[Owasp-board] Petition budget for OWASP Bug Bounty 2016-2017

Bil Corry bil.corry at owasp.org
Fri Nov 11 23:31:03 UTC 2016


> taking over 20 emails for such a small amount of money for such a high
performing project is just silly.

Just a clarification as to why I was asking questions - once the bug bounty
program offers a financial reward, it's now obligated to pay for valid
findings.  And while the ask to OWASP BoD for might be small ($2k), if the
bug bounty program suddenly gets 20 RCEs, it will greatly exceed the
project's budget and now who is going to pay the $20k?  It seemed prudent
to make sure this was covered.

I didn't ask about collusion because it's just a handful of projects, but
that also will be a concern once the financial bounties are expanded to
encompass more projects.  We'll need a way to detect and deter bad
behaviour.


- Bil


On Fri, Nov 11, 2016 at 2:51 PM, Matt Tesauro <matt.tesauro at owasp.org>
wrote:

> Josh we've known each other for about a decade so you know I'm not trying
> to be divisive, I'm simply stating facts right out of the Donation
> Scoreboard.  You've been a strong advocate for Chapters and that's great.
> I'm outing myself as the person who is going to advocate for projects going
> forward.
>
> And whatever the scoreboard says, taking over 20 emails for such a small
> amount of money for such a high performing project is just silly.
>
> The thing that inspired my <rant> was how hard it was for an awesome
> project that has always done the right thing to do more of the right thing.
>
>
> Take the sentence above and search & replace "project" with "chapter"
> (:1,$s/project/chapter/g) and the statement still holds true.
>
> <aside>
> Removing chapters that ran AppSec's from the scorecard isn't the issue -
> in fact its a symptom of the different treatment of project and chapters.
>
> Ways to raise money if you're a chapter:
> - Put a PayPal button on your Chapter page and hope someone clicks on it.
> Maybe get $?
> - Ask the people you see on a regular basis to become OWASP members, get a
> bit of $
> - Ask companies where people work that you see on a regular basis to
> become corporate sponsors and tag your chapter, get $$
> - Run a local event, training, whatever, get $$$
> - Run a regional event that is successful, get $$$$ [*]
> - Run an AppSec Conference, get $$$$$$
>
> Yes, those increasing $'s represent increasing work that the chapter must
> do but its AVAILABLE to chapters at OWASP.
>
> [*] BTW, if your event flops, the Foundation has your back since it
> provides seed money in many cases, plus provides event insurance, staff
> time...
>
> Ways to raise money if you're a project leader:
> - Sell t-shirt or stickers. Maybe get $ or use it as marketing for your
> project and break even
> - Put a PayPal button on your project page and hope someone clicks on it.
> Maybe get $?
> - Ask people you probably never see fact to face to become an OWASP
> member, get a bit of $
> - Ask people who use your project (and maybe don't interact with OWASP
> other then your project) to become an OWASP member, get a bit of $
> - Ask a company to select your project when they become an OWASP Corp
> member, get $$
>
> When are we going to have a project run conference with the profit splits
> that chapters have available to them?
>
> For that matter, what happened to the OWASP Project tracks in our
> conferences.  I went to AppSec US a few weeks ago and my talk covered 4
> OWASP projects - OWASP WTE, AppSec Pipeline, Zap and Defect Dojo but sure
> seemed like the exception.  I've not run though the schedule but I can only
> recall one lightning talk mentioning OWASP projects.  That's sad.
>
> My point is that there's lots of strong opportunities for Chapters to
> raise funds for themselves - I don't want to see that changed.
>
> What I want to see changed is the ability to raise funds and the level of
> support provided to Projects from the Foundation.  I'd like to see that 10x
> difference get down to 5x.
>
> Look for 2017 Budget requests geared towards large increases in support
> systems for our projects.  I've been running a project since 2008 and its
> lonely and hard work.  It's more then time for someone to focus a little
> more OWASP Foundation love towards projects.
> </aside>
>
> Cheers!
>
>
> --
> -- Matt Tesauro
> OWASP AppSec Pipeline Lead
> https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
> OWASP WTE Project Lead
> *https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
> <https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project>*
> http://AppSecLive.org <http://appseclive.org/> - Community and Download
> site
>
>
> On Fri, Nov 11, 2016 at 12:27 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> Matt,
>>
>> I've got nothing but love for you, but turning this into a Chapters vs
>> Projects debate does none of us any good.  When you take the Chapters who
>> are running AppSec conferences out of the equation, the Chapters and
>> Projects are basically on equal footing when it comes to budgets.
