<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    >  If we're saying that this is a "pilot" in order to figure out
    if crowd-sourced testing would find issues, I don't think we need a
    pilot for that.  The industry says that it works, but the number of
    submissions is high and companies need a well-defined process (and
    people) to handle them.  <br>
    <br>
    Josh, we are suggesting a very different program. This is not a
    "high volume bounty program" like a traditional bug bounty program.
    This is targeted to a small number of specific issues that we want
    researchers hunting for in a small number of defensive libraries.<br>
    <br>
    - Jim<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 11/24/15 5:59 AM, Josh Sokol wrote:<br>
    </div>
    <blockquote
cite="mid:CAFwvDewjtBGDU5AyqXqv1sNMAy8ahg7D_JtmLbqcXm+U1kDvGg@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>A "pilot" means that you are testing something on a smaller
          scale to see if it works at a larger scale.  If you are asking
          for funds for CSRFGuard to check if crypto was implemented
          properly, and have agreement from the project leaders to fix
          any findings, then that sounds like money well spent, but it
          is not a "pilot" because the rules of engagement do not
          scale.  <br>
          <br>
          If we're saying that this is a "pilot" in order to figure out
          if crowd-sourced testing would find issues, I don't think we
          need a pilot for that.  The industry says that it works, but
          the number of submissions is high and companies need a
          well-defined process (and people) to handle them.  <br>
          <br>
          If we're saying that this is a "pilot" to see if we can do bug
          bounties on OWASP projects, then I want to see a higher
          standard for the pilot similar to what I would want from a
          larger execution.  The projects need to show a commitment to
          fixing the easy bugs before we pay to find and/or fix the hard
          ones.  Maybe this makes us "scanner jockeys", Jim, but it also
          provides a base level of security diligence.  Sure, a human
          and a scanner can both effectively find XSS vulnerabilities,
          but I'd take a scanner over a human for that any day because
          it can do the same work in fractions of the time.  <br>
          <br>
          All I'm asking for is that the project shows some basic
          vulnerability validation with simple tools and a commitment to
          fix the discovered issues before we authorize a bounty beyond
          that.  I don't think that's too much to ask for.  My
          recommendation is to revise this proposal for CSRFGuard to be
          a scoped engagement to test its crypto and nothing more.  For
          any of this "pilot" talk, I would want to see a better plan
          behind it that includes adherence to security basics, before I
          would vote for it.<br>
          <br>
        </div>
        ~josh<br>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Mon, Nov 23, 2015 at 6:45 PM,
          johanna curiel curiel <span dir="ltr"><<a
              moz-do-not-send="true"
              href="mailto:johanna.curiel@owasp.org" target="_blank">johanna.curiel@owasp.org</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">Matt , Josh
              <div><br>
              </div>
              <div>I just want to remind that this is a pilot and at the
                same time it can help us check the actual issues with
                the libraries</div>
              <div>I think you do not need to agree to invest in 3
                projects; 1, such as CSRF Guard, will be ok.</div>
              <div><br>
              </div>
              <div>It is narrow, it has a very defined scope and it will
                only be for specific issues found.</div>
              <div><br>
              </div>
              <div>The purpose is to verify the actual situation of the
                libraries that participate, and I don't think these
                efforts will be wasted; on the contrary.</div>
              <div><br>
              </div>
              <div>Again, doing security scans with SWAMP tools does not
                verify the functional security part of the library, as
                these AST/DAST tools only find bugs in code, with a lot
                of false positives.</div>
              <div><br>
              </div>
              <div>I'm attaching the scans and reports we did on
                CSRFGuard and the scan done by Azzedine using Checkmarx
                last year, and I think CSRFGuard will benefit quite a lot
                from a Bounty source program, and also OWASP, to verify
                that its flagship tools are the best they can be.</div>
              <div><br>
              </div>
              <div>Regards</div>
              <span class="HOEnZb"><font color="#888888">
                  <div><br>
                  </div>
                  <div>Johanna</div>
                </font></span></div>
            <div class="HOEnZb">
              <div class="h5">
                <div class="gmail_extra"><br>
                  <div class="gmail_quote">On Mon, Nov 23, 2015 at 7:19
                    PM, Jim Manico <span dir="ltr"><<a
                        moz-do-not-send="true"
                        href="mailto:jim.manico@owasp.org"
