a resource
>         behind them.  We would still need to determine and pay the
>         actual bounties, but the management of the program itself from
>         engaging researchers to triaging submissions to determining
>         the security impact would all be handled by Bugcrowd.  They
>         said that this program runs $86k/yr.
>         I made it a point to ask them "Why Bugcrowd" instead of one of
>         their competitors and their response was good, IMHO.  For one,
>         they are already a sponsor of numerous OWASP events, and for
>         another, they already have employees actively contributing to
>         the OWASP community.
>         Kelly is working with Bugcrowd in order to come up with an
>         all-encompassing sponsorship package.  This would likely
>         include corporate membership at the Silver level and
>         conference sponsorship in exchange for some amount of money to
>         be negotiated.  Assuming that we can come to terms on the
>         sponsorship package, they will throw in the Bugcrowd platform
>         as a "Donation" and it is up to us to decide whether we would
>         like to use it or engage another vendor.
>         Please let me know if you have any questions.
>         ~josh
>         ---------- Forwarded message ----------
>         From: *Oscar Aguilera* <oscar.aguilera at bugcrowd.com
>         <mailto:oscar.aguilera at bugcrowd.com>>
>         Date: Fri, Jan 22, 2016 at 1:39 PM
>         Subject: OWASP + Bugcrowd - Program Proposal Details - Next Steps
>         To: Josh Sokol <josh.sokol at owasp.org
>         <mailto:josh.sokol at owasp.org>>, Claudia Casanovas
>         <Claudia.Aviles-Casanovas at owasp.org
>         <mailto:Claudia.Aviles-Casanovas at owasp.org>>, Kelly Santalucia
>         <kelly.santalucia at owasp.org
>         <mailto:kelly.santalucia at owasp.org>>, johanna curiel curiel
>         <johanna.curiel at owasp.org <mailto:johanna.curiel at owasp.org>>
>         Cc: Jason Pitzen <jason at bugcrowd.com
>         <mailto:jason at bugcrowd.com>>, Chris Tilton
>         <chris.tilton at bugcrowd.com <mailto:chris.tilton at bugcrowd.com>>
>         Hi Josh, Claudia, Kelly,
>         It was great talking to you all this morning, thanks for
>         taking the time and jumping on the call. All of us here are
>         really excited about the opportunity to increase our
>         sponsorship with OWASP and create this partnership.
>         Below I've outlined what we are proposing and some next steps
>         to ensure we're all armed with the proper info to take back to
>         our respective teams and board.
>         Bugcrowd will provide OWASP access to our Crowd Control
>         platform, manage all vulnerabilities submitted and will
>         include the following:
>           * *Crowd Control:* Enterprise Class platform to safely
>             engage researchers on each and every submission. OWASP
>             will have visibility into all submitted vulnerabilities,
>             including out of scope, duplicates and validated submissions.
>           * *Triage:* Separation of all submitted vulnerabilities.
>             This means clarifying the vulnerability with the
>             researcher. Determining if the vulnerability is within
>             scope of the bug bounty or if that vulnerability is a
>             duplicate or not.
>           * *Validate:* Reproduce all submissions once they have been
>             determined within scope and not a duplicate. This means
>             going through the replication steps and validating that
>             the vulnerability is a real security threat. (Attached is
>             a one pager on the life cycle of a vulnerability)
>           * *Push Vulnerabilities:* The OWASP security team will
>             receive validated vulnerabilities with recommended levels of
>             criticality and our team will monitor the vulnerabilities
>             for high severities to alert the OWASP team.
>           * *Continued Paid Sponsorship:* Along with this service,
>             Bugcrowd will continue to contribute to support OWASP,
>             including with paid sponsorships to various events. (TBD
>             with Chris and Kelly + any additional work they negotiate)
>         Over the past couple of years we have had a lot of contribution
>         into the security and education space, not only with OWASP,
>         but also with ISC^2. In the past year we have seen Jason
>         Haddix (director of our technical operations team) co-author
>         the Mobile Top 10 and serve as a project leader for that effort.
>         Bugcrowd has volunteered and sponsored various meet ups and
>         events and will be doing so again for AppSec California, where
>         our Senior Security Engineer Leif Dreizler is
>         helping organize and where we will be sponsoring and
>         volunteering.
>         I say all of this because when the question arises, "why
>         Bugcrowd and not someone else?", we know that our history and
>         continued support of OWASP shows our commitment and dedication
>         to OWASP's efforts and that a partnership between us would be
>         the best fit.
>         Claudia, Johanna, let's hop on a call next week to look at the
>         scope of the bounty.
>         Chris and Kelly, if you two can sync up and work out the
>         logistics of the partnership in the next week that would be
>         awesome.
>         Josh, please let me know if there is any additional
>         information we can get over to you, I'm glad to help wherever
>         possible.
>         Let's try to reconvene in the next couple of weeks and map out
>         a path forward.
>         Again, thanks everyone for your time this morning. Look
>         forward to chatting again soon.
>         -- 
>         Best Regards,
>         Oscar Aguilera
>         Enterprise Account Executive - Bugcrowd Inc
>         Web: https://bugcrowd.com
>         Check out some of our happy partners: www.bugcrowd.com/programs
>         Desk: 415.795.7216
>         Cell: 415.304.6926
>         Linkedin <https://www.linkedin.com/pub/oscar-aguilera/78/b63/541>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