>>
>> $276,780 spread across 291 chapters who did not host an AppSec = $951.13
>> avg/chapter
>> $75,736 spread across 61 projects who did not host an AppSec = $1,241.57
>> avg/project
>>
>> And, last year, I pushed, and got approved, a measure to ensure that
>> everyone who did the bare minimum of having at least 2 leaders, got $500
>> from the Foundation in their account.  I'm pushing to do that again this
>> year for this very reason.  I want our Chapters and Projects to feel like
>> they both have money and are empowered to spend it.
>>
>> There is no point in being divisive when in the end we both said the
>> exact same thing.  This needs to be budgeted for 2017.
>>
>> ~josh
>>
>>
>> On Fri, Nov 11, 2016 at 11:26 AM, Matt Tesauro <matt.tesauro at owasp.org>
>> wrote:
>>
>>> I've written this email in my head about 5 times - at this point, I
>>> might as well spill some digital ink and get these thoughts out of my head.
>>>
>>> <rant>
>>>
>>> 21, yeah that's right, 21 emails to request funds that represent a tiny
>>> fraction of the funds that OWASP has to budget for next year.
>>>
>>> In 2016, OWASP budgeted $136K for project outreach. If we do the same
>>> for 2017, and restrict this request to just that pool of funds, this
>>> represents a mere 1.4705882% of that budget.
>>>
>>> 21 emails for 1.4% of a single budget category - 0.09% of the 2016 Net
>>> Income for the Foundation [*
>>> <https://docs.google.com/spreadsheets/d/1tCD2IDtDneI0ZzDeSBehXpaSzTantftUrp_b5YUWsVE/edit#gid=1248581809>
>>> ]
>>>
>>> And this isn't some relatively unknown project, its by far one of our
>>> most popular and best known projects (hard to say for sure but its easily
>>> in the top 3).  Its also crazy mature and doing what I wish all OWASP
>>> projects could do - having the lead paid to make the project better while
>>> bringing on many, many additional contributors, reaching out to devs, etc.
>>>
>>> If one of our rock star projects has to deal with a 21 email thread to
>>> get $2,000 allocated in the 2017 budget something is very broken.
>>>
>>> I'm not going to list this as a plus when I try to recruit new projects
>>> to OWASP.
>>>
>>> @ the donation score board (worst name ever) and unspent funds, I'd like
>>> to provide a different perspective
>>>
>>> Total unspent chapter funds: 758,789.51
>>> Total unspent project funds:  75,735.54
>>>
>>> So let be realistic when we talk about unspent funds - there's *over 10
>>> times*, let me say that again
>>>   10 times  10 times  10 times  10 times  10 times  10 times  10 times
>>>  10 times  10 times  10 times
>>> the amount of unspent chapter funds vs project funds.
>>>
>>> If I were bleeding 10 times more from one wound over the other, guess
>>> where I'd apply pressure.
>>>
>>> Let look at the top 5 largest unspent budgets:
>>>               #1       #2       #3       #4      #5      Total of 1 to 5
>>> ------------------------------------------------------------------
>>> Chapter  | 123,421 | 54,515 | 49,726 | 32,146 | 32,146 | 291,954 |
>>> Projects |  18,972 |  8,373 |  4,939 |  4,116 |  4,000 |  40,400 |
>>> Percent    |       15%      |       15%     |       10%    |       13%
>>>    |        12%    |       14%      |
>>> of Project vs Chapter
>>>
>>> More fun facts:
>>> Chapter with 3 or more digits of unspent funds ($1,000+): 74
>>> Projects with 3 or more digits of unspent funds ($1,000+): 13
>>>
>>> So, in a time where part my job as a full-time OWASP staff is to prepare
>>> and budget for 2017 to try to make projects better, I think it time I
>>> become a strong and vocal advocate for Projects at OWASP.
>>>
>>> I think Chapters are great - I'm involved in 2 of them in Texas - but
>>> Chapters don't seem to need a vocal advocate.  Plus, if you think Projects
>>> are of equal importance to Chapters at OWASP, we have to seriously
>>> reallocate funds in 2017 to get them on equal footing.