                        target="_blank">jim.manico@owasp.org</a>></span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div dir="auto">
                        <div>Matt,</div>
                        <div><br>
                        </div>
                        <div>I just want to say, one more time, that you,
                          Josh and Michael have expressed big concerns
                          about an open bounty program. I agree with all
                          of your concerns. It would be a huge waste to
                          do such a thing.</div>
                        <div><br>
                        </div>
                        <div>Thanks very kindly for reconsidering this
                          in the context of a "narrowly scoped bounty
                          program".</div>
                        <span>
                          <div><br>
                          </div>
                          <div>Aloha,<br>
                            <div>--</div>
                            <div>Jim Manico</div>
                            <div>
                              <div>
                                <div style="word-wrap:break-word">
                                  <div><span
                                      style="background-color:rgba(255,255,255,0)">Global
                                      Board Member</span></div>
                                  <span
                                    style="background-color:rgba(255,255,255,0)">OWASP
                                    Foundation</span>
                                  <div><a moz-do-not-send="true"
                                      href="https://www.owasp.org/"
                                      style="background-color:rgba(255,255,255,0)"
                                      target="_blank"><font
                                        color="#000000">https://www.owasp.org</font></a></div>
                                </div>
                              </div>
                              <div><span
                                  style="background-color:rgba(255,255,255,0)">Join
                                  me in Rome for AppSecEU 2016!</span></div>
                            </div>
                          </div>
                        </span>
                        <div>
                          <div>
                            <div><br>
                              On Nov 24, 2015, at 1:15 AM, Matt Konda
                              <<a moz-do-not-send="true"
                                href="mailto:matt.konda@owasp.org"
                                target="_blank">matt.konda@owasp.org</a>>
                              wrote:<br>
                              <br>
                            </div>
                            <blockquote type="cite">
                              <div>
                                <div dir="ltr">Jim,
                                  <div><br>
                                  </div>
                                  <div>I have read the doc.  It wasn't
                                    at all clear to me what the full
                                    scope of the bounties would be, I
                                    thought those were just a few
                                    examples.</div>
                                  <div><br>
                                  </div>
                                  <div>I'll stew on it some more ... </div>
                                  <div><br>
                                  </div>
                                  <div>Matt<br>
                                  </div>
                                  <div><br>
                                  </div>
                                </div>
                                <div class="gmail_extra"><br>
                                  <div class="gmail_quote">On Mon, Nov
                                    23, 2015 at 4:42 PM, Jim Manico <span
                                      dir="ltr"><<a
                                        moz-do-not-send="true"
                                        href="mailto:jim.manico@owasp.org"
                                        target="_blank">jim.manico@owasp.org</a>></span>
                                    wrote:<br>
                                    <blockquote class="gmail_quote"
                                      style="margin:0 0 0
                                      .8ex;border-left:1px #ccc
                                      solid;padding-left:1ex">
                                      <div dir="auto"><span>
                                          <div>> <span
                                              style="background-color:rgba(255,255,255,0)">Otherwise,
                                              you end up paying bounties
                                              for things that are really
                                              easy to find and look bad
                                              along the way. </span></div>
                                          <div><br>
                                          </div>
                                        </span>
                                        <div>Fair comments, Matt.</div>
                                        <div><br>
                                        </div>
                                        <div>Please read Johanna's doc.
