[Owasp-board] Petition budget for OWASP Bug Bounty 2016-2017

Matt Tesauro matt.tesauro at owasp.org
Fri Nov 11 21:51:09 UTC 2016


Josh, we've known each other for about a decade, so you know I'm not trying
to be divisive; I'm simply stating facts right out of the Donation
Scoreboard.  You've been a strong advocate for Chapters and that's great.
I'm outing myself as the person who is going to advocate for projects going
forward.

And whatever the scoreboard says, taking over 20 emails for such a small
amount of money for such a high-performing project is just silly.

The thing that inspired my <rant> was how hard it was for an awesome
project that has always done the right thing to do more of the right thing.


Take the sentence above and search & replace "project" with "chapter"
(:1,$s/project/chapter/g) and the statement still holds true.

<aside>
Removing chapters that ran AppSecs from the scorecard isn't the issue - in
fact it's a symptom of the different treatment of projects and chapters.

Ways to raise money if you're a chapter:
- Put a PayPal button on your Chapter page and hope someone clicks on it.
Maybe get $?
- Ask the people you see on a regular basis to become OWASP members, get a
bit of $
- Ask companies where people work that you see on a regular basis to become
corporate sponsors and tag your chapter, get $$
- Run a local event, training, whatever, get $$$
- Run a regional event that is successful, get $$$$ [*]
- Run an AppSec Conference, get $$$$$$

Yes, those increasing $'s represent increasing work that the chapter must
do, but it's AVAILABLE to chapters at OWASP.

[*] BTW, if your event flops, the Foundation has your back since it
provides seed money in many cases, plus provides event insurance, staff
time...

Ways to raise money if you're a project leader:
- Sell t-shirts or stickers. Maybe get $, or use it as marketing for your
project and break even
- Put a PayPal button on your project page and hope someone clicks on it.
Maybe get $?
- Ask people you probably never see face to face to become an OWASP member,
get a bit of $
- Ask people who use your project (and maybe don't interact with OWASP
other than through your project) to become an OWASP member, get a bit of $
- Ask a company to select your project when they become an OWASP Corp
member, get $$

When are we going to have a project-run conference with the profit splits
that chapters have available to them?

For that matter, what happened to the OWASP Project tracks in our
conferences?  I went to AppSec US a few weeks ago and my talk covered 4
OWASP projects - OWASP WTE, AppSec Pipeline, ZAP and Defect Dojo - but it sure
seemed like the exception.  I've not run through the schedule, but I can only
recall one lightning talk mentioning OWASP projects.  That's sad.

My point is that there's lots of strong opportunities for Chapters to raise
funds for themselves - I don't want to see that changed.

What I want to see changed is the ability to raise funds and the level of
support provided to Projects from the Foundation.  I'd like to see that 10x
difference get down to 5x.

Look for 2017 Budget requests geared towards large increases in support
systems for our projects.  I've been running a project since 2008 and it's
lonely and hard work.  It's more than time for someone to focus a little
more OWASP Foundation love towards projects.
</aside>

Cheers!


--
-- Matt Tesauro
OWASP AppSec Pipeline Lead
https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
OWASP WTE Project Lead
https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
http://AppSecLive.org - Community and Download site


