[Owasp-board] OWASP + Bugcrowd - Program Proposal Details - Next Steps

Josh Sokol josh.sokol at owasp.org
Fri Jan 22 23:11:29 UTC 2016


Done.

> OWASP Community,
>
> There has been a lot of discussion lately about the possibility of
> starting a Bug Bounty program here at OWASP.  It could cover OWASP
> Foundation assets (the website, servers, etc) as well as interested OWASP
> Projects.  The scope, payout, and even the types of vulnerabilities that we
> honor is yet to be determined.  Please consider this an open call that, as
> our ED, the OWASP Board, and our Projects Team contemplate what a Bug
> Bounty program would mean to OWASP, we are willing to entertain any and all
> offers from anyone interested in helping with such a program.  Please reach
> out to us over the next week or so if you are interested.  Thanks!
>
> Sincerely,
>
> Josh Sokol
> Vice Chair, OWASP Foundation Board of Directors
>

On Fri, Jan 22, 2016 at 5:00 PM, Jim Manico <jim.manico at owasp.org> wrote:

> > .... I would like to propose that we send out an e-mail to the OWASP
> Community simply stating that OWASP is interested in starting a bug bounty
> program.  We would be willing to entertain any and all offers from anyone
> interested in helping with such a program.  Give it a week and see if
> anyone else responds.  If nobody does, then we go with Bugcrowd.  If
> somebody else does, then we evaluate the best deal for OWASP.  Fair?
>
> I think that is a very reasonable compromise, Josh. I'm down.
>
> - Jim
>
>
> On 1/22/16 5:58 PM, Josh Sokol wrote:
>
>> Giving all vendors a fair chance to participate is the only proper answer
>> here.
>>
>
> You had me and then you lost me here.  What this says is that we do an RFP
> process for everything we ever intend to use, regardless of cost, company,
> etc.  I'm sure you've done plenty of RFPs before so you know how time
> consuming they are.  They're time consuming for the person assembling them
> and probably 10x for the person responding to them.  Not to mention that
> the inherent assumption is that you can identify ALL vendors in this space
> in order to "give all vendors a fair chance to participate".
>
> I'd like to propose an alternative.  In addition to our standard generic
> disclaimer that OWASP does not endorse vendors, I would like to propose
> that we send out an e-mail to the OWASP Community simply stating that OWASP
> is interested in starting a bug bounty program.  We would be willing to
> entertain any and all offers from anyone interested in helping with such a
> program.  Give it a week and see if anyone else responds.  If nobody does,
> then we go with Bugcrowd.  If somebody else does, then we evaluate the best
> deal for OWASP.  Fair?
>
> ~josh
>
> On Fri, Jan 22, 2016 at 4:53 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> > I am all for vendor neutrality, but that doesn't mean that we can't or
>> don't use vendors.
>>
>> Not at all. Like I said, vendor neutrality means we treat all vendors,
>> primarily application security vendors, equally.
>>
>> > Does our use of MediaWiki imply endorsement of their product?
>> SalesForce?  Google everything?  Mailman?  Ning?  GoToMeeting?
>>
>> None of those vendors are application security. We have a different
>> responsibility for application security vendors than we do for other
>> standard service vendors. But frankly, any vendor we pay for should be done
>> in an open, public way. Hiring "friends and family" is called cronyism and
>> is destructive to an open foundation.
>>
>> > I know...I know...this is AppSec, so this is different, but is it
>> really?
>>
>> Absolutely.
>>
>> > There has to be a way for OWASP to be able to engage with vendors in a
>> meaningful way, especially when it results in a net positive for our
>> community.
>>
>> Exactly. Giving all vendors a fair chance to participate is the only
>> proper answer here.
>>
>> Aloha,
>> Jim
>>
>>
>>
>> On 1/22/16 5:49 PM, Josh Sokol wrote:
>>
>> I'm fine with a generic disclaimer that OWASP's use of any products or
>> services does not constitute an endorsement.  Actually, a similar type of
>> generic disclaimer already exists on owasp.org:
>>
>>> OWASP *does not endorse or recommend commercial products or services*,
>>> allowing our community to remain vendor neutral with the collective wisdom
>>> of the best minds in software security worldwide.
