[Owasp-board] OWASP + Bugcrowd - Program Proposal Details - Next Steps
jim.manico at owasp.org
Fri Jan 22 22:53:02 UTC 2016
> I am all for vendor neutrality, but that doesn't mean that we can't
or don't use vendors.
Not at all. Like I said, vendor neutrality means we treat all vendors,
primarily application security vendors, equally.
> Does our use of MediaWiki imply endorsement of their product?
SalesForce? Google everything? Mailman? Ning? GoToMeeting?
None of those vendors are application security. We have a different
responsibility for application security vendors that we do for other
standard service vendors. But frankly, any vendor we pay for should be
done in an open, public way. Hiring "friends and family" is called
cronyism and is destructive to an open foundation.
> I know...I know...this is AppSec, so this is different, but is it
> There has to be a way for OWASP to be able to engage with vendors in
a meaningful way, especially when it results in a net positive for our
Exactly. Giving all vendors a fair chance to participate is the only
proper answer here.
On 1/22/16 5:49 PM, Josh Sokol wrote:
> I'm fine with a generic disclaimer that OWASP's use of any products or
> services does not constitute an endorsement. Actually, a similar type
> of generic disclaimer already exists on owasp.org <http://owasp.org>:
> OWASP *does not endorse or recommend commercial products or
> services*, allowing our community to remain vendor neutral with
> the collective wisdom of the best minds in software security
> How about we just add that statement to the bottom of every page
> everywhere that OWASP owns so that there is never any confusion? We
> can add it to all e-mail signatures as well just to cross every "T"
> and dot all the "I"s. Ultimately, I agree with Johanna in that we
> need to define clear rules of engagement and create whatever
> disclaimers are necessary so that we don't keep spinning our wheels.
> I am all for vendor neutrality, but that doesn't mean that we can't or
> don't use vendors. Does our use of MediaWiki imply endorsement of
> their product? SalesForce? Google everything? Mailman? Ning?
> GoToMeeting? I know...I know...this is AppSec, so this is different,
> but is it really? There has to be a way for OWASP to be able to
> engage with vendors in a meaningful way, especially when it results in
> a net positive for our community. Yes, let's disclaim away if that's
> what it takes to make this happen!
> On Fri, Jan 22, 2016 at 4:34 PM, Jim Manico <jim.manico at owasp.org> wrote:
> Vendor neutrality is just treating all vendors equally and not
> giving one preference.
> When we accept a barter deal from an AppSec vendor, we tangentially
> endorse them.
> So what I'm asking is that we either provide a strong disclaimer
> that we do not endorse BugCrowd, or give other vendors in this
> space a chance to propose a similar offer.
> - Jim
> On 1/22/16 5:32 PM, johanna curiel curiel wrote:
>> Josh, your "why BugCrowd" comments gives me concern. Regardless
>> of their sponsorship, donations or contributions, we still need
>> to maintain a strong commitment to vendor neutrality.
>> Hi Jim
>> I believe these kinds of discussions have popped up many times
>> with regard to vendor neutrality, like mushrooms ;-)
>> Do we have specific rules for these kind of cases?
>> If we do, could you please point us to them? If we don't, I
>> think it would be a good idea to put this on the Board agenda and
>> discuss it, in order to have clear guidelines and avoid these
>> discussions again.
>> We keep on discussing what is 'vendor neutral' and what is not.
>> In the case of a barter deal, seems to me like a grey area that
>> has not been clearly defined.
>> * First, we are not buying a service but a barter deal has been
>> offered by a service provider that used to pay sponsorship
>> * Second , no other similar service provider has offered a
>> barter deal
>> * Conclusion: Do we have to create an RFC to ask for barter
>> deals in exchange of service==> marketing?
>> Honestly, this 'RFC' sounds weird.
>> I get the point regarding vendor neutrality when buying a
>> service, but I struggle with the fact that this is a barter deal
>> and that we are not buying a service directly. On the contrary, if
>> we had to buy this service, we would have to pay USD86K; in exchange for
>> sponsorship? This does not seem like a bad deal at all, to be honest.