On Fri, Nov 11, 2016 at 12:27 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> Matt,
>
> I've got nothing but love for you, but turning this into a Chapters vs
> Projects debate does none of us any good.  When you take the Chapters who
> are running AppSec conferences out of the equation, the Chapters and
> Projects are basically on equal footing when it comes to budgets.
>
> $276,780 spread across 291 chapters who did not host an AppSec = $951.13
> avg/chapter
> $75,736 spread across 61 projects who did not host an AppSec = $1,241.57
> avg/project
>
> And, last year, I pushed, and got approved, a measure to ensure that
> everyone who did the bare minimum of having at least 2 leaders, got $500
> from the Foundation in their account.  I'm pushing to do that again this
> year for this very reason.  I want our Chapters and Projects to feel like
> they both have money and are empowered to spend it.
>
> There is no point in being divisive when in the end we both said the exact
> same thing.  This needs to be budgeted for 2017.
>
> ~josh
>
>
> On Fri, Nov 11, 2016 at 11:26 AM, Matt Tesauro <matt.tesauro at owasp.org>
> wrote:
>
>> I've written this email in my head about 5 times - at this point, I might
>> as well spill some digital ink and get these thoughts out of my head.
>>
>> <rant>
>>
>> 21, yeah that's right, 21 emails to request funds that represent a tiny
>> fraction of the funds that OWASP has to budget for next year.
>>
>> In 2016, OWASP budgeted $136K for project outreach. If we do the same for
>> 2017, and restrict this request to just that pool of funds, this represents
>> a mere 1.4705882% of that budget.
>>
>> 21 emails for 1.4% of a single budget category - 0.09% of the 2016 Net
>> Income for the Foundation [*
>> <https://docs.google.com/spreadsheets/d/1tCD2IDtDneI0ZzDeSBehXpaSzTantftUrp_b5YUWsVE/edit#gid=1248581809>
>> ]
>>
>> And this isn't some relatively unknown project, it's by far one of our
>> most popular and best known projects (hard to say for sure, but it's easily
>> in the top 3).  It's also crazy mature and doing what I wish all OWASP
>> projects could do - having the lead paid to make the project better while
>> bringing on many, many additional contributors, reaching out to devs, etc.
>>
>> If one of our rock star projects has to deal with a 21 email thread to
>> get $2,000 allocated in the 2017 budget something is very broken.
>>
>> I'm not going to list this as a plus when I try to recruit new projects
>> to OWASP.
>>
>> @ the donation score board (worst name ever) and unspent funds, I'd like
>> to provide a different perspective
>>
>> Total unspent chapter funds: 758,789.51
>> Total unspent project funds:  75,735.54
>>
>> So let's be realistic when we talk about unspent funds - there's *over 10
>> times*, let me say that again
>>   10 times  10 times  10 times  10 times  10 times  10 times  10 times
>>  10 times  10 times  10 times
>> the amount of unspent chapter funds vs project funds.
>>
>> If I were bleeding 10 times more from one wound over the other, guess
>> where I'd apply pressure.
>>
>> Let's look at the top 5 largest unspent budgets:
>>
>>          |      #1 |     #2 |     #3 |     #4 |     #5 | Total of 1 to 5
>> ---------+---------+--------+--------+--------+--------+----------------
>> Chapter  | 123,421 | 54,515 | 49,726 | 32,146 | 32,146 |         291,954
>> Projects |  18,972 |  8,373 |  4,939 |  4,116 |  4,000 |          40,400
>> Percent  |     15% |    15% |    10% |    13% |    12% |             14%
>> (Percent = Projects as a share of Chapter)
>>
>> More fun facts:
>> Chapters with 3 or more digits of unspent funds ($1,000+): 74
>> Projects with 3 or more digits of unspent funds ($1,000+): 13
>>
>> So, at a time where part of my job as full-time OWASP staff is to prepare
>> and budget for 2017 to try to make projects better, I think it's time I
>> become a strong and vocal advocate for Projects at OWASP.
