[Owasp-board] OWASP + Bugcrowd - Program Proposal Details - Next Steps

Jim Manico jim.manico at owasp.org
Fri Jan 22 22:34:48 UTC 2016

Vendor neutrality is just treating all vendors equally and not giving 
one preference.

When we accept a barter deal from a AppSec vendor, we tangentially 
endorse them.

So what I'm asking is that we either provide a strong disclaimer that we 
do not endorse BugCrowd, or give other vendors in this space a chance to 
propose a similar offer.

- Jim

On 1/22/16 5:32 PM, johanna curiel curiel wrote:
> Josh, your "why BugCrowd" comments gives me concern. Regardless of 
> their sponsorship, donations or contributions, we still need to 
> maintain a strong commitment to vendor neutrality.
> Hi Jim
> I believe many times these kind of discussions have popped up with 
> regards vendor neutrality like mushrooms ;-)
> Do we have specific rules for these kind of cases?
> If we do, please could you point us to them. If  we don't , I think 
> would be a good idea to set this on the Board agenda and discuss this, 
> in order to have clear guidelines and avoid these discussions again?
> We keep on discussing what is '/vendor/' /neutral/ and what not.
> In the case of a barter deal, seems to me like a grey area that has 
> not been clearly defined.
>   * First, we are not buying a service but a barter deal has been
>     offered by a service provider that used to pay sponsorship marketing
>   * Second , no other similar service provider has offered a barter deal
>   * Conclusion: Do we have to create an RFC to ask for barter deals in
>     exchange of service==> marketing?
> Honestly, this 'RFC' sounds weird.
> I get the point regarding verdor neutrality when buying a service, but 
> I struggle with the fact that this is a barter deal and that we are 
> not buying a service directly.On the contrary, if we had to buy this 
> service, we had to pay USD86K  in exchange of sponsorship? This does 
> not seem like a bad deal at all to be honest.
> if we go into an unclear /RFC barter deal/ offering without even 
> knowing if others will do similar offering can be a waist of time.
> In the end any 'vendor' can be a sponsor right? So what exactly does 
> this has to do with vendor neutrality if all vendors can do a 
> sponsorship?
> The difference here is that instead of sponsoring us with money , they 
> do it with a service worth USD86K and that can help us automate a lot 
> of the QA process we need for projects.
> I hope we can think of concrete solutions instead of keep discussing 
> around vendor neutrality.
> Cheers
> Johanna
> On Fri, Jan 22, 2016 at 6:02 PM, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>     At the very least, I think we need to say that we do not at all
>     endorse BugCrowd as per the OWASP rules of play.
>     Josh, your "why BugCrowd" comments gives me concern. Regardless of
>     their sponsorship, donations or contributions, we still need to
>     maintain a strong commitment to vendor neutrality. What this means
>     is we need to give all vendors in this space a chance to play or
>     at least treat them all in a equal way. To conflate their (great!)
>     contributions with a preference to chose them as a vendor -
>     donated service or not - is something deeply against the spirit of
>     what vendor neutrality means.
>     I respect BugCrowd and what they do, but I also think OWASP is
>     much stronger when vendor neutrality is something we care about
>     deeply. The moment we start using BugCrowds service, we
>     tangentially endorse them. We need to be careful about this.
>     Please note, I do not have a conflict of interest here at all. I
>     do not compete with BugCrowd in any way. In fact, I have friends
>     who work there that I care deeply for.
>     This is a stance I have held for all OWASP-AppSec vendor
>     relationships and I encourage all of us with fiduciary duty to do
>     the same.
>     Aloha,
>     Jim
>     On 1/22/16 4:50 PM, Josh Sokol wrote:
>>     It's not $86k in costs.  It's $86k worth of a service, that
>>     Bugcrowd provides customers, which would be donated to OWASP. 
>>     That is what they would normally charge a customer who was
>>     looking at using their platform.
>>     ~josh
>>     On Fri, Jan 22, 2016 at 2:34 PM, Paul Ritchie
>>     <paul.ritchie at owasp.org <mailto:paul.ritchie at owasp.org>> wrote:
>>         Josh, Kelly, Claudia....this program sounds like it could be
>>         a really interesting opportunity and something 'many' on our
>>         community are pretty engaged with already.
>>         As the next round of details comes up....keep me in the loop.
>>         With my Finance Hat on....I'm curious to understand more
>>         about the $86K costs and who pays it, and if it is all hard
>>         dollars or if that includes some soft dollar barter numbers.
>>         Paul
>>         Best Regards, Paul Ritchie
>>         OWASP Executive Director
>>         paul.ritchie at owasp.org <mailto:paul.ritchie at owasp.org>
>>         On Fri, Jan 22, 2016 at 12:11 PM, Josh Sokol
>>         <josh.sokol at owasp.org <mailto:josh.sokol at owasp.org>> wrote:
>>             OWASP Board and Paul,
>>             Kelly, Claudia, and I took some time this morning to
>>             discuss the sponsorship opportunity with Bugcrowd.  What
>>             Bugcrowd is offering us is their top-tier program for not
>>             only the OWASP website, servers, etc, but also for any
>>             project that wants to use it as well.  I believe that
>>             this would be a HUGE value-add to our projects platform
>>             to have this type of a resource behind them.  We would
>>             still need to determine and pay the actual bounties, but
>>             the management of the program itself from engaging
>>             researchers to triaging submissions to determining the
>>             security impact would all be handled by Bugcrowd.  They
>>             said that this program runs $86k/yr.
>>             I made it a point to ask them "Why Bugcrowd" instead of
>>             one of their competitors and their response was good,
>>             IMHO.  For one, they are already a sponsor of numerous
>>             OWASP events, and for another, they already have
>>             employees actively contributing to the OWASP community.
>>             Kelly is working with Bugcrowd in order to come up with
>>             an all-encompassing sponsorship package.  This would