                                          The various bounties I'm
                                          suggesting are very narrowly
                                          focused and scoped.</div>
                                        <div><br>
                                        </div>
                                        <div>I agree with your comments
                                          if we were to conduct an "open
                                          bounty" but that is not what
                                          is being scoped.</div>
                                        <div><br>
                                        </div>
                                        <div>For example, I suggest for
                                          CSRF Guard we bounty:</div>
                                        <div>1) Is the token generation
                                          weak crypto (predictable, etc.)?</div>
                                        <div>2) Is the server-side token
                                          verifier not properly
                                          verifying an active and
                                          properly configured endpoint?</div>
                                        <div><br>
                                        </div>
                                        <div>etc.</div>
                                        <div><br>
                                        </div>
                                        <div>By working together with
                                          project owners and security
                                          leaders, we should be able to
                                          define very clear rules of
                                          play so our financial
                                          expenditures on these issues
                                          are clear and useful.</div>
                                        <span>
                                          <div><br>
                                            <div>--</div>
                                            <div>Jim Manico</div>
                                            <div>
                                              <div>
                                                <div
                                                  style="word-wrap:break-word">
                                                  <div><span
                                                      style="background-color:rgba(255,255,255,0)">Global
                                                      Board Member</span></div>
                                                  <span
                                                    style="background-color:rgba(255,255,255,0)">OWASP
                                                    Foundation</span>
                                                  <div><a
                                                      moz-do-not-send="true"
href="https://www.owasp.org/"
                                                      style="background-color:rgba(255,255,255,0)"
                                                      target="_blank"><font
                                                        color="#000000">https://www.owasp.org</font></a></div>
                                                </div>
                                              </div>
                                              <div><span
                                                  style="background-color:rgba(255,255,255,0)">Join
                                                  me in Rome for
                                                  AppSecEU 2016!</span></div>
                                            </div>
                                          </div>
                                        </span>
                                        <div>
                                          <div>
                                            <div><br>
                                              On Nov 23, 2015, at 5:44
                                              PM, Matt Konda <<a
                                                moz-do-not-send="true"
                                                href="mailto:matt.konda@owasp.org"
                                                target="_blank">matt.konda@owasp.org</a>>
                                              wrote:<br>
                                              <br>
                                            </div>
                                            <blockquote type="cite">
                                              <div>
                                                <div dir="ltr">I have
                                                  also run bounty
                                                  programs and I would
                                                  take what Michael said
                                                  and go a bit further.
                                                  <div>
                                                    <div><br>
                                                    </div>
                                                    <div>I am skeptical
                                                      of this approach
                                                      for OWASP at this
                                                      time.  Generally,
                                                      I support bounty
                                                      programs when an
                                                      organization or
                                                      project is <u>mature</u>
                                                      and basic controls
                                                      have already been
                                                      applied.  This
                                                      implies that tools
                                                      have been run,
                                                      code has been
                                                      reviewed and there
                                                      are things in the
                                                      SDLC that allow
                                                      you to respond in
                                                      a controlled
                                                      manner (e.g.
                                                      regular releases,
                                                      resources
                                                      available for
                                                      quick response and
                                                      a solid bug triage
                                                      process).</div>
                                                    <div><br>
                                                    </div>
                                                    <div>Otherwise, you
                                                      end up paying
                                                      bounties for
                                                      things that are
                                                      really easy to
                                                      find and look bad
                                                      along the way. 
                                                      Also, we'll spend
                                                      a lot of time
                                                      dealing with
                                                      communications and
                                                      researchers who
                                                      are only sometimes
                                                      good to work
                                                      with.  I believe
                                                      that if we spent
                                                      the time (and
                                                      money) on the
                                                      project controls
                                                      instead of
                                                      communicating with
                                                      researchers, we
                                                      would likely have
                                                      better initial
                                                      results.</div>
                                                    <div><br>
                                                    </div>
                                                    <div>I don't have
                                                      access to edit or
                                                      comment upon the
                                                      doc, but I would
                                                      definitely push
                                                      for: </div>
                                                    <div>
                                                      <ul>
                                                        <li>Limits on
                                                          scanner
                                                          findings</li>
                                                        <li>Limits on
