[Owasp-board] OWASP + Bugcrowd - Program Proposal Details - Next Steps

Jim Manico jim.manico at owasp.org
Fri Jan 22 23:00:41 UTC 2016


 > .... I would like to propose that we send out an e-mail to the OWASP 
Community simply stating that OWASP is interested in starting a bug 
bounty program.  We would be willing to entertain any and all offers 
from anyone interested in helping with such a program.  Give it a week 
and see if anyone else responds.  If nobody does, then we go with 
Bugcrowd.  If somebody else does, then we evaluate the best deal for 
OWASP.  Fair?

I think that is a very reasonable compromise, Josh. I'm down.

- Jim

On 1/22/16 5:58 PM, Josh Sokol wrote:
>
>     Giving all vendors a fair chance to participate is the only proper
>     answer here.
>
>
> You had me and then you lost me here.  What this says is that we do an 
> RFP process for everything we ever intend to use, regardless of cost, 
> company, etc.  I'm sure you've done plenty of RFPs before so you know 
> how time consuming they are.  They're time consuming for the person 
> assembling them and probably 10x for the person responding to them.  
> Not to mention that the inherent assumption is that you can identify 
> ALL vendors in this space in order to "give all vendors a fair chance 
> to participate".
>
> I'd like to propose an alternative.  In addition to our standard 
> generic disclaimer that OWASP does not endorse vendors, I would like 
> to propose that we send out an e-mail to the OWASP Community simply 
> stating that OWASP is interested in starting a bug bounty program.  We 
> would be willing to entertain any and all offers from anyone 
> interested in helping with such a program.  Give it a week and see if 
> anyone else responds.  If nobody does, then we go with Bugcrowd.  If 
> somebody else does, then we evaluate the best deal for OWASP. Fair?
>
> ~josh
>
> On Fri, Jan 22, 2016 at 4:53 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>     > I am all for vendor neutrality, but that doesn't mean that we
>     can't or don't use vendors.
>
>     Not at all. Like I said, vendor neutrality means we treat all
>     vendors, primarily application security vendors, equally.
>
>     > Does our use of MediaWiki imply endorsement of their product? 
>     SalesForce?  Google everything? Mailman?  Ning?  GoToMeeting?
>
>     None of those vendors are application security. We have a
>     different responsibility for application security vendors than we
>     do for other standard service vendors. But frankly, any vendor we
>     pay for should be done in an open, public way. Hiring "friends and
>     family" is called cronyism and is destructive to an open foundation.
>
>     > I know...I know...this is AppSec, so this is different, but is
>     it really?
>
>     Absolutely.
>
>     > There has to be a way for OWASP to be able to engage with
>     vendors in a meaningful way, especially when it results in a net
>     positive for our community.
>
>     Exactly. Giving all vendors a fair chance to participate is the
>     only proper answer here.
>
>     Aloha,
>     Jim
>
>
>
>     On 1/22/16 5:49 PM, Josh Sokol wrote:
>>     I'm fine with a generic disclaimer that OWASP's use of any
>>     products or services does not constitute an endorsement. 
>>     Actually, a similar type of generic disclaimer already exists on
>>     owasp.org:
>>
>>         OWASP *does not endorse or recommend commercial products or
>>         services*, allowing our community to remain vendor neutral
>>         with the collective wisdom of the best minds in software
>>         security worldwide.
>>
>>
>>     How about we just add that statement to the bottom of every page
>>     everywhere that OWASP owns so that there is never any confusion? 
>>     We can add it to all e-mail signatures as well just to cross
>>     every "T" and dot all the "I"s. Ultimately, I agree with Johanna
>>     in that we need to define clear rules of engagement and create
>>     whatever disclaimers are necessary so that we don't keep spinning
>>     our wheels.  I am all for vendor neutrality, but that doesn't
>>     mean that we can't or don't use vendors.  Does our use of
>>     MediaWiki imply endorsement of their product? SalesForce?  Google
>>     everything?  Mailman? Ning?  GoToMeeting?  I know...I know...this
>>     is AppSec, so this is different, but is it really? There has to
>>     be a way for OWASP to be able to engage with vendors in a
>>     meaningful way, especially when it results in a net positive for
>>     our community.  Yes, let's disclaim away if that's what it takes
>>     to make this happen!