>>>
>>> So, for the Project leaders at OWASP, I'm with you and want to make
>>> Projects a great home for your awesome work.  Please let me know what isn't
>>> working for you and I'll do everything I can to get your interests
>>> represented in the 2017 budget and beyond.
>>>
>>> Cheers!
>>>
>>> </rant>
>>>
>>> --
>>> -- Matt Tesauro
>>> OWASP AppSec Pipeline Lead
>>> https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
>>> OWASP WTE Project Lead
>>> *https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
>>> <https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project>*
>>> http://AppSecLive.org <http://appseclive.org/> - Community and Download
>>> site
>>>
>>>
>>> On Fri, Nov 11, 2016 at 9:18 AM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>> >>That means that the next question in my mind is does this have to
>>>> happen now or can we work this into the 2017 OWASP Foundation budget?
>>>>
>>>> As the email title suggest, yes is a budget for 2017. Zap will be using
>>>> already part of their funds for their Bounty and we want to set an
>>>> additional USD2,000- for 2017 for ZAP as also for other  projects, which
>>>> have 0 budget.
>>>>
>>>> We could indeed conclude that if a project has funds but has allocated
>>>> them already, setting a budget for supporting Flagship projects for the
>>>> bounty should be part of the support OWASP provides to top projects. To be
>>>> discussed next meeting hopefully
>>>>
>>>> @Seba: Chapters need to come with clear plans on how they will spend
>>>> their funds or support relocation for other purposes. The fact is that
>>>> Chapters hosting appsec conferences have a great why to generate
>>>> substantial funds opposite to projects.
>>>>
>>>> Cheers
>>>>
>>>> On Fri, Nov 11, 2016 at 3:56 PM, Seba <seba at owasp.org> wrote:
>>>>
>>>>> my hope is that we channel a big chunk of unused project/chapter funds
>>>>> into the upcoming summit
>>>>> https://www.owasp.org/index.php?title=Owasp-DevSecCon-Summit
>>>>>
>>>>> Seba
>>>>>
>>>>> On Fri, Nov 11, 2016 at 3:48 PM psiinon <psiinon at gmail.com> wrote:
>>>>>
>>>>>> I should point out that I completely agree with the push to make sure
>>>>>> that chapters and projects actually use their funds.
>>>>>> I'm planning on releasing a statement at the end of this year giving
>>>>>> an overview of what we've spent ZAP project money on in 2016 and to give an
>>>>>> idea of how we plan to allocate our funds for 2017.
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Simon
>>>>>>
>>>>>> On Fri, Nov 11, 2016 at 2:38 PM, Josh Sokol <josh.sokol at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>> Nobody is saying that Simon/ZAP has to beg for funds.  What I am
>>>>>> saying is that this is currently unbudgeted money and it has to come from
>>>>>> somewhere.  Right now, the pool of "empowered funds" (ie. the ones these
>>>>>> projects can spend on the mission without asking the Foundation) is their
>>>>>> account balance.  If they can't or don't want to use those funds, that is
>>>>>> fine, but two things need to happen:
>>>>>>
>>>>>> 1) There needs to be justification as to why they can't or don't want
>>>>>> to use their funds.
>>>>>>
>>>>>> 2) The OWASP Foundation budget is supposed to be a net neutral every
>>>>>> year.  That means that in order to fund this now, something else will not
>>>>>> receive funds that were allocated.
>>>>>>
>>>>>> So, let's start over here.  Simon has now provided #1 (haven't heard
>>>>>> this yet from the other projects) which sounds reasonable to me.  That
>>>>>> means that the next question in my mind is does this have to happen now or
>>>>>> can we work this into the 2017 OWASP Foundation budget?  If now, then
>>>>>> something else has to get shorted and we need to figure out what that will
>>>>>> be.  If 2017, well, we're working on those numbers now so send it to Andrew
>>>>>> and we can try to make it happen.  That's not a promise that it will happen
>>>>>> as I know he sent an email the other day saying that the numbers are tight,
>>>>>> but we can try.
>>>>>>
>>>>>> ~josh
>>>>>>
>>>>>> On Fri, Nov 11, 2016 at 5:53 AM, johanna curiel curiel <
>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>> @Simon:
>>>>>> Rest assure that one of the reasons I joined the board was to change
>>>>>> this
>>>>>>
>>>>>> @Josh
>>>>>> We cannot expect that top project like ZAP has to go into $0 budget
>>>>>> to beg for funds. I don't think this is a respectful treatment for projects
>>>>>> of this caliber and category, A project that has done so much for the OWASP
>>>>>> image and spreading our mission.