                                                          DoS category
                                                          findings</li>
                                                      </ul>
                                                    </div>
                                                    <div>In summary, I
                                                      think there are
                                                      alternative
                                                      approaches that we
                                                      should take on
                                                      before doing a
                                                      bounty program -
                                                      including
                                                      systematically
                                                      engaging with
                                                      volunteers to do
                                                      security audits,
                                                      engaging with
                                                      vendors to get
                                                      their feedback,
                                                      and building
                                                      security
                                                      checkpoints into
                                                      the project
                                                      maturity process.</div>
                                                    <div><br>
                                                    </div>
                                                    <div>I applaud the
                                                      general goal and
                                                      aspiration of
                                                      ensuring rigorous
                                                      security in our
                                                      projects.</div>
                                                    <div><br>
                                                    </div>
                                                    <div>Matt</div>
                                                    <div><br>
                                                    </div>
                                                  </div>
                                                </div>
                                                <div class="gmail_extra"><br>
                                                  <div
                                                    class="gmail_quote">On
                                                    Mon, Nov 23, 2015 at
                                                    7:15 AM, johanna
                                                    curiel curiel <span
                                                      dir="ltr"><<a
                                                        moz-do-not-send="true"
href="mailto:johanna.curiel@owasp.org" target="_blank">johanna.curiel@owasp.org</a>></span>
                                                    wrote:<br>
                                                    <blockquote
                                                      class="gmail_quote"
                                                      style="margin:0 0
                                                      0
                                                      .8ex;border-left:1px
                                                      #ccc
                                                      solid;padding-left:1ex">
                                                      <div dir="ltr">Hi
                                                        All,
                                                        <div><br>
                                                        </div>
                                                        <div>The idea is
                                                          to finalise
                                                          working out
                                                          the scope items
                                                          for each
                                                          project. As
                                                          mentioned in
                                                          the proposal,
                                                          I think it is a
                                                          good idea to
                                                          take 3
                                                          projects
                                                          (Flagship, Lab, Incubator)
                                                          and work
                                                          through a
                                                          series of
                                                          items for each
                                                          one.</div>
                                                        <div><br>
                                                        </div>
                                                        <div>From Jim's
                                                          experience in
                                                          defender
                                                          libraries, we
                                                          can help
                                                          define clear
                                                          scopes, and
                                                          with the
                                                          project
                                                          leaders' input
                                                          also, we need
                                                          to define the
                                                          most important
                                                          issues that
                                                          would make the
                                                          libraries weak
                                                          on protection.</div>
                                                        <div><br>
                                                        </div>
                                                        <div>A set of
                                                          steps here:</div>
                                                        <div>
                                                          <ul>
                                                          <li>Finalise
                                                          the items
                                                          within the
                                                          scope for each
                                                          project part
                                                          of the pilot<br>
                                                          </li>
                                                          <li>Touch
                                                          base with the
                                                          project
                                                          leaders
                                                          regarding
                                                          their
                                                          availability
                                                          for feedback</li>
                                                          <li>Deploy a
                                                          couple of
                                                          websites
                                                          (simple ones)
                                                          that have the
libraries configured<br>
                                                          </li>
                                                          <li>Deploy on
                                                          a VM server
                                                          and host a
                                                          couple of
                                                          domains for
                                                          them for the
                                                          researchers to
                                                          test, for example:</li>
                                                          <ul>
                                                          <li><a
                                                          moz-do-not-send="true"
href="http://crsfguard.owasp.org" target="_blank">crsfguard.owasp.org</a></li>
                                                          <li><a
                                                          moz-do-not-send="true"
href="http://xxxx.owasp.org" target="_blank">xxxx.owasp.org</a></li>
                                                          </ul>
                                                          <li>Set up and
                                                          configure an