>>
>> I think Chapters are great - I'm involved in 2 of them in Texas - but
>> Chapters don't seem to need a vocal advocate.  Plus, if you think Projects
>> are of equal importance to Chapters at OWASP, we have to seriously
>> reallocate funds in 2017 to get them on equal footing.
>>
>> So, for the Project leaders at OWASP, I'm with you and want to make
>> Projects a great home for your awesome work.  Please let me know what isn't
>> working for you and I'll do everything I can to get your interests
>> represented in the 2017 budget and beyond.
>>
>> Cheers!
>>
>> </rant>
>>
>> --
>> -- Matt Tesauro
>> OWASP AppSec Pipeline Lead
>> https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
>> OWASP WTE Project Lead
>> https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
>> http://AppSecLive.org - Community and Download site
>>
>>
>> On Fri, Nov 11, 2016 at 9:18 AM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>
>>> >>That means that the next question in my mind is does this have to
>>> happen now or can we work this into the 2017 OWASP Foundation budget?
>>>
>>> As the email title suggests, yes, it is a budget for 2017. ZAP will already
>>> be using part of their funds for their bounty, and we want to set an
>>> additional USD 2,000 for 2017 for ZAP, as well as for other projects, which
>>> have a $0 budget.
>>>
>>> We could indeed conclude that if a project has funds but has allocated
>>> them already, setting a budget for supporting Flagship projects for the
>>> bounty should be part of the support OWASP provides to top projects. To be
>>> discussed at the next meeting, hopefully.
>>>
>>> @Seba: Chapters need to come with clear plans on how they will spend
>>> their funds or support reallocation for other purposes. The fact is that
>>> Chapters hosting AppSec conferences have a great way to generate
>>> substantial funds, as opposed to projects.
>>>
>>> Cheers
>>>
>>> On Fri, Nov 11, 2016 at 3:56 PM, Seba <seba at owasp.org> wrote:
>>>
>>>> my hope is that we channel a big chunk of unused project/chapter funds
>>>> into the upcoming summit
>>>> https://www.owasp.org/index.php?title=Owasp-DevSecCon-Summit
>>>>
>>>> Seba
>>>>
>>>> On Fri, Nov 11, 2016 at 3:48 PM psiinon <psiinon at gmail.com> wrote:
>>>>
>>>>> I should point out that I completely agree with the push to make sure
>>>>> that chapters and projects actually use their funds.
>>>>> I'm planning on releasing a statement at the end of this year giving
>>>>> an overview of what we've spent ZAP project money on in 2016 and to give an
>>>>> idea of how we plan to allocate our funds for 2017.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Simon
>>>>>
>>>>> On Fri, Nov 11, 2016 at 2:38 PM, Josh Sokol <josh.sokol at owasp.org>
>>>>> wrote:
>>>>>
>>>>> Nobody is saying that Simon/ZAP has to beg for funds.  What I am
>>>>> saying is that this is currently unbudgeted money and it has to come from
>>>>> somewhere.  Right now, the pool of "empowered funds" (i.e. the ones these
>>>>> projects can spend on the mission without asking the Foundation) is their
>>>>> account balance.  If they can't or don't want to use those funds, that is
>>>>> fine, but two things need to happen:
>>>>>
>>>>> 1) There needs to be justification as to why they can't or don't want
>>>>> to use their funds.
>>>>>
>>>>> 2) The OWASP Foundation budget is supposed to be a net neutral every
>>>>> year.  That means that in order to fund this now, something else will not
>>>>> receive funds that were allocated.
>>>>>
>>>>> So, let's start over here.  Simon has now provided #1 (haven't heard
>>>>> this yet from the other projects) which sounds reasonable to me.  That
>>>>> means that the next question in my mind is does this have to happen now or
>>>>> can we work this into the 2017 OWASP Foundation budget?  If now, then
>>>>> something else has to get shorted and we need to figure out what that will