>>
>>     ~josh
>>
>>     On Fri, Jan 22, 2016 at 4:34 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>         Vendor neutrality is just treating all vendors equally and
>>         not giving one preference.
>>
>>         When we accept a barter deal from an AppSec vendor, we
>>         tangentially endorse them.
>>
>>         So what I'm asking is that we either provide a strong
>>         disclaimer that we do not endorse BugCrowd, or give other
>>         vendors in this space a chance to propose a similar offer.
>>
>>         - Jim
>>
>>
>>         On 1/22/16 5:32 PM, johanna curiel curiel wrote:
>>>         Josh, your "why BugCrowd" comments give me concern.
>>>         Regardless of their sponsorship, donations or contributions,
>>>         we still need to maintain a strong commitment to vendor
>>>         neutrality.
>>>
>>>         Hi Jim
>>>
>>>         I believe many times these kinds of discussions have popped
>>>         up with regard to vendor neutrality like mushrooms ;-)
>>>
>>>         Do we have specific rules for these kinds of cases?
>>>         If we do, please could you point us to them. If we don't,
>>>         I think it would be a good idea to set this on the Board agenda
>>>         and discuss it, in order to have clear guidelines and
>>>         avoid these discussions again?
>>>
>>>         We keep on discussing what is 'vendor neutral' and what is
>>>         not.
>>>         In the case of a barter deal, it seems to me like a grey area
>>>         that has not been clearly defined.
>>>
>>>           * First, we are not buying a service, but a barter deal has
>>>             been offered by a service provider that used to pay
>>>             sponsorship marketing
>>>           * Second, no other similar service provider has offered a
>>>             barter deal
>>>           * Conclusion: Do we have to create an RFC to ask for
>>>             barter deals in exchange for service ==> marketing?
>>>
>>>         Honestly, this 'RFC' sounds weird.
>>>
>>>         I get the point regarding vendor neutrality when buying a
>>>         service, but I struggle with the fact that this is a barter
>>>         deal and that we are not buying a service directly. On the
>>>         contrary, if we had to buy this service, we would have to pay
>>>         USD86K, in exchange for sponsorship? This does not seem like
>>>         a bad deal at all to be honest.
>>>
>>>
>>>         Going into an unclear 'RFC barter deal' offering without
>>>         even knowing if others will make a similar offering can be a
>>>         waste of time.
>>>
>>>         In the end any 'vendor' can be a sponsor right? So what
>>>         exactly does this have to do with vendor neutrality if all
>>>         vendors can do a sponsorship?
>>>
>>>         The difference here is that instead of sponsoring us with
>>>         money, they do it with a service worth USD86K and that can
>>>         help us automate a lot of the QA process we need for projects.
>>>
>>>         I hope we can think of concrete solutions instead of
>>>         continuing to discuss vendor neutrality.
>>>
>>>         Cheers
>>>
>>>         Johanna
>>>
>>>         On Fri, Jan 22, 2016 at 6:02 PM, Jim Manico
>>>         <jim.manico at owasp.org> wrote:
>>>
>>>             At the very least, I think we need to say that we do not
>>>             at all endorse BugCrowd as per the OWASP rules of play.
>>>
>>>             Josh, your "why BugCrowd" comments give me concern.
>>>             Regardless of their sponsorship, donations or
>>>             contributions, we still need to maintain a strong
>>>             commitment to vendor neutrality. What this means is we
>>>             need to give all vendors in this space a chance to play
>>>             or at least treat them all in an equal way. To conflate
>>>             their (great!) contributions with a preference to choose
>>>             them as a vendor - donated service or not - is something
>>>             deeply against the spirit of what vendor neutrality means.
>>>
>>>             I respect BugCrowd and what they do, but I also think
>>>             OWASP is much stronger when vendor neutrality is
>>>             something we care about deeply. The moment we start
>>>             using BugCrowd's service, we tangentially endorse them.
>>>             We need to be careful about this.
>>>
>>>             Please note, I do not have a conflict of interest here
>>>             at all. I do not compete with BugCrowd in any way. In
>>>             fact, I have friends who work there that I care deeply for.
>>>
>>>             This is a stance I have held for all OWASP-AppSec vendor
>>>             relationships and I encourage all of us with fiduciary
>>>             duty to do the same.