                                                          account on <a
moz-do-not-send="true" href="http://hackerone.com" target="_blank">hackerone.com</a></li>
                                                          <li>Set up and
                                                          configure an
                                                          account on <a
                                                          moz-do-not-send="true"
href="http://bountysource.com" target="_blank">bountysource.com</a></li>
                                                          </ul>
                                                          <div><br>
                                                          </div>
                                                        </div>
<div>From there on it is management of the process, as researchers will submit issues and we need to re-test them and validate them for this part</div>
                                                        <div>
                                                          <ul>
<li>Researcher submits issue<br>
</li>
<li>Retest and verify the severity (Jim, me, project leader)<br>
</li>
<li>Feedback with Jim and project leaders regarding the severity of the issue. All reports are available in HackerOne as a hacker/researcher submits the issue; if possible, more people should retest to confirm the bug</li>
<li>Determine together if indeed a bug has been confirmed (Jim, the project leader and me)<br>
</li>
<li>Once confirmed, log the bug in the project's GitHub</li>
<li>Make the payment to the researcher with approval of 3 members (Jim, the project leader and me)<br>
</li>
<li>Publicise the bug issue through the wiki project page and the GitHub issues section, and eventually, if it is high risk, the leader will have to set a warning on its GitHub repository</li>
<li>Project leader must provide feedback on his availability, with the project's volunteers, on fixing the issue</li>
<li>If this is not fixable or too complex for the leader to fix, we attempt a <a moz-do-not-send="true" href="http://bountysource.com" target="_blank">bountysource.com</a> fix</li>
<li>If someone fixes the issue through <a moz-do-not-send="true" href="http://bountysource.com" target="_blank">bountysource.com</a>, it must be retested and confirmed</li>
<li>Can run again in HackerOne to verify that specific bug fix after deployment (payment amount to be determined)</li>
<li>The fix must be merged into the master branch of the repository and incorporated into a new release</li>
<li>The project is updated with the fix</li>
                                                          </ul>
<div><i><br>
</i></div>
<div><i>Conditions for the participating OWASP project:</i></div>
                                                        </div>
<div>Must have an active leader we can exchange feedback with regarding the issues found. I think this is essential for the completeness of the project's definition of bugs and later fixes</div>
                                                        <div><br>
                                                        </div>
<div>These are just some draft steps that are part of the proposal and process; if you have any advice regarding this, please let us know</div>
                                                        <div><br>
                                                        </div>
                                                        <div>regards</div>
                                                        <span><font
                                                          color="#888888">
                                                          <div><br>
                                                          </div>
                                                          <div>Johanna</div>
                                                          <div><br>
                                                          </div>
                                                          </font></span></div>
                                                      <div>
                                                        <div>
                                                          <div
                                                          class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Nov 23, 2015 at 3:48 AM, Jim Manico <span dir="ltr"><<a moz-do-not-send="true" href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span> wrote:<br>
                                                          <blockquote
                                                          class="gmail_quote"
                                                          style="margin:0
                                                          0 0
                                                          .8ex;border-left:1px
                                                          #ccc
                                                          solid;padding-left:1ex">
                                                          <div
                                                          dir="auto">
                                                          <div>Thanks
                                                          Michael and
                                                          Josh for your
                                                          astute
                                                          feedback.
                                                          Johanna
                                                          already has a
                                                          decent
                                                          proposal on
                                                          the block and
                                                          I've provided
                                                          several edits
                                                          and issues to
                                                          consider.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>If you
                                                          have time,
                                                          would love to
                                                          have you both
                                                          mark up the
                                                          doc directly
                                                          with your
                                                          comments and
                                                          thoughts. :)</div>
                                                          <div><br>
                                                          </div>
                                                          <div>Thanks
                                                          and Aloha,</div>
                                                          <span>
                                                          <div>
                                                          <div>--</div>
                                                          <div>Jim
                                                          Manico</div>
                                                          <div>
                                                          <div>
                                                          <div
                                                          style="word-wrap:break-word">
                                                          <div><span
                                                          style="background-color:rgba(255,255,255,0)">Global
                                                          Board Member</span></div>
                                                          <span
                                                          style="background-color:rgba(255,255,255,0)">OWASP
                                                          Foundation</span>
<div><a moz-do-not-send="true" href="https://www.owasp.org/" style="background-color:rgba(255,255,255,0)" target="_blank"><font color="#000000">https://www.owasp.org</font></a></div>
                                                          </div>
                                                          </div>
                                                          <div><span
                                                          style="background-color:rgba(255,255,255,0)">Join
                                                          me in Rome for
                                                          AppSecEU 2016!</span></div>
                                                          </div>
                                                          </div>
                                                          </span>
                                                          <div>
                                                          <div>
                                                          <div><br>
On Nov 23, 2015, at 1:42 AM, Michael Coates <<a moz-do-not-send="true" href="mailto:michael.coates@owasp.org" target="_blank">michael.coates@owasp.org</a>> wrote:<br>
                                                          <br>
                                                          </div>
                                                          <blockquote
                                                          type="cite">
<div>Awesome stuff. I've run teams on the receiving end of bug bounties at both Mozilla and Twitter. Happy to provide any feedback if helpful. Key items are good and fast responses to researchers and actually closing valid issues in a timely manner. If we can't commit to those items we'd want to reconsider our approach. <br>