>>             likely include corporate membership at the Silver level
>>             and conference sponsorship in exchange for some amount of
>>             money to be negotiated. Assuming that we can come to
>>             terms on the sponsorship package, they will throw in the
>>             Bugcrowd platform as a "Donation" and it is up to us to
>>             decide whether we would like to use it or engage another
>>             vendor.
>>             Please let me know if you have any questions.
>>             ~josh
>>             ---------- Forwarded message ----------
>>             From: *Oscar Aguilera* <oscar.aguilera at bugcrowd.com
>>             <mailto:oscar.aguilera at bugcrowd.com>>
>>             Date: Fri, Jan 22, 2016 at 1:39 PM
>>             Subject: OWASP + Bugcrowd - Program Proposal Details -
>>             Next Steps
>>             To: Josh Sokol <josh.sokol at owasp.org
>>             <mailto:josh.sokol at owasp.org>>, Claudia Casanovas
>>             <Claudia.Aviles-Casanovas at owasp.org
>>             <mailto:Claudia.Aviles-Casanovas at owasp.org>>, Kelly
>>             Santalucia <kelly.santalucia at owasp.org
>>             <mailto:kelly.santalucia at owasp.org>>, johanna curiel
>>             curiel <johanna.curiel at owasp.org
>>             <mailto:johanna.curiel at owasp.org>>
>>             Cc: Jason Pitzen <jason at bugcrowd.com
>>             <mailto:jason at bugcrowd.com>>, Chris Tilton
>>             <chris.tilton at bugcrowd.com
>>             <mailto:chris.tilton at bugcrowd.com>>
>>             Hi Josh, Claudia, Kelly,
>>             It was great talking to you all this morning, thanks for
>>             taking the time and jumping on the call. All of us here
>>             are really excited about the opportunity to increase our
>>             sponsorship with OWASP and create this partnership.
>>             Below I've outlined what we are proposing and some next
>>             steps to ensure we're all armed with the proper info to
>>             take back to our perspective teams and board.
>>             Bugcrowd will provide OWASP access to our Crowd Control
>>             platform, manage all vulnerabilities submitted and will
>>             include the following:
>>               * *Crowd Control: E*nterprise Class platform to safely
>>                 engage researchers on each and every submission.
>>                 OWASP will have visibility into all submitted
>>                 vulnerabilities, including out of scope, duplicates
>>                 and validated submissions.
>>               * *Triage:* Separation of all submitted
>>                 vulnerabilities. This means clarifying the
>>                 vulnerability with the researcher. Determining if the
>>                 vulnerability is within scope of the bug bounty or if
>>                 that vulnerability is a duplicate or not.
>>               * *Validate: *Reproduce all submissions once they have
>>                 been determined within scope and not a duplicate.
>>                 This means going through the replication steps and
>>                 validating that the vulnerability is a real security
>>                 threat. (Attached is a one pager on the life cycle of
>>                 a vulnerability)
>>               * *Push Vulnerabilities: *The OWASP security team will
>>                 receive validated vulnerabilities with recommend
>>                 levels of critically and our team will monitor the
>>                 vulnerabilities for high severities to alert the
>>                 OWASP team.
>>               * *Continued Paid Sponsorship: *Along with this
>>                 service, Bugcrowd will continue to contribute to
>>                 support OWASP, including with paid sponsorships to
>>                 various events. (TBD with Chris and Kelly + any
>>                 additional work they negotiate)
>>             Over the past couple of years we have had a lot
>>             contribution into the security and education space, not
>>             only with OWASP, but also with ISC^2. In the past year we
>>             have seen Jason Haddix (director of our technical
>>             operations team) Co-Authored the Mobile top 10 and was a
>>             project leader for that effort. Bugcrowd has volunteered
>>             and sponsored various meet ups and events and will be
>>             doing so again for AppSec California, where our Senior
>>             Security Engineer Leif Dreizler his helping organize and
>>             where we will be sponsoring and volunteering,
>>             I say all of this because when the question arises, "why
>>             Bugcrowd and not someone else?" We know that our history
>>             and continued support of OWASP shows our commitment and
>>             dedication to OWASP's efforts and that at partnership
>>             between us would be the best fit.
>>             Claudia, Johanna, let's hop on a call next week to look
>>             at the scope of the bounty.
>>             Chris and Kelly, if you two can sync up and work out the
>>             logistics of the partnership in the next week that would
>>             be awesome.
>>             Josh, please let me know if there is any additional
>>             information we get over to you, I'm glad to help where
>>             ever possible.
>>             Let's try to reconvene in the next couple of weeks and
>>             map out a path forward.
>>             Again, thanks everyone for your time this morning. Look
>>             forward to chatting again soon.
>>             -- 
>>             Best Regards,
>>             Oscar Aguilera
>>             Enterprise Account Executive - Bugcrowd Inc
>>             Web: https://bugcrowd.com
>>             */Check out some of our happy partners:
>>             www.bugcrowd.com/programs
>>             <http://www.bugcrowd.com/programs> /*
>>             *
>>             *
>>             Desk: 415.795.7216 <tel:415.795.7216>
>>             Cell: 415.304.6926 <tel:415.304.6926>
>>             Linkedin
>>             <https://www.linkedin.com/pub/oscar-aguilera/78/b63/541>
>>     _______________________________________________
>>     Owasp-board mailing list
>>     Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
>>     https://lists.owasp.org/mailman/listinfo/owasp-board

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20160122/efa96e4b/attachment-0001.html>

More information about the Owasp-board mailing list