[Owasp-board] OWASP + Bugcrowd - Program Proposal Details - Next Steps
Jim Manico
jim.manico at owasp.org
Fri Jan 22 22:34:48 UTC 2016
Vendor neutrality is just treating all vendors equally and not giving
one preference.
When we accept a barter deal from an AppSec vendor, we tangentially
endorse them.
So what I'm asking is that we either provide a strong disclaimer that we
do not endorse BugCrowd, or give other vendors in this space a chance to
propose a similar offer.
- Jim
On 1/22/16 5:32 PM, johanna curiel curiel wrote:
> Josh, your "why BugCrowd" comments give me concern. Regardless of
> their sponsorship, donations or contributions, we still need to
> maintain a strong commitment to vendor neutrality.
>
> Hi Jim
>
> I believe many times these kinds of discussions have popped up with
> regard to vendor neutrality, like mushrooms ;-)
>
> Do we have specific rules for these kinds of cases?
> If we do, could you please point us to them. If we don't, I think it
> would be a good idea to set this on the Board agenda and discuss it,
> in order to have clear guidelines and avoid these discussions again.
>
> We keep on discussing what is 'vendor neutral' and what is not.
> In the case of a barter deal, it seems to me like a grey area that has
> not been clearly defined.
>
> * First, we are not buying a service; a barter deal has been
> offered by a service provider that used to pay for sponsorship marketing
> * Second, no other similar service provider has offered a barter deal
> * Conclusion: Do we have to create an RFC to ask for barter deals in
> exchange for service ==> marketing?
>
> Honestly, this 'RFC' sounds weird.
>
> I get the point regarding vendor neutrality when buying a service, but
> I struggle with the fact that this is a barter deal and that we are
> not buying a service directly. On the contrary, if we had to buy this
> service, we would have to pay USD86K in exchange for sponsorship? This does
> not seem like a bad deal at all, to be honest.
>
>
> If we go into an unclear 'RFC barter deal' offering without even
> knowing if others will make a similar offering, it can be a waste of time.
>
> In the end any 'vendor' can be a sponsor, right? So what exactly does
> this have to do with vendor neutrality if all vendors can do a
> sponsorship?
>
> The difference here is that instead of sponsoring us with money, they
> do it with a service worth USD86K that can help us automate a lot
> of the QA process we need for projects.
>
> I hope we can think of concrete solutions instead of continuing to discuss
> vendor neutrality.
>
> Cheers
>
> Johanna
>
> On Fri, Jan 22, 2016 at 6:02 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
> At the very least, I think we need to say that we do not at all
> endorse BugCrowd as per the OWASP rules of play.
>
> Josh, your "why BugCrowd" comments give me concern. Regardless of
> their sponsorship, donations or contributions, we still need to
> maintain a strong commitment to vendor neutrality. What this means
> is we need to give all vendors in this space a chance to play or
> at least treat them all in an equal way. To conflate their (great!)
> contributions with a preference to choose them as a vendor -
> donated service or not - is something deeply against the spirit of
> what vendor neutrality means.
>
> I respect BugCrowd and what they do, but I also think OWASP is
> much stronger when vendor neutrality is something we care about
> deeply. The moment we start using BugCrowd's service, we
> tangentially endorse them. We need to be careful about this.
>
> Please note, I do not have a conflict of interest here at all. I
> do not compete with BugCrowd in any way. In fact, I have friends
> who work there that I care deeply for.
>
> This is a stance I have held for all OWASP-AppSec vendor
> relationships and I encourage all of us with fiduciary duty to do
> the same.
>
> Aloha,
> Jim
>
>
>
> On 1/22/16 4:50 PM, Josh Sokol wrote:
>> It's not $86k in costs. It's $86k worth of a service, that
>> Bugcrowd provides customers, which would be donated to OWASP.
>> That is what they would normally charge a customer who was
>> looking at using their platform.
>>
>> ~josh
>>
>> On Fri, Jan 22, 2016 at 2:34 PM, Paul Ritchie <paul.ritchie at owasp.org> wrote:
>>
>> Josh, Kelly, Claudia... this program sounds like it could be
>> a really interesting opportunity and something 'many' in our
>> community are pretty engaged with already.
>>
>> As the next round of details comes up... keep me in the loop.
>> With my Finance hat on... I'm curious to understand more
>> about the $86K costs and who pays it, and if it is all hard
>> dollars or if that includes some soft dollar barter numbers.
>>
>> Paul
>>
>>
>>
>> Best Regards, Paul Ritchie
>> OWASP Executive Director
>> paul.ritchie at owasp.org
>>
>>
>> On Fri, Jan 22, 2016 at 12:11 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>> OWASP Board and Paul,
>>
>> Kelly, Claudia, and I took some time this morning to
>> discuss the sponsorship opportunity with Bugcrowd. What
>> Bugcrowd is offering us is their top-tier program for not
>> only the OWASP website, servers, etc, but also for any
>> project that wants to use it as well. I believe that
>> this would be a HUGE value-add to our projects platform
>> to have this type of a resource behind them. We would
>> still need to determine and pay the actual bounties, but
>> the management of the program itself from engaging
>> researchers to triaging submissions to determining the
>> security impact would all be handled by Bugcrowd. They
>> said that this program runs $86k/yr.