>>>>> be.  If 2017, well, we're working on those numbers now so send it to Andrew
>>>>> and we can try to make it happen.  That's not a promise that it will happen
>>>>> as I know he sent an email the other day saying that the numbers are tight,
>>>>> but we can try.
>>>>>
>>>>> ~josh
>>>>>
>>>>> On Fri, Nov 11, 2016 at 5:53 AM, johanna curiel curiel <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>
>>>>> @Simon:
>>>>> Rest assured that one of the reasons I joined the board was to change
>>>>> this.
>>>>>
>>>>> @Josh
>>>>> We cannot expect that a top project like ZAP has to go to a $0 budget to
>>>>> beg for funds. I don't think this is respectful treatment for projects of
>>>>> this caliber and category, a project that has done so much for the OWASP
>>>>> image and spreading our mission.
>>>>>
>>>>> There are other ways we can provide support that works for the
>>>>> projects own planning and financial support from OWASP without creating
>>>>> unused funds.
>>>>>
>>>>> I'll put this issue on the next OWASP board agenda
>>>>>
>>>>> Cheers
>>>>>
>>>>> Johanna
>>>>>
>>>>> On Fri, Nov 11, 2016 at 12:26 PM, psiinon <psiinon at gmail.com> wrote:
>>>>>
>>>>> Yes, we do have sufficient funds in the ZAP budget. This is why we
>>>>> are the first OWASP project to offer a bug bounty paid for from our funds.
>>>>> But these funds _are_ being used.
>>>>> We have:
>>>>>
>>>>>    - Paid a technical author to rewrite the ZAP Getting Started Guide
>>>>>    - Commissioned the same author to rewrite the ZAP alerts to make
>>>>>    them more developer friendly
>>>>>    - Set up a bounty for passive scan unit tests:
>>>>>    http://zaproxy.blogspot.co.uk/2016/08/announcing-zap-unit-test-bounties.html
>>>>>    - Reserved money for active scan unit tests
>>>>>    - Reserved over $5000 for specific changes that we are paying to
>>>>>    be developed right now
>>>>>    - Reserved $2000 for the bug bounty
>>>>>
>>>>> That means that most of our funds are allocated, and that's why I
>>>>> suggested OWASP could _contribute_ to the bug bounties in order to increase
>>>>> the amount we would be able to pay out.
>>>>>
>>>>> But OWASP (as an organisation) hasn't really helped ZAP (or other
>>>>> projects) that much historically, so why should it now?
>>>>>
>>>>> In case you hadn't noticed, I have stepped back my involvement in OWASP
>>>>> and have just been concentrating on ZAP. The lack of support for projects
>>>>> is one of the reasons why. I'll now go back to lurking.
>>>>>
>>>>> Yours disappointedly (but not surprised),
>>>>>
>>>>> Simon
>>>>>
>>>>> On Thu, Nov 10, 2016 at 8:43 PM, Josh Sokol <josh.sokol at owasp.org>
>>>>> wrote:
>>>>>
>>>>> ZAP currently has $8,373.11 in funds.  Why would the Foundation put up
>>>>> the money when ZAP has more than enough currently to cover its bounties?
>>>>>
>>>>> Java Encoder and Java Sanitizer each have $500.  Can we start with
>>>>> that and see if we need more funds after that?  Keep in mind that the $500
>>>>> was a grant from the Foundation to empower these projects to do things
>>>>> exactly like this.  Why would they not be spending it?
>>>>>
>>>>> I don't see CSRFGuard in the donation scoreboard which likely means
>>>>> that they don't have any funds.  That also likely means that they don't
>>>>> have at least two active leaders or else they would have received the $500
>>>>> stipend.
>>>>>
>>>>> ~josh
>>>>>
>>>>> On Thu, Nov 10, 2016 at 2:31 PM, johanna curiel curiel <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>
>>>>> Hi Bil
>>>>>
>>>>> >>What are the proposed bounty amounts?
>>>>> >>Who decides which bugs qualify and how much is paid?  What happens
>>>>> when the $6k runs out?
>>>>>
>>>>> That mostly depends on the type of bug. For example, the ZAP team can
>>>>> decide how much they will pay for a certain bug. Each bug can be classified
>>>>> from Low to High, with High being the most you can pay, but the amount can be