                                                          <br>
On Sunday, November 22, 2015, Jim Manico <<a moz-do-not-send="true" href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>> wrote:<br>
                                                          <blockquote
                                                          class="gmail_quote"
                                                          style="margin:0
                                                          0 0
                                                          .8ex;border-left:1px
                                                          #ccc
                                                          solid;padding-left:1ex">
                                                          <div
                                                          dir="auto">
                                                          <div>We're
                                                          working on a
                                                          proposal and
                                                          plan right
                                                          now. More
                                                          soon.<br>
                                                          <br>
                                                          <div>--</div>
                                                          <div>Jim
                                                          Manico</div>
                                                          <div>
                                                          <div>
                                                          <div
                                                          style="word-wrap:break-word">
                                                          <div><span
                                                          style="background-color:rgba(255,255,255,0)">Global
                                                          Board Member</span></div>
                                                          <span
                                                          style="background-color:rgba(255,255,255,0)">OWASP
                                                          Foundation</span>
<div><a moz-do-not-send="true" href="https://www.owasp.org/" style="background-color:rgba(255,255,255,0)" target="_blank"><font color="#000000">https://www.owasp.org</font></a></div>
                                                          </div>
                                                          </div>
                                                          <div><span
                                                          style="background-color:rgba(255,255,255,0)">Join
                                                          me in Rome for
                                                          AppSecEU 2016!</span></div>
                                                          </div>
                                                          </div>
                                                          <div><br>
On Nov 22, 2015, at 12:57 PM, Josh Sokol <<a moz-do-not-send="true" href="mailto:josh.sokol@owasp.org">josh.sokol@owasp.org</a>> wrote:<br>
                                                          <br>
                                                          </div>
                                                          <blockquote
                                                          type="cite">
                                                          <div>
                                                          <div dir="ltr">I
                                                          like the
                                                          concept, but
                                                          have some
                                                          questions
                                                          before the
                                                          Board were to
                                                          approve
                                                          something like
                                                          this:<br>
                                                          <ol>
                                                          <li>Is there
                                                          an actual
                                                          proposal to
                                                          fund a Bug
                                                          Bounty?  If
                                                          so, what is
                                                          the dollar
                                                          amount that
                                                          the Board
                                                          would be
                                                          authorizing
                                                          here?</li>
                                                          <li>A bug
                                                          bounty program
                                                          is more than
                                                          just a dollar
                                                          amount, it's a
                                                          process.  Have
                                                          we created a
                                                          process for
                                                          handling any
                                                          submissions
                                                          that come in
                                                          for bugs?</li>
                                                          <li>Once you
                                                          have a
                                                          submission,
                                                          are we just
                                                          throwing it in
                                                          a database
                                                          somewhere or
                                                          is there an
                                                          expectation
                                                          that someone
                                                          will fix it? 
                                                          Who is
                                                          responsible
                                                          for that?<br>
                                                          </li>
                                                          <li>If the
                                                          answer to #3
                                                          is the project
                                                          team, then
                                                          what happens
                                                          if they do not
                                                          fix it in a
                                                          timely
                                                          manner?  Is
                                                          the project
                                                          demoted?  If
                                                          the bug is
                                                          serious
                                                          enough, do we
                                                          halt all
                                                          downloads of
                                                          the project
                                                          until it is
                                                          fixed?  Do we
                                                          attempt to
                                                          warn users?</li>
                                                          </ol>
                                                           <p>In short, I think it's great to say "We want a bug bounty program like HackerOne", but there are way more details that need to be hashed out here.  I recommend putting together a team to assess how this would work as part of an actual process for OWASP.  I wouldn't be comfortable authorizing any funds until I had that information.</p>
                                                          <p>~josh<br>
                                                          </p>
                                                          </div>
                                                           <div class="gmail_extra"><br>
                                                           <div class="gmail_quote">On Sun, Nov 22, 2015 at 12:12 AM, johanna curiel curiel <span dir="ltr"><<a moz-do-not-send="true"><a class="moz-txt-link-abbreviated" href="mailto:johanna.curiel@owasp.org">johanna.curiel@owasp.org</a></a>></span> wrote:<br>
                                                           <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">To run a program like HackerOne we will need to verify the bugs found.