>> Going into an unclear 'RFC barter deal' offering without even
>> knowing if others will make a similar offer can be a waste of time.
>> In the end any 'vendor' can be a sponsor, right? So what exactly
>> does this have to do with vendor neutrality if all vendors can do
>> a sponsorship?
>> The difference here is that instead of sponsoring us with money,
>> they do it with a service worth USD86K that can help us
>> automate a lot of the QA process we need for projects.
>> I hope we can think of concrete solutions instead of keeping on
>> discussing vendor neutrality.
>> On Fri, Jan 22, 2016 at 6:02 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> At the very least, I think we need to say that we do not at
>> all endorse BugCrowd as per the OWASP rules of play.
>> Josh, your "why BugCrowd" comments give me concern.
>> Regardless of their sponsorship, donations or contributions,
>> we still need to maintain a strong commitment to vendor
>> neutrality. What this means is we need to give all vendors in
>> this space a chance to play, or at least treat them all in an
>> equal way. To conflate their (great!) contributions with a
>> preference to choose them as a vendor - donated service or not
>> - is something deeply against the spirit of what vendor
>> neutrality means.
>> I respect BugCrowd and what they do, but I also think OWASP
>> is much stronger when vendor neutrality is something we care
>> about deeply. The moment we start using BugCrowd's service, we
>> tangentially endorse them. We need to be careful about this.
>> Please note, I do not have a conflict of interest here at
>> all. I do not compete with BugCrowd in any way. In fact, I
>> have friends who work there that I care deeply for.
>> This is a stance I have held for all OWASP-AppSec vendor
>> relationships and I encourage all of us with fiduciary duty
>> to do the same.
>> On 1/22/16 4:50 PM, Josh Sokol wrote:
>>> It's not $86k in costs. It's $86k worth of a service, that
>>> Bugcrowd provides customers, which would be donated to
>>> OWASP. That is what they would normally charge a customer
>>> who was looking at using their platform.
>>> On Fri, Jan 22, 2016 at 2:34 PM, Paul Ritchie
>>> <paul.ritchie at owasp.org> wrote:
>>> Josh, Kelly, Claudia....this program sounds like it
>>> could be a really interesting opportunity and something
>>> 'many' on our community are pretty engaged with already.
>>> As the next round of details comes up....keep me in the
>>> With my Finance Hat on....I'm curious to understand more
>>> about the $86K costs and who pays it, and if it is all
>>> hard dollars or if that includes some soft dollar barter
>>> Best Regards, Paul Ritchie
>>> OWASP Executive Director
>>> paul.ritchie at owasp.org
>>> On Fri, Jan 22, 2016 at 12:11 PM, Josh Sokol
>>> <josh.sokol at owasp.org> wrote:
>>> OWASP Board and Paul,
>>> Kelly, Claudia, and I took some time this morning to
>>> discuss the sponsorship opportunity with Bugcrowd.
>>> What Bugcrowd is offering us is their top-tier
>>> program for not only the OWASP website, servers,
>>> etc, but also for any project that wants to use it
>>> as well. I believe that this would be a HUGE
>>> value-add to our projects platform to have this type
>>> of a resource behind them. We would still need to
>>> determine and pay the actual bounties, but the
>>> management of the program itself from engaging
>>> researchers to triaging submissions to determining
>>> the security impact would all be handled by
>>> Bugcrowd. They said that this program runs $86k/yr.
>>> I made it a point to ask them "Why Bugcrowd" instead
>>> of one of their competitors and their response was
>>> good, IMHO. For one, they are already a sponsor of
>>> numerous OWASP events, and for another, they already
>>> have employees actively contributing to the OWASP
>>> Kelly is working with Bugcrowd in order to come up
>>> with an all-encompassing sponsorship package. This
>>> would likely include corporate membership at the
>>> Silver level and conference sponsorship in exchange
>>> for some amount of money to be negotiated. Assuming
>>> that we can come to terms on the sponsorship
>>> package, they will throw in the Bugcrowd platform as
>>> a "Donation" and it is up to us to decide whether we
>>> would like to use it or engage another vendor.
>>> Please let me know if you have any questions.