>>>>>>
>>>>>> There are other ways we can provide support that works for the
>>>>>> projects own planning and financial support from OWASP without creating
>>>>>> unused funds.
>>>>>>
>>>>>> I'll put this issue on the next OWASP board agenda
>>>>>>
>>>>>> Cheers
>>>>>>
>>>>>> Johanna
>>>>>>
>>>>>> On Fri, Nov 11, 2016 at 12:26 PM, psiinon <psiinon at gmail.com> wrote:
>>>>>>
>>>>>> Yes, we do have sufficient fiunds in the ZAP budget. This is why we
>>>>>> are the first OWASP project to offer a bug bounty paid for from our funds.
>>>>>> But these funds _are_ being used.
>>>>>> We have:
>>>>>>
>>>>>>    - Paid a technical auther to rewrite the ZAP Getting Started Guide
>>>>>>    - Commissioned the same author to rewrite the ZAP alerts to make
>>>>>>    them more developer friendly
>>>>>>    - Set up a bounty for passive scan unit tests:
>>>>>>    http://zaproxy.blogspot.co.uk/2016/08/announcing-zap-unit-te
>>>>>>    st-bounties.html
>>>>>>    <http://zaproxy.blogspot.co.uk/2016/08/announcing-zap-unit-test-bounties.html>
>>>>>>    - Reserved money for active scan unit tests
>>>>>>    - Reserved over $5000 for specific changes that we are paying to
>>>>>>    be developed right now
>>>>>>    - Reservered $2000 for the bug bounty
>>>>>>
>>>>>> That means that most of our funds are allocated, and thats why I
>>>>>> suggested OWASP could _contribute_ to the bug bounties in order to increase
>>>>>> the amount would be able to pay out.
>>>>>>
>>>>>> But OWASP (as an organisation) hasnt really helped ZAP (or other
>>>>>> projects) that much historically, so why should it now?
>>>>>>
>>>>>> In case you hadnt noticed I have stepped back my involvement in OWASP
>>>>>> and have just been concentrating on ZAP. The lack of support for projects
>>>>>> is one of the reasons why. I'll now go back to lurking.
>>>>>>
>>>>>> Yours disappointedly (but not surprised),
>>>>>>
>>>>>> Simon
>>>>>>
>>>>>> On Thu, Nov 10, 2016 at 8:43 PM, Josh Sokol <josh.sokol at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>> ZAP currently has $8,373.11 in funds.  Why would the Foundation put
>>>>>> up the money when ZAP has more than enough currently to cover its bounties?
>>>>>>
>>>>>> Java Encoder and Java Sanitizer each have $500.  Can we start with
>>>>>> that and see if we need more funds after that?  Keep in mind that the $500
>>>>>> was a grant from the Foundation to empower these projects to do things
>>>>>> exactly like this.  Why would they not be spending it?
>>>>>>
>>>>>> I don't see CSRFGuard in the donation scoreboard which likely means
>>>>>> that they don't have any funds.  That also likely means that they don't
>>>>>> have at least two active leaders or else they would have received the $500
>>>>>> stipend.
>>>>>>
>>>>>> ~josh
>>>>>>
>>>>>> On Thu, Nov 10, 2016 at 2:31 PM, johanna curiel curiel <
>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>> Hi Bil
>>>>>>
>>>>>> >>What are the proposed bounty amounts?
>>>>>> >>Who decides which bugs qualify and how much is paid?  What happens
>>>>>> when the $6k runs out?
>>>>>>
>>>>>> That mostly depends on the type of Bug. For example ZAP team can
>>>>>> decide how much they will pay for a certain bug. Each bug can be classified
>>>>>> from low to High, being high the highest you can pay, but the amount can be
>>>>>> defined by ourselves
>>>>>>
>>>>>> Example
>>>>>>
>>>>>> Low ==>USD50
>>>>>> medium==> USD 100
>>>>>> High==> USD 500
>>>>>>
>>>>>> First come first served. The first one to report gets the prize.Old
>>>>>> bugs do not count.
>>>>>>
>>>>>> If we run out of budget this year we can:
>>>>>> Make a new request or
>>>>>> we go back to Kudos ;-P .
>>>>>>
>>>>>> It can also happen that no-one finds anything and the money will be
>>>>>> reserved until it is.