                                                           <div>We could start with a pilot for the CSRFGuard and Dependency Check projects.</div>
                                                           <div>I volunteer to manage the program for these projects.</div>
                                                           <div>I can set a plan to determine the scope of the program with the project leaders and make sure we verify the veracity of the reported bugs.</div>
                                                           <div><br>
                                                           </div>
                                                           <div>What does the board need from me in order to approve my proposal?
                                                          <div>
                                                          <div><br>
                                                          <br>
                                                           On Saturday, November 21, 2015, Michael Coates <<a moz-do-not-send="true"><a class="moz-txt-link-abbreviated" href="mailto:michael.coates@owasp.org">michael.coates@owasp.org</a></a>> wrote:<br>
                                                           <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                           <div dir="ltr">"<span style="font-size:12.8px">I would say that for the existing Flagship & LABS (libraries or code) we should run a program through HackerOne or Bugbounty. (Of course insecure applications such as WebGoat are out of scope ;-))"</span>
                                                           <div><span style="font-size:12.8px"><br>
                                                           </span></div>
                                                           <div><span style="font-size:12.8px">Yes. This would generate awareness, generate opportunities for new volunteers and put better control around our prominent code.</span></div>
                                                           </div>
                                                           <div class="gmail_extra"><br clear="all">
                                                           <div>
                                                           <div>
                                                           <div dir="ltr">
                                                           <div>
                                                           <div dir="ltr">
                                                           <div dir="ltr">
                                                           <div dir="ltr">
                                                           <div dir="ltr"><br>
                                                           --<br>
                                                           Michael Coates | <a moz-do-not-send="true" href="https://twitter.com/intent/user?screen_name=_mwc" target="_blank">@_mwc</a><br>
                                                           </div>
                                                           <div>OWASP Global Board<br>
                                                           </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <br>
                                                           <div class="gmail_quote">On Sat, Nov 21, 2015 at 8:34 AM, johanna curiel curiel <span dir="ltr"><<a moz-do-not-send="true"><a class="moz-txt-link-abbreviated" href="mailto:johanna.curiel@owasp.org">johanna.curiel@owasp.org</a></a>></span> wrote:<br>
                                                           <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                           <div dir="ltr">Hi Jim & Board
                                                           <div><br>
                                                           </div>
                                                           <div>'Developers come to us'... is indeed a moderate approach. I just finalised a security review of projects developed by very serious companies in the EU, and it amazes me that they were using CSRFGuard and even ESAPI.</div>
                                                           <div><br>
                                                           </div>
                                                           <div>There is a dependency, and that is the reason why the PHPSEC users were angry at OWASP: they were using the project for some serious development of financial applications and counting on OWASP to secure them.</div>
                                                           <div><br>
                                                           </div>
                                                           <div>Since OWASP cannot offer a QA process review of its own projects, we should be careful here, and indeed the approach of helping to improve existing frameworks is more realistic and carries fewer risks of reputation issues for OWASP's image.</div>
                                                           <div><br>
                                                           </div>
                                                           <div>I would say that for the existing Flagship & LABS (libraries or code) we should run a program through HackerOne or Bugbounty. (Of course insecure applications such as WebGoat are out of scope ;-))</div>
                                                           <div><br>
                                                           </div>
                                                           <div>Again, maybe the focus should stop being on trying to create libraries, as Tim said, and instead go into working on existing frameworks.</div>
                                                           <div><br>
                                                           </div>
                                                           <div>The reality is that creating security libraries is VERY hard and it has a lot of consequences for OWASP's image if serious issues are found, as in the case of PHPSEC.</div>
                                                           <div><br>
                                                           </div>
                                                           <div>regards</div>
                                                           <div><br>
                                                           </div>
                                                           <div>Johanna</div>
                                                           </div>
                                                           <div class="gmail_extra"><br>
                                                           <div class="gmail_quote">
                                                           <div>
                                                           <div>On Sat, Nov 21, 2015 at 11:55 AM, Jim Manico <span dir="ltr"><<a moz-do-not-send="true"><a class="moz-txt-link-abbreviated" href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a></a>></span> wrote:<br>
                                                           </div>
                                                           </div>
                                                           <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                           <div>
                                                           <div>
                                                           <div dir="auto">
                                                           <div>Folks,</div>