>>> ---------- Forwarded message ----------
>>> From: Oscar Aguilera <oscar.aguilera at bugcrowd.com>
>>> Date: Fri, Jan 22, 2016 at 1:39 PM
>>> Subject: OWASP + Bugcrowd - Program Proposal Details
>>> - Next Steps
>>> To: Josh Sokol <josh.sokol at owasp.org>, Claudia Casanovas
>>> <Claudia.Aviles-Casanovas at owasp.org>, Kelly Santalucia
>>> <kelly.santalucia at owasp.org>, johanna curiel curiel
>>> <johanna.curiel at owasp.org>
>>> Cc: Jason Pitzen <jason at bugcrowd.com>, Chris Tilton
>>> <chris.tilton at bugcrowd.com>
>>> Hi Josh, Claudia, Kelly,
>>> It was great talking to you all this morning, thanks
>>> for taking the time and jumping on the call. All of
>>> us here are really excited about the opportunity to
>>> increase our sponsorship with OWASP and create this
>>> Below I've outlined what we are proposing and some
>>> next steps to ensure we're all armed with the proper
>>> info to take back to our respective teams and board.
>>> Bugcrowd will provide OWASP access to our Crowd
>>> Control platform, manage all vulnerabilities
>>> submitted and will include the following:
>>> * Crowd Control: Enterprise-class platform to
>>> safely engage researchers on each and every
>>> submission. OWASP will have visibility into all
>>> submitted vulnerabilities, including out of
>>> scope, duplicates and validated submissions.
>>> * Triage: Separation of all submitted
>>> vulnerabilities. This means clarifying the
>>> vulnerability with the researcher and determining
>>> if the vulnerability is within scope of the bug
>>> bounty and whether that vulnerability is a duplicate
>>> or not.
>>> * Validate: Reproduce all submissions once they
>>> have been determined within scope and not a
>>> duplicate. This means going through the
>>> replication steps and validating that the
>>> vulnerability is a real security threat.
>>> (Attached is a one pager on the life cycle of a
>>> * Push Vulnerabilities: The OWASP security team
>>> will receive validated vulnerabilities with
>>> recommended levels of criticality, and our team will
>>> monitor the vulnerabilities for high severities
>>> to alert the OWASP team.
>>> * Continued Paid Sponsorship: Along with this
>>> service, Bugcrowd will continue to contribute to
>>> support OWASP, including with paid sponsorships
>>> to various events. (TBD with Chris and Kelly +
>>> any additional work they negotiate)
>>> Over the past couple of years we have contributed a lot
>>> to the security and education space,
>>> not only with OWASP, but also with ISC^2. In the
>>> past year we have seen Jason Haddix (director of our
>>> technical operations team) co-author the Mobile
>>> Top 10 and serve as a project leader for that effort.
>>> Bugcrowd has volunteered at and sponsored various meet
>>> ups and events and will be doing so again for AppSec
>>> California, where our Senior Security Engineer Leif
>>> Dreizler is helping organize and where we will be
>>> sponsoring and volunteering.
>>> I say all of this because when the question arises,
>>> "why Bugcrowd and not someone else?", we know that
>>> our history and continued support of OWASP shows our
>>> commitment and dedication to OWASP's efforts and
>>> that a partnership between us would be the best fit.
>>> Claudia, Johanna, let's hop on a call next week to
>>> look at the scope of the bounty.
>>> Chris and Kelly, if you two can sync up and work out
>>> the logistics of the partnership in the next week
>>> that would be awesome.
>>> Josh, please let me know if there is any additional
>>> information we can get over to you; I'm glad to help
>>> wherever possible.
>>> Let's try to reconvene in the next couple of weeks
>>> and map out a path forward.
>>> Again, thanks everyone for your time this morning.
>>> Look forward to chatting again soon.
>>> Best Regards,
>>> Oscar Aguilera
>>> Enterprise Account Executive - Bugcrowd Inc
>>> Web: https://bugcrowd.com
>>> Check out some of our happy partners: http://www.bugcrowd.com/programs
>>> Desk: 415.795.7216
>>> Cell: 415.304.6926
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org