>>>
>>
>> How about we just add that statement to the bottom of every page
>> everywhere that OWASP owns so that there is never any confusion?  We can
>> add it to all e-mail signatures as well just to cross every "T" and dot all
>> the "I"s.  Ultimately, I agree with Johanna in that we need to define clear
>> rules of engagement and create whatever disclaimers are necessary so that
>> we don't keep spinning our wheels.  I am all for vendor neutrality, but
>> that doesn't mean that we can't or don't use vendors.  Does our use of
>> MediaWiki imply endorsement of their product?  SalesForce?  Google
>> everything?  Mailman?  Ning?  GoToMeeting?  I know...I know...this is
>> AppSec, so this is different, but is it really?  There has to be a way for
>> OWASP to be able to engage with vendors in a meaningful way, especially
>> when it results in a net positive for our community.  Yes, let's disclaim
>> away if that's what it takes to make this happen!
>>
>> ~josh
>>
>> On Fri, Jan 22, 2016 at 4:34 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> Vendor neutrality is just treating all vendors equally and not giving
>>> one preference.
>>>
>>> When we accept a barter deal from an AppSec vendor, we tangentially
>>> endorse them.
>>>
>>> So what I'm asking is that we either provide a strong disclaimer that we
>>> do not endorse BugCrowd, or give other vendors in this space a chance to
>>> propose a similar offer.
>>>
>>> - Jim
>>>
>>>
>>> On 1/22/16 5:32 PM, johanna curiel curiel wrote:
>>>
>>>> Josh, your "why BugCrowd" comments give me concern. Regardless of their
>>>> sponsorship, donations or contributions, we still need to maintain a strong
>>>> commitment to vendor neutrality.
>>>
>>> Hi Jim
>>>
>>> I believe many times these kinds of discussions have popped up with
>>> regard to vendor neutrality, like mushrooms ;-)
>>>
>>> Do we have specific rules for these kinds of cases?
>>> If we do, please could you point us to them. If we don't, I think it
>>> would be a good idea to set this on the Board agenda and discuss this, in
>>> order to have clear guidelines and avoid these discussions again.
>>>
>>> We keep on discussing what is *vendor neutral* and what is not.
>>> In the case of a barter deal, it seems to me like a grey area that has not
>>> been clearly defined.
>>>
>>>    - First, we are not buying a service, but a barter deal has been
>>>    offered by a service provider that used to pay for sponsorship marketing
>>>    - Second, no other similar service provider has offered a barter
>>>    deal
>>>    - Conclusion: Do we have to create an RFC to ask for barter deals in
>>>    exchange of service ==> marketing?
>>>
>>> Honestly, this 'RFC' sounds weird.
>>>
>>> I get the point regarding vendor neutrality when buying a service, but I
>>> struggle with the fact that this is a barter deal and that we are not
>>> buying a service directly. On the contrary, if we had to buy this service,
>>> we would have to pay USD86K, in exchange for sponsorship? This does not seem
>>> like a bad deal at all, to be honest.
>>>
>>> If we go into an unclear *RFC barter deal* offering without even
>>> knowing if others will make a similar offering, it can be a waste of time.
>>>
>>> In the end any 'vendor' can be a sponsor, right? So what exactly does
>>> this have to do with vendor neutrality if all vendors can do a sponsorship?
>>>
>>> The difference here is that instead of sponsoring us with money, they
>>> do it with a service worth USD86K that can help us automate a lot of
>>> the QA process we need for projects.
>>>
>>> I hope we can think of concrete solutions instead of continuing to discuss
>>> vendor neutrality.
>>>
>>> Cheers
>>>
>>> Johanna
>>>
>>> On Fri, Jan 22, 2016 at 6:02 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>> At the very least, I think we need to say that we do not at all endorse
>>>> BugCrowd as per the OWASP rules of play.
>>>>
>>>> Josh, your "why BugCrowd" comments give me concern. Regardless of
>>>> their sponsorship, donations or contributions, we still need to maintain a
>>>> strong commitment to vendor neutrality. What this means is we need to give
>>>> all vendors in this space a chance to play or at least treat them all in an
>>>> equal way. To conflate their (great!) contributions with a preference to
>>>> choose them as a vendor - donated service or not - is something deeply
>>>> against the spirit of what vendor neutrality means.