>>>>> defined by ourselves.
>>>>>
>>>>> Example
>>>>>
>>>>> Low ==> USD 50
>>>>> Medium ==> USD 100
>>>>> High ==> USD 500
>>>>>
>>>>> First come, first served. The first one to report gets the prize. Old
>>>>> bugs do not count.
>>>>>
>>>>> If we run out of budget this year we can:
>>>>> Make a new request or
>>>>> we go back to Kudos ;-P .
>>>>>
>>>>> It can also happen that no-one finds anything and the money will be
>>>>> reserved until it is.
>>>>>
>>>>> >>And to gauge the flow of funds, pretend you had been paying a
>>>>> bounty, how much would you have paid so far on the already-received bugs?
>>>>>
>>>>> Nothing, since the program at that moment was running on Kudos. The
>>>>> bug hunters receive Points that help their ranking; that was the initial
>>>>> motivation, but many do not do it just for that purpose but for financial gain.
>>>>> Cheers
>>>>>
>>>>> Johanna
>>>>>
>>>>> On Thu, Nov 10, 2016 at 5:35 PM, psiinon <psiinon at gmail.com> wrote:
>>>>>
>>>>> Oh, and I don't think that any of the previously reported bugs would
>>>>> qualify for the bounty.
>>>>>
>>>>> Simon
>>>>>
>>>>> On Thu, Nov 10, 2016 at 4:31 PM, psiinon <psiinon at gmail.com> wrote:
>>>>>
>>>>> At the moment I believe it is only ZAP that is paying any money out.
>>>>> The change to pay out money has only just been made today so we have
>>>>> not paid anything out yet.
>>>>> We will pay $1000 for (just) RCE vulnerabilities in ZAP. There are
>>>>> various exclusions as detailed on https://bugcrowd.com/owaspzap
>>>>> The final decision will be made by the ZAP team in conjunction with
>>>>> bugcrowd.
>>>>> We are planning on paying for any bounties from the ZAP project funds,
>>>>> although obviously any help from OWASP would be appreciated :)
>>>>> If we receive so many valid submissions that we run out of project
>>>>> funds then we will either need to raise more funds or change the program to
>>>>> reduce / remove the bounty.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Simon
>>>>>
>>>>> On Thu, Nov 10, 2016 at 4:07 PM, Bil Corry <bil.corry at owasp.org>
>>>>> wrote:
>>>>>
>>>>> What are the proposed bounty amounts?  Who decides which bugs qualify
>>>>> and how much is paid?  What happens when the $6k runs out?
>>>>>
>>>>> And to gauge the flow of funds, pretend you had been paying a bounty,
>>>>> how much would you have paid so far on the already-received bugs?
>>>>>
>>>>>
>>>>> - Bil
>>>>>
>>>>> On Thu, Nov 10, 2016 at 5:22 AM, johanna curiel curiel <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>
>>>>> Dear Board,
>>>>>
>>>>> So far the bug bounty has been running since May, and I believe one of the
>>>>> projects that has benefited most from this program is ZAP.
>>>>>
>>>>> Other projects which are less popular have not received many
>>>>> submissions, but still valuable feedback.
>>>>>
>>>>> So far it is clear that for bug hunters to spend time on this there
>>>>> must be a financial gain, not just kudos. ZAP has recently launched
>>>>> monetary bounties from their own project budget (USD 1000).
>>>>>
>>>>> My request is to have a budget of USD 6000 for the Bounty as support
>>>>> for projects that are working proactively on their security. ZAP is surely
>>>>> leading by example, and with this budget we can have the existing
>>>>> participating projects being challenged by this.
>>>>>
>>>>> For the budget, it will be broken down as follows:
>>>>>
>>>>>    - ZAP ==> USD 2000
>>>>>    - Java Encoder ==> USD 1000
>>>>>    - Java Sanitizer ==> USD 1000
>>>>>    - CSRFGuard ==> USD 1000
>>>>>    - Any new project that wants to participate ==> USD 1000
>>>>>
>>>>> We can discuss this during the next OWASP meeting
>>>>>
>>>>> Regards
>>>>>
>>>>> Johanna
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>
>>>>> --
>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>
>>>>> --
>>>>> Johanna Curiel
>>>>> OWASP Volunteer
>>>>
>>>
>>
>