[Owasp-board] OWASP + Bugcrowd - Program Proposal Details - Next Steps

Josh Sokol josh.sokol at owasp.org
Fri Jan 22 22:49:14 UTC 2016

I'm fine with a generic disclaimer that OWASP's use of any products or
services does not constitute an endorsement.  Actually, a similar type of
generic disclaimer already exists on owasp.org:

> OWASP *does not endorse or recommend commercial products or services*,
> allowing our community to remain vendor neutral with the collective wisdom
> of the best minds in software security worldwide.

How about we just add that statement to the bottom of every page everywhere
that OWASP owns so that there is never any confusion?  We can add it to all
e-mail signatures as well just to cross every "T" and dot all the "I"s.
Ultimately, I agree with Johanna in that we need to define clear rules of
engagement and create whatever disclaimers are necessary so that we don't
keep spinning our wheels.  I am all for vendor neutrality, but that doesn't
mean that we can't or don't use vendors.  Does our use of MediaWiki imply
endorsement of their product?  SalesForce?  Google everything?  Mailman?
Ning?  GoToMeeting?  I know...I know...this is AppSec, so this is
different, but is it really?  There has to be a way for OWASP to be able to
engage with vendors in a meaningful way, especially when it results in a
net positive for our community.  Yes, let's disclaim away if that's what it
takes to make this happen!