>>>>
>>>> I respect BugCrowd and what they do, but I also think OWASP is much
>>>> stronger when vendor neutrality is something we care about deeply. The
>>>> moment we start using BugCrowd's service, we tangentially endorse them. We
>>>> need to be careful about this.
>>>>
>>>> Please note, I do not have a conflict of interest here at all. I do not
>>>> compete with BugCrowd in any way. In fact, I have friends who work there
>>>> that I care deeply for.
>>>>
>>>> This is a stance I have held for all OWASP-AppSec vendor relationships
>>>> and I encourage all of us with fiduciary duty to do the same.
>>>>
>>>> Aloha,
>>>> Jim
>>>>
>>>>
>>>>
>>>> On 1/22/16 4:50 PM, Josh Sokol wrote:
>>>>
>>>> It's not $86k in costs.  It's $86k worth of a service, that Bugcrowd
>>>> provides customers, which would be donated to OWASP.  That is what they
>>>> would normally charge a customer who was looking at using their platform.
>>>>
>>>> ~josh
>>>>
>>>> On Fri, Jan 22, 2016 at 2:34 PM, Paul Ritchie <paul.ritchie at owasp.org> wrote:
>>>>
>>>>> Josh, Kelly, Claudia....this program sounds like it could be a really
>>>>> interesting opportunity and something 'many' in our community are pretty
>>>>> engaged with already.
>>>>>
>>>>> As the next round of details comes up....keep me in the loop.
>>>>> With my Finance Hat on....I'm curious to understand more about the
>>>>> $86K costs and who pays it, and if it is all hard dollars or if that
>>>>> includes some soft dollar barter numbers.
>>>>>
>>>>> Paul
>>>>>
>>>>>
>>>>>
>>>>> Best Regards, Paul Ritchie
>>>>> OWASP Executive Director
>>>>> paul.ritchie at owasp.org
>>>>>
>>>>>
>>>>> On Fri, Jan 22, 2016 at 12:11 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>>>
>>>>>> OWASP Board and Paul,
>>>>>>
>>>>>> Kelly, Claudia, and I took some time this morning to discuss the
>>>>>> sponsorship opportunity with Bugcrowd.  What Bugcrowd is offering us is
>>>>>> their top-tier program for not only the OWASP website, servers, etc, but
>>>>>> also for any project that wants to use it as well.  I believe that this
>>>>>> would be a HUGE value-add to our projects platform to have this type of a
>>>>>> resource behind them.  We would still need to determine and pay the actual
>>>>>> bounties, but the management of the program itself from engaging
>>>>>> researchers to triaging submissions to determining the security impact
>>>>>> would all be handled by Bugcrowd.  They said that this program runs $86k/yr.
>>>>>>
>>>>>> I made it a point to ask them "Why Bugcrowd" instead of one of their
>>>>>> competitors and their response was good, IMHO.  For one, they are already a
>>>>>> sponsor of numerous OWASP events, and for another, they already have
>>>>>> employees actively contributing to the OWASP community.
>>>>>>
>>>>>> Kelly is working with Bugcrowd in order to come up with an
>>>>>> all-encompassing sponsorship package.  This would likely include corporate
>>>>>> membership at the Silver level and conference sponsorship in exchange for
>>>>>> some amount of money to be negotiated.  Assuming that we can come to terms
>>>>>> on the sponsorship package, they will throw in the Bugcrowd platform as a
>>>>>> "Donation" and it is up to us to decide whether we would like to use it or
>>>>>> engage another vendor.
>>>>>>
>>>>>> Please let me know if you have any questions.
>>>>>>
>>>>>> ~josh
>>>>>>
>>>>>> ---------- Forwarded message ----------
>>>>>> From: Oscar Aguilera <oscar.aguilera at bugcrowd.com>
>>>>>> Date: Fri, Jan 22, 2016 at 1:39 PM
>>>>>> Subject: OWASP + Bugcrowd - Program Proposal Details - Next Steps
>>>>>> To: Josh Sokol <josh.sokol at owasp.org>, Claudia Casanovas
>>>>>> <Claudia.Aviles-Casanovas at owasp.org>, Kelly Santalucia
>>>>>> <kelly.santalucia at owasp.org>, johanna curiel curiel
>>>>>> <johanna.curiel at owasp.org>
>>>>>> Cc: Jason Pitzen <jason at bugcrowd.com>, Chris Tilton
>>>>>> <chris.tilton at bugcrowd.com>
>>>>>>
>>>>>>
>>>>>> Hi Josh, Claudia, Kelly,
>>>>>>
>>>>>> It was great talking to you all this morning, thanks for taking the
>>>>>> time and jumping on the call. All of us here are really excited about the
>>>>>> opportunity to increase our sponsorship with OWASP and create this
>>>>>> partnership.