>>>
>>>             Aloha,
>>>             Jim
>>>
>>>
>>>
>>>             On 1/22/16 4:50 PM, Josh Sokol wrote:
>>>>             It's not $86k in costs.  It's $86k worth of a service,
>>>>             that Bugcrowd provides customers, which would be
>>>>             donated to OWASP. That is what they would normally
>>>>             charge a customer who was looking at using their platform.
>>>>
>>>>             ~josh
>>>>
>>>>             On Fri, Jan 22, 2016 at 2:34 PM, Paul Ritchie
>>>>             <paul.ritchie at owasp.org> wrote:
>>>>
>>>>                 Josh, Kelly, Claudia....this program sounds like it
>>>>                 could be a really interesting opportunity and
>>>>                 something 'many' in our community are pretty
>>>>                 engaged with already.
>>>>
>>>>                 As the next round of details comes up....keep me in
>>>>                 the loop.
>>>>                 With my Finance Hat on....I'm curious to understand
>>>>                 more about the $86K costs and who pays it, and if
>>>>                 it is all hard dollars or if that includes some
>>>>                 soft dollar barter numbers.
>>>>
>>>>                 Paul
>>>>
>>>>
>>>>
>>>>                 Best Regards, Paul Ritchie
>>>>                 OWASP Executive Director
>>>>                 paul.ritchie at owasp.org
>>>>
>>>>
>>>>                 On Fri, Jan 22, 2016 at 12:11 PM, Josh Sokol
>>>>                 <josh.sokol at owasp.org> wrote:
>>>>
>>>>                     OWASP Board and Paul,
>>>>
>>>>                     Kelly, Claudia, and I took some time this
>>>>                     morning to discuss the sponsorship opportunity
>>>>                     with Bugcrowd. What Bugcrowd is offering us is
>>>>                     their top-tier program for not only the OWASP
>>>>                     website, servers, etc, but also for any project
>>>>                     that wants to use it as well.  I believe that
>>>>                     this would be a HUGE value-add to our projects
>>>>                     platform to have this type of a resource behind
>>>>                     them. We would still need to determine and pay
>>>>                     the actual bounties, but the management of the
>>>>                     program itself from engaging researchers to
>>>>                     triaging submissions to determining the
>>>>                     security impact would all be handled by
>>>>                     Bugcrowd. They said that this program runs $86k/yr.
>>>>
>>>>                     I made it a point to ask them "Why Bugcrowd"
>>>>                     instead of one of their competitors and their
>>>>                     response was good, IMHO. For one, they are
>>>>                     already a sponsor of numerous OWASP events, and
>>>>                     for another, they already have employees
>>>>                     actively contributing to the OWASP community.
>>>>
>>>>                     Kelly is working with Bugcrowd in order to come
>>>>                     up with an all-encompassing sponsorship
>>>>                     package.  This would likely include corporate
>>>>                     membership at the Silver level and conference
>>>>                     sponsorship in exchange for some amount of
>>>>                     money to be negotiated. Assuming that we can
>>>>                     come to terms on the sponsorship package, they
>>>>                     will throw in the Bugcrowd platform as a
>>>>                     "Donation" and it is up to us to decide whether
>>>>                     we would like to use it or engage another vendor.
>>>>
>>>>                     Please let me know if you have any questions.
>>>>
>>>>                     ~josh
>>>>
>>>>                     ---------- Forwarded message ----------
>>>>                     From: Oscar Aguilera <oscar.aguilera at bugcrowd.com>
>>>>                     Date: Fri, Jan 22, 2016 at 1:39 PM
>>>>                     Subject: OWASP + Bugcrowd - Program Proposal
>>>>                     Details - Next Steps
>>>>                     To: Josh Sokol <josh.sokol at owasp.org>, Claudia
>>>>                     Casanovas <Claudia.Aviles-Casanovas at owasp.org>,
>>>>                     Kelly Santalucia <kelly.santalucia at owasp.org>, johanna
>>>>                     curiel curiel <johanna.curiel at owasp.org>
>>>>                     Cc: Jason Pitzen <jason at bugcrowd.com>, Chris Tilton
>>>>                     <chris.tilton at bugcrowd.com>
>>>>
>>>>
>>>>                     Hi Josh, Claudia, Kelly,
>>>>
>>>>                     It was great talking to you all this morning,
>>>>                     thanks for taking the time and jumping on the
>>>>                     call. All of us here are really excited about
>>>>                     the opportunity to increase our sponsorship
>>>>                     with OWASP and create this partnership.