                                                           <div><br>
                                                           </div>
                                                           <div>I'm feeling a bit more clarity on suggesting technical resource hires for 2016. Paul, these are just ideas to trigger strategic planning discussions and ideas. I agree that the final decisions around these hires are "all you".  I hope this email is taken in the spirit of "ideas to consider".</div>
                                                           <div><br>
                                                           </div>
                                                           <div>1) Wiki experts (previously discussed)</div>
                                                           <div>2) Web design expert (previously discussed)</div>
                                                           <div>3) Technical contractor or bounties to help augment the security of common software frameworks (big potential here)</div>
                                                           <div>4) Security assurance contractors or bounties to help review OWASP defensive projects<br>
                                                           <br>
                                                           The whole "developers, come to us" is only modestly effective. "Developers, we want to help and go to you" is a much more effective movement, IMO.</div>
                                                           <div><br>
                                                           </div>
                                                           <div>Thinking a bit out of the box here... If we spent significant funds in helping improve common software frameworks for security, we could really have a massive impact on the world at large. I'd love to see serious investment in this area....</div>
                                                           <div><br>
                                                           </div>
                                                           <div>Aloha,<br>
                                                           <div>--</div>
                                                           <div>Jim Manico</div>
                                                           <div>
                                                           <div>
                                                           <div style="word-wrap:break-word">
                                                           <div><span style="background-color:rgba(255,255,255,0)">Global Board Member</span></div>
                                                           <span style="background-color:rgba(255,255,255,0)">OWASP Foundation</span>
                                                           <div><a moz-do-not-send="true" href="https://www.owasp.org/" style="background-color:rgba(255,255,255,0)" target="_blank"><font color="#000000"><a class="moz-txt-link-freetext" href="https://www.owasp.org">https://www.owasp.org</a></font></a></div>
                                                           </div>
                                                           </div>
                                                           <div><span style="background-color:rgba(255,255,255,0)">Join me in Rome for AppSecEU 2016!</span></div>
                                                           </div>
                                                           </div>
                                                           </div>
                                                           <br>
                                                           </div>
                                                           </div>
_______________________________________________<br>
                                                          Owasp-board
                                                          mailing list<br>
                                                          <a
                                                          moz-do-not-send="true"
                                                          href="mailto:Owasp-board@lists.owasp.org">Owasp-board@lists.owasp.org</a><br>
                                                          <a
                                                          moz-do-not-send="true"
href="https://lists.owasp.org/mailman/listinfo/owasp-board"
                                                          rel="noreferrer"
target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-board</a><br>
                                                          <br>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          <br>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <br>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          </blockquote>
                                                          <br>
                                                          <br>
                                                          -- <br>
                                                          <div dir="ltr">
                                                          <div>
                                                          <div dir="ltr">
                                                          <div dir="ltr">
                                                          <div dir="ltr">
                                                          <div dir="ltr"><br>
                                                          --<br>
                                                          Michael Coates
                                                          | <a
                                                          moz-do-not-send="true"
href="https://twitter.com/intent/user?screen_name=_mwc" target="_blank">@_mwc</a><br>
                                                          </div>
                                                          <div>OWASP
                                                          Global Board<br>
                                                          </div>
                                                          <div dir="ltr">
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <br>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                        </div>
                                                      </div>
                                                      <br>
                                                    </blockquote>
                                                  </div>
                                                  <br>
                                                </div>
                                              </div>
                                            </blockquote>
                                          </div>
                                        </div>
                                      </div>
                                    </blockquote>
                                  </div>
                                  <br>
                                </div>
                              </div>
                            </blockquote>
                          </div>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                  <br>
                </div>
              </div>
            </div>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Jim Manico
Global Board Member
OWASP Foundation
<a class="moz-txt-link-freetext" href="https://www.owasp.org">https://www.owasp.org</a></pre>
  </body>
</html>