>>>>>>
>>>>>> Below I've outlined what we are proposing and some next steps to
>>>>>> ensure we're all armed with the proper info to take back to our respective
>>>>>> teams and board.
>>>>>>
>>>>>> Bugcrowd will provide OWASP access to our Crowd Control platform,
>>>>>> manage all vulnerabilities submitted and will include the following:
>>>>>>
>>>>>>    - *Crowd Control:* Enterprise-class platform to safely engage
>>>>>>    researchers on each and every submission. OWASP will have visibility into
>>>>>>    all submitted vulnerabilities, including out-of-scope, duplicate and
>>>>>>    validated submissions.
>>>>>>    - *Triage:* Separation of all submitted vulnerabilities. This
>>>>>>    means clarifying the vulnerability with the researcher and determining if the
>>>>>>    vulnerability is within the scope of the bug bounty and whether it is
>>>>>>    a duplicate or not.
>>>>>>    - *Validate:* Reproduce all submissions once they have been
>>>>>>    determined to be within scope and not a duplicate. This means going through the
>>>>>>    replication steps and validating that the vulnerability is a real security
>>>>>>    threat. (Attached is a one-pager on the life cycle of a vulnerability.)
>>>>>>    - *Push Vulnerabilities:* The OWASP security team will receive
>>>>>>    validated vulnerabilities with recommended levels of criticality, and our team
>>>>>>    will monitor the vulnerabilities for high severities to alert the OWASP
>>>>>>    team.
>>>>>>    - *Continued Paid Sponsorship:* Along with this service, Bugcrowd
>>>>>>    will continue to contribute to support OWASP, including with paid
>>>>>>    sponsorships to various events. (TBD with Chris and Kelly + any additional
>>>>>>    work they negotiate)
>>>>>>
>>>>>> Over the past couple of years we have had a lot of contribution to the
>>>>>> security and education space, not only with OWASP, but also with ISC^2. In
>>>>>> the past year we have seen Jason Haddix (director of our technical
>>>>>> operations team) co-author the Mobile Top 10 and serve as a project leader for
>>>>>> that effort. Bugcrowd has volunteered at and sponsored various meetups and
>>>>>> events and will be doing so again for AppSec California, where our Senior
>>>>>> Security Engineer Leif Dreizler is helping organize and where we
>>>>>> will be sponsoring and volunteering.
>>>>>>
>>>>>> I say all of this because when the question arises, "why Bugcrowd and
>>>>>> not someone else?", we know that our history and continued support of OWASP
>>>>>> show our commitment and dedication to OWASP's efforts and that a
>>>>>> partnership between us would be the best fit.
>>>>>>
>>>>>> Claudia, Johanna, let's hop on a call next week to look at the scope
>>>>>> of the bounty.
>>>>>>
>>>>>> Chris and Kelly, if you two can sync up and work out the logistics of
>>>>>> the partnership in the next week that would be awesome.
>>>>>>
>>>>>> Josh, please let me know if there is any additional information we can
>>>>>> get over to you; I'm glad to help wherever possible.
>>>>>>
>>>>>> Let's try to reconvene in the next couple of weeks and map out a path
>>>>>> forward.
>>>>>> Again, thanks everyone for your time this morning. Look forward to
>>>>>> chatting again soon.
>>>>>>
>>>>>> --
>>>>>> Best Regards,
>>>>>>
>>>>>> Oscar Aguilera
>>>>>> Enterprise Account Executive - Bugcrowd Inc
>>>>>> Web: https://bugcrowd.com
>>>>>>
>>>>>> *Check out some of our happy partners: www.bugcrowd.com/programs*
>>>>>>
>>>>>> Desk: 415.795.7216
>>>>>> Cell: 415.304.6926
>>>>>> LinkedIn: https://www.linkedin.com/pub/oscar-aguilera/78/b63/541
>>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> Owasp-board mailing list
>>>> Owasp-board at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>
>>
>