>>>>>>
>>>>>> >>And to gauge the flow of funds, pretend you had been paying a
>>>>>> bounty, how much would you have paid so far on the already-received bugs?
>>>>>>
>>>>>> Nothing, since the program at that moment was running on Kudos. The
>>>>>> bug hunters receive Points that help their ranking, that was the initial
>>>>>> motivation but many do not just do it for these purpose but financially.
>>>>>> Cheers
>>>>>>
>>>>>> Johanna
>>>>>>
>>>>>> On Thu, Nov 10, 2016 at 5:35 PM, psiinon <psiinon at gmail.com> wrote:
>>>>>>
>>>>>> Oh, and I dont think that any of the previously reported bugs would
>>>>>> qualify for the bounty.
>>>>>>
>>>>>> Simon
>>>>>>
>>>>>> On Thu, Nov 10, 2016 at 4:31 PM, psiinon <psiinon at gmail.com> wrote:
>>>>>>
>>>>>> At the moment I believe it is only ZAP that is paying any money out.
>>>>>> The change to pay out money has only just been made today so we have
>>>>>> not paid anything out yet.
>>>>>> We will pay $1000 for (just) RCE vulnerabilities in ZAP. There are
>>>>>> various exclusions as detailed on https://bugcrowd.com/owaspzap
>>>>>> The final decision will be made by the ZAP team in conjunction with
>>>>>> bugcrowd.
>>>>>> We are planning on paying for any bounties from the ZAP project
>>>>>> funds, although obviously any help from OWASP would be appreciated :)
>>>>>> If we receive so many valid submissions that we run out of project
>>>>>> funds then we will either need to raise more funds or change the program to
>>>>>> reduce / remove the bounty.
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Simon
>>>>>>
>>>>>> On Thu, Nov 10, 2016 at 4:07 PM, Bil Corry <bil.corry at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>> What are the proposed bounty amounts?  Who decides which bugs qualify
>>>>>> and how much is paid?  What happens when the $6k runs out?
>>>>>>
>>>>>> And to gauge the flow of funds, pretend you had been paying a bounty,
>>>>>> how much would you have paid so far on the already-received bugs?
>>>>>>
>>>>>>
>>>>>> - Bil
>>>>>>
>>>>>> On Thu, Nov 10, 2016 at 5:22 AM, johanna curiel curiel <
>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>
>>>>>> Dear Board,
>>>>>>
>>>>>> So far the bug bounty is running since May , and I believe one of the
>>>>>> projects that have benefit most from this program is ZAP.
>>>>>>
>>>>>> Others projects which are less popular have not received many
>>>>>> submissions, still valuable feedback.
>>>>>>
>>>>>> So far it is clear that for bug hunters to spent time on this there
>>>>>> must be a financial gain, not just kudos. Zap has recently launched
>>>>>> monetary bounties from their own project budget (USD 1000).
>>>>>>
>>>>>> My request is to have a Budget of USD 6000 for the Bounty as a
>>>>>> support for projects that are working proactively in their security. ZAP is
>>>>>> sure leading by example and with this budget, we can have the existing
>>>>>> participating projects   being challenged by this
>>>>>>
>>>>>> For the budget , it will be break down as follows
>>>>>>
>>>>>>    - ZAP==>USD 2000
>>>>>>    - Java Encoder==>USD1000
>>>>>>    - Java Sanitizer==> USD 1000
>>>>>>    - CRSFGuard==>USD 1000
>>>>>>    - Any new project that wants to participate==>USD 1000
>>>>>>
>>>>>> We can discuss this during the next OWASP meeting
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Johanna
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Owasp-board mailing list
>>>>>> Owasp-board at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Owasp-board mailing list
>>>>>> Owasp-board at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Johanna Curiel
>>>>>> OWASP Volunteer
>>>>>>
>>>>>> _______________________________________________
>>>>>> Owasp-board mailing list
>>>>>> Owasp-board at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Johanna Curiel
>>>>>> OWASP Volunteer
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>> _______________________________________________
>>>>>> Owasp-board mailing list
>>>>>> Owasp-board at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Johanna Curiel
>>>> OWASP Volunteer
>>>>
>>>> _______________________________________________
>>>> Owasp-board mailing list
>>>> Owasp-board at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>
>>>>
>>>
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>
>>>
>>
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20161111/c824b060/attachment-0001.html>


More information about the Owasp-board mailing list