>>
>> I made it a point to ask them "Why Bugcrowd" instead of
>> one of their competitors and their response was good,
>> IMHO. For one, they are already a sponsor of numerous
>> OWASP events, and for another, they already have
>> employees actively contributing to the OWASP community.
>>
>> Kelly is working with Bugcrowd in order to come up with
>> an all-encompassing sponsorship package. This would
>> likely include corporate membership at the Silver level
>> and conference sponsorship in exchange for some amount of
>> money to be negotiated. Assuming that we can come to
>> terms on the sponsorship package, they will throw in the
>> Bugcrowd platform as a "Donation" and it is up to us to
>> decide whether we would like to use it or engage another
>> vendor.
>>
>> Please let me know if you have any questions.
>>
>> ~josh
>>
>> ---------- Forwarded message ----------
>> From: Oscar Aguilera <oscar.aguilera at bugcrowd.com>
>> Date: Fri, Jan 22, 2016 at 1:39 PM
>> Subject: OWASP + Bugcrowd - Program Proposal Details - Next Steps
>> To: Josh Sokol <josh.sokol at owasp.org>, Claudia Casanovas
>> <Claudia.Aviles-Casanovas at owasp.org>, Kelly Santalucia
>> <kelly.santalucia at owasp.org>, johanna curiel curiel
>> <johanna.curiel at owasp.org>
>> Cc: Jason Pitzen <jason at bugcrowd.com>, Chris Tilton
>> <chris.tilton at bugcrowd.com>
>>
>>
>> Hi Josh, Claudia, Kelly,
>>
>> It was great talking to you all this morning, thanks for
>> taking the time and jumping on the call. All of us here
>> are really excited about the opportunity to increase our
>> sponsorship with OWASP and create this partnership.
>>
>> Below I've outlined what we are proposing and some next
>> steps to ensure we're all armed with the proper info to
>> take back to our respective teams and board.
>>
>> Bugcrowd will provide OWASP access to our Crowd Control
>> platform, manage all vulnerabilities submitted and will
>> include the following:
>>
>> * *Crowd Control:* Enterprise-class platform to safely
>> engage researchers on each and every submission.
>> OWASP will have visibility into all submitted
>> vulnerabilities, including out-of-scope, duplicate
>> and validated submissions.
>> * *Triage:* Separation of all submitted
>> vulnerabilities. This means clarifying the
>> vulnerability with the researcher and determining if the
>> vulnerability is within the scope of the bug bounty and whether
>> that vulnerability is a duplicate or not.
>> * *Validate:* Reproduce all submissions once they have
>> been determined to be within scope and not a duplicate.
>> This means going through the replication steps and
>> validating that the vulnerability is a real security
>> threat. (Attached is a one-pager on the life cycle of
>> a vulnerability)
>> * *Push Vulnerabilities:* The OWASP security team will
>> receive validated vulnerabilities with recommended
>> levels of criticality, and our team will monitor the
>> vulnerabilities for high severities to alert the
>> OWASP team.
>> * *Continued Paid Sponsorship:* Along with this
>> service, Bugcrowd will continue to contribute to
>> support OWASP, including with paid sponsorships to
>> various events. (TBD with Chris and Kelly + any
>> additional work they negotiate)
>>
>> Over the past couple of years we have had a lot of
>> contribution to the security and education space, not
>> only with OWASP, but also with ISC^2. In the past year we
>> have seen Jason Haddix (director of our technical
>> operations team) co-author the Mobile Top 10 and serve as a
>> project leader for that effort. Bugcrowd has volunteered
>> and sponsored various meetups and events and will be
>> doing so again for AppSec California, where our Senior
>> Security Engineer Leif Dreizler is helping organize and
>> where we will be sponsoring and volunteering.
>>
>> I say all of this because when the question arises, "why
>> Bugcrowd and not someone else?", we know that our history
>> and continued support of OWASP shows our commitment and
>> dedication to OWASP's efforts and that a partnership
>> between us would be the best fit.
>>
>> Claudia, Johanna, let's hop on a call next week to look
>> at the scope of the bounty.
>>
>> Chris and Kelly, if you two can sync up and work out the
>> logistics of the partnership in the next week that would
>> be awesome.
>>
>> Josh, please let me know if there is any additional
>> information we can get over to you; I'm glad to help
>> wherever possible.
>>
>> Let's try to reconvene in the next couple of weeks and
>> map out a path forward.
>> Again, thanks everyone for your time this morning. Look
>> forward to chatting again soon.
>>
>> --
>> Best Regards,
>>
>> Oscar Aguilera
>> Enterprise Account Executive - Bugcrowd Inc
>> Web: https://bugcrowd.com
>>
>> Check out some of our happy partners: www.bugcrowd.com/programs
>>
>> Desk: 415.795.7216
>> Cell: 415.304.6926
>> LinkedIn: https://www.linkedin.com/pub/oscar-aguilera/78/b63/541
>>
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board