On Fri, Jan 22, 2016 at 4:34 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Vendor neutrality is just treating all vendors equally and not giving one
> preference.
> When we accept a barter deal from an AppSec vendor, we tangentially endorse
> them.
> So what I'm asking is that we either provide a strong disclaimer that we
> do not endorse BugCrowd, or give other vendors in this space a chance to
> propose a similar offer.
> - Jim
> On 1/22/16 5:32 PM, johanna curiel curiel wrote:
>> Josh, your "why BugCrowd" comments give me concern. Regardless of their
>> sponsorship, donations or contributions, we still need to maintain a strong
>> commitment to vendor neutrality.
> Hi Jim
> I believe these kinds of discussions have popped up many times with regard
> to vendor neutrality, like mushrooms ;-)
> Do we have specific rules for these kinds of cases?
> If we do, could you please point us to them? If we don't, I think it would
> be a good idea to put this on the Board agenda and discuss it, in order
> to have clear guidelines and avoid these discussions again.
> We keep on discussing what is '*vendor neutral*' and what is not.
> In the case of a barter deal, it seems to me like a grey area that has not
> been clearly defined.
>    - First, we are not buying a service; a barter deal has been
>    offered by a service provider that used to pay for sponsorship marketing
>    - Second, no other similar service provider has offered a barter deal
>    - Conclusion: Do we have to create an RFC to ask for barter deals in
>    exchange for service ==> marketing?
> Honestly, this 'RFC' sounds weird.
> I get the point regarding vendor neutrality when buying a service, but I
> struggle with the fact that this is a barter deal and that we are not
> buying a service directly. On the contrary, if we had to buy this service,
> we would have to pay USD 86K, in exchange for sponsorship? This does not
> seem like a bad deal at all, to be honest.
> Going into an unclear *RFC barter deal* offering without even knowing
> if others will make a similar offering can be a waste of time.
> In the end, any 'vendor' can be a sponsor, right? So what exactly does this
> have to do with vendor neutrality if all vendors can do a sponsorship?
> The difference here is that instead of sponsoring us with money, they do
> it with a service worth USD 86K, one that can help us automate a lot of the
> QA process we need for projects.
> I hope we can think of concrete solutions instead of continuing to discuss
> vendor neutrality.
> Cheers
> Johanna
> On Fri, Jan 22, 2016 at 6:02 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> At the very least, I think we need to say that we do not at all endorse
>> BugCrowd as per the OWASP rules of play.
>> Josh, your "why BugCrowd" comments give me concern. Regardless of their
>> sponsorship, donations or contributions, we still need to maintain a strong
>> commitment to vendor neutrality. What this means is we need to give all
>> vendors in this space a chance to play or at least treat them all in an
>> equal way. To conflate their (great!) contributions with a preference to
>> choose them as a vendor - donated service or not - is something deeply
>> against the spirit of what vendor neutrality means.
>> I respect BugCrowd and what they do, but I also think OWASP is much
>> stronger when vendor neutrality is something we care about deeply. The
>> moment we start using BugCrowd's service, we tangentially endorse them. We
>> need to be careful about this.
>> Please note, I do not have a conflict of interest here at all. I do not
>> compete with BugCrowd in any way. In fact, I have friends who work there
>> that I care deeply for.
>> This is a stance I have held for all OWASP-AppSec vendor relationships
>> and I encourage all of us with fiduciary duty to do the same.
>> Aloha,
>> Jim
>> On 1/22/16 4:50 PM, Josh Sokol wrote:
>> It's not $86k in costs.  It's $86k worth of a service, that Bugcrowd
>> provides customers, which would be donated to OWASP.  That is what they
>> would normally charge a customer who was looking at using their platform.
>> ~josh
>> On Fri, Jan 22, 2016 at 2:34 PM, Paul Ritchie <paul.ritchie at owasp.org> wrote:
>>> Josh, Kelly, Claudia....this program sounds like it could be a really
>>> interesting opportunity and something 'many' in our community are pretty
>>> engaged with already.
>>> As the next round of details comes up....keep me in the loop.
>>> With my Finance Hat on....I'm curious to understand more about the $86K
>>> costs and who pays it, and if it is all hard dollars or if that includes
>>> some soft dollar barter numbers.
>>> Paul
>>> Best Regards, Paul Ritchie
>>> OWASP Executive Director
>>> paul.ritchie at owasp.org
>>> On Fri, Jan 22, 2016 at 12:11 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>> OWASP Board and Paul,
>>>> Kelly, Claudia, and I took some time this morning to discuss the
>>>> sponsorship opportunity with Bugcrowd.  What Bugcrowd is offering us is
>>>> their top-tier program for not only the OWASP website, servers, etc, but
>>>> also for any project that wants to use it as well.  I believe that this
>>>> would be a HUGE value-add to our projects platform to have this type of
>>>> resource behind them.  We would still need to determine and pay the actual
>>>> bounties, but the management of the program itself from engaging
>>>> researchers to triaging submissions to determining the security impact
>>>> would all be handled by Bugcrowd.  They said that this program runs $86k/yr.
>>>> I made it a point to ask them "Why Bugcrowd" instead of one of their
>>>> competitors and their response was good, IMHO.  For one, they are already a
>>>> sponsor of numerous OWASP events, and for another, they already have
>>>> employees actively contributing to the OWASP community.
>>>> Kelly is working with Bugcrowd in order to come up with an
>>>> all-encompassing sponsorship package.  This would likely include corporate
>>>> membership at the Silver level and conference sponsorship in exchange for
>>>> some amount of money to be negotiated.  Assuming that we can come to terms
>>>> on the sponsorship package, they will throw in the Bugcrowd platform as a
>>>> "Donation" and it is up to us to decide whether we would like to use it or
>>>> engage another vendor.
>>>> Please let me know if you have any questions.
>>>> ~josh
>>>> ---------- Forwarded message ----------
>>>> From: Oscar Aguilera <oscar.aguilera at bugcrowd.com>
>>>> Date: Fri, Jan 22, 2016 at 1:39 PM
>>>> Subject: OWASP + Bugcrowd - Program Proposal Details - Next Steps
>>>> To: Josh Sokol <josh.sokol at owasp.org>, Claudia
>>>> Casanovas <Claudia.Aviles-Casanovas at owasp.org>, Kelly Santalucia
>>>> <kelly.santalucia at owasp.org>, johanna curiel curiel
>>>> <johanna.curiel at owasp.org>
>>>> Cc: Jason Pitzen <jason at bugcrowd.com>, Chris
>>>> Tilton <chris.tilton at bugcrowd.com>
>>>> Hi Josh, Claudia, Kelly,
>>>> It was great talking to you all this morning, thanks for taking the
>>>> time and jumping on the call. All of us here are really excited about the
>>>> opportunity to increase our sponsorship with OWASP and create this
>>>> partnership.
>>>> Below I've outlined what we are proposing and some next steps to ensure
>>>> we're all armed with the proper info to take back to our respective teams
>>>> and board.
>>>> Bugcrowd will provide OWASP access to our Crowd Control platform and
>>>> manage all vulnerabilities submitted. This will include the following:
>>>>    - *Crowd Control:* Enterprise-class platform to safely engage
>>>>    researchers on each and every submission. OWASP will have visibility into
>>>>    all submitted vulnerabilities, including out-of-scope, duplicate and
>>>>    validated submissions.
>>>>    - *Triage:* Separation of all submitted vulnerabilities. This means
>>>>    clarifying the vulnerability with the researcher, and determining whether
>>>>    the vulnerability is within the scope of the bug bounty and whether it is
>>>>    a duplicate.
>>>>    - *Validate:* Reproduce all submissions once they have been
>>>>    determined to be within scope and not a duplicate. This means going through
>>>>    the replication steps and validating that the vulnerability is a real
>>>>    security threat. (Attached is a one-pager on the life cycle of a
>>>>    vulnerability.)
>>>>    - *Push Vulnerabilities:* The OWASP security team will receive
>>>>    validated vulnerabilities with recommended levels of criticality, and our
>>>>    team will monitor the vulnerabilities for high severities to alert the
>>>>    OWASP team.
>>>>    - *Continued Paid Sponsorship:* Along with this service, Bugcrowd
>>>>    will continue to contribute to support OWASP, including with paid
>>>>    sponsorships to various events. (TBD with Chris and Kelly + any additional
>>>>    work they negotiate)
>>>> Over the past couple of years we have had a lot of contribution to the
>>>> security and education space, not only with OWASP, but also with ISC^2. In
>>>> the past year we have seen Jason Haddix (director of our technical
>>>> operations team) co-author the Mobile Top 10 and serve as a project leader
>>>> for that effort. Bugcrowd has volunteered and sponsored various meetups and
>>>> events and will be doing so again for AppSec California, where our Senior
>>>> Security Engineer Leif Dreizler is helping organize and where we will
>>>> be sponsoring and volunteering.
>>>> I say all of this because when the question arises, "why Bugcrowd and
>>>> not someone else?", we know that our history and continued support of OWASP
>>>> shows our commitment and dedication to OWASP's efforts and that a
>>>> partnership between us would be the best fit.
>>>> Claudia, Johanna, let's hop on a call next week to look at the scope of
>>>> the bounty.
>>>> Chris and Kelly, if you two can sync up and work out the logistics of
>>>> the partnership in the next week that would be awesome.
>>>> Josh, please let me know if there is any additional information we can get
>>>> over to you, I'm glad to help wherever possible.
>>>> Let's try to reconvene in the next couple of weeks and map out a path
>>>> forward.
>>>> Again, thanks everyone for your time this morning. Look forward to
>>>> chatting again soon.
>>>> --
>>>> Best Regards,
>>>> Oscar Aguilera
>>>> Enterprise Account Executive - Bugcrowd Inc
>>>> Web:  https://bugcrowd.com
>>>> *Check out some of our happy partners: www.bugcrowd.com/programs*
>>>> Desk: 415.795.7216
>>>> Cell:   415.304.6926
>>>> Linkedin <https://www.linkedin.com/pub/oscar-aguilera/78/b63/541>