>>>>
>>>>                     Below I've outlined what we are proposing and
>>>>                     some next steps to ensure we're all armed with
>>>>                     the proper info to take back to our respective
>>>>                     teams and board.
>>>>
>>>>                     Bugcrowd will provide OWASP access to our Crowd
>>>>                     Control platform, manage all vulnerabilities
>>>>                     submitted and will include the following:
>>>>
>>>>                       * Crowd Control: Enterprise Class platform
>>>>                         to safely engage researchers on each and
>>>>                         every submission. OWASP will have
>>>>                         visibility into all submitted
>>>>                         vulnerabilities, including out of scope,
>>>>                         duplicates and validated submissions.
>>>>                       * Triage: Separation of all submitted
>>>>                         vulnerabilities. This means clarifying the
>>>>                         vulnerability with the researcher and
>>>>                         determining if the vulnerability is within
>>>>                         scope of the bug bounty and whether that
>>>>                         vulnerability is a duplicate or not.
>>>>                       * Validate: Reproduce all submissions once
>>>>                         they have been determined within scope and
>>>>                         not a duplicate. This means going through
>>>>                         the replication steps and validating that
>>>>                         the vulnerability is a real security
>>>>                         threat. (Attached is a one pager on the
>>>>                         life cycle of a vulnerability)
>>>>                       * Push Vulnerabilities: The OWASP security
>>>>                         team will receive validated vulnerabilities
>>>>                         with recommended levels of criticality and our
>>>>                         team will monitor the vulnerabilities for
>>>>                         high severities to alert the OWASP team.
>>>>                       * Continued Paid Sponsorship: Along with
>>>>                         this service, Bugcrowd will continue to
>>>>                         contribute to support OWASP, including with
>>>>                         paid sponsorships to various events. (TBD
>>>>                         with Chris and Kelly + any additional work
>>>>                         they negotiate)
>>>>
>>>>                     Over the past couple of years we have had a lot
>>>>                     of contribution into the security and education
>>>>                     space, not only with OWASP, but also
>>>>                     with ISC^2. In the past year we have seen Jason
>>>>                     Haddix (director of our technical operations
>>>>                     team) co-author the Mobile Top 10 and serve as a
>>>>                     project leader for that effort. Bugcrowd has
>>>>                     volunteered at and sponsored various meet ups and
>>>>                     events and will be doing so again for AppSec
>>>>                     California, where our Senior Security Engineer
>>>>                     Leif Dreizler is helping organize and where we
>>>>                     will be sponsoring and volunteering.
>>>>
>>>>                     I say all of this because when the question
>>>>                     arises, "why Bugcrowd and not someone else?" We
>>>>                     know that our history and continued support of
>>>>                     OWASP shows our commitment and dedication to
>>>>                     OWASP's efforts and that a partnership between
>>>>                     us would be the best fit.
>>>>
>>>>                     Claudia, Johanna, let's hop on a call next week
>>>>                     to look at the scope of the bounty.
>>>>
>>>>                     Chris and Kelly, if you two can sync up and
>>>>                     work out the logistics of the partnership in
>>>>                     the next week that would be awesome.
>>>>
>>>>                     Josh, please let me know if there is any
>>>>                     additional information we can get over to you; I'm
>>>>                     glad to help wherever possible.
>>>>
>>>>                     Let's try to reconvene in the next couple of
>>>>                     weeks and map out a path forward.
>>>>                     Again, thanks everyone for your time this
>>>>                     morning. Look forward to chatting again soon.
>>>>
>>>>                     -- 
>>>>                     Best Regards,
>>>>
>>>>                     Oscar Aguilera
>>>>                     Enterprise Account Executive - Bugcrowd Inc
>>>>                     Web: https://bugcrowd.com
>>>>
>>>>                     Check out some of our happy partners:
>>>>                     www.bugcrowd.com/programs
>>>>
>>>>                     Desk: 415.795.7216
>>>>                     Cell: 415.304.6926
>>>>                     LinkedIn: https://www.linkedin.com/pub/oscar-aguilera/78/b63/541
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>             _______________________________________________
>>>>             Owasp-board mailing list
>>>>             Owasp-board at lists.owasp.org
>>>>             https://lists.owasp.org/mailman/listinfo/owasp-board
>>>
>>>
>>
>>
>
>
