<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div><br>
    </div>
    <div><font color="#500050"><b>> That counts for every volunteer
          I assume...</b></font></div>
    <br>
    Of course it does, me too! :) There are about 10 folks active on
    the wiki who I talk to on a very regular basis. In my experience we
    all really enjoy messin' with the wiki and have a lot of fun
    interacting with each other. It's satisfying and we all learn in the
    process. <br>
    <br>
    Wiki work brings a lot of joy to me in my OWASP interactions so imma
    going to keep doing it. These are folks who are really sharp about
    application security, enjoy debating the finer points and are happy
    to contribute some of their expertise to the foundation. No one
    forced any of the wiki (or project) folks to contribute. They want
    to. :)<br>
    <br>
    Aloha,<br>
    Jim<br>
    <br>
    Not bad traffic for wiki pages<br>
    <br>
    2.1 million
    <a class="moz-txt-link-freetext" href="https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet">https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet</a><br>
    1.9 million
<a class="moz-txt-link-freetext" href="https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet">https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet</a><br>
    <br>
    <div class="moz-cite-prefix"><br>
      <br>
      <br>
    </div>
    <blockquote
cite="mid:CACxry_2sOGkXeqeFib6UGrWZ443=PACa7HD40gtQ81DPhoPWYw@mail.gmail.com"
      type="cite">
      <div dir="ltr"><span style="color:rgb(80,0,80);font-size:13px">>>I
          am very confused. </span><b
          style="color:rgb(80,0,80);font-size:13px">No one asked you to
          do any work here, am I mistaken? </b><br>
        <div><br>
        </div>
        <div><font color="#500050"><b>That counts for every volunteer I
              assume...</b></font></div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Sat, Feb 20, 2016 at 8:50 PM, Jim
          Manico <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"><span class=""> > I
                don't think you have read properly what I'm trying to
                say, which is, that these activities, where there seems
                to be a need for operational support, such as reviewing
                or wiki editing, does not have enough traction from
                volunteer efforts and therefore not sustainable. Many
                talk cheap and in the end, not enough people to backup
                operations.<br>
                <br>
              </span> Right. Wiki could use more help, but the Bug
              Bounty proposals include significant <b>vendor</b>
              support. I think that will work well<span class=""><br>
                > If you consider the wiki a success, (with XSS
                fiasco included) then you have not read the responses
                people provided on the survey I did where 50 members of
                our community responded. Have you read what they say?<br>
                <br>
              </span> Fiasco? We found and fixed bugs. That's good. The
              world keeps on spinning. Yes, I know of the complaints from
              the 50 folks in your survey, and I agree with those
              concerns. But you must have missed the many <b>millions</b>
              of page hits on <b>several</b>  wiki pages and other
              documentation projects...<br>
              <br>
              Johanna, I do not know why you keep targeting me in these
              emails. I am just one board member - one that you
              apparently do not like or have respect for. Maybe consider
              talking to other board members if you are not happy with
              my actions. In the meantime, I am going to do a little
              wiki work tonight.<br>
              <br>
              If you have sustainable ideas for these programs, by all
              means let's hear them. If there are things you need me to
              read, let me know. I am doing my best in my limited time
              as a volunteer.<br>
              <br>
              Aloha,<br>
              - Jim
              <div>
                <div class="h5"><br>
                  <br>
                  <br>
                  <div>On 2/20/16 6:43 PM, johanna curiel curiel wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr"><span style="font-size:13px">>>I
                        am very confused. <b>No one asked you to do any
                          work here, am I mistaken? </b></span><br>
                      <div><span style="font-size:13px"><br>
                        </span></div>
                      <div>Exactly,  <i><u>thank you for making that
                            clear.</u></i></div>
                      <div><br>
                      </div>
                      <div>I don't think you have read properly what I'm
                        trying to say, which is, that these activities,
                        where there seems to be a need for operational
                        support, such as reviewing or wiki editing,
                        does not have enough traction from volunteer
                        efforts and therefore not sustainable. Many talk
                        cheap and in the end, not enough people to
                        backup operations.</div>
                      <div><br>
                      </div>
                      <div>If you consider the wiki a success, (with XSS
                        fiasco included) then you have not read the
                        responses people provided on the survey I did
                        where 50 members of our community responded. Have
                        you read what they say?</div>
                      <div><br>
                      </div>
                      <div>I'm looking for a discussion around solutions
                        and creating initiatives that are sustainable. </div>
                      <div><br>
                      </div>
                      <div>Once again Jim, thank you for making it very
                        clear to me how you think. </div>
                      <div><br>
                      </div>
                      <div>I was expecting some discussions around
                        sustainability.</div>
                      <div><br>
                      </div>
                      <div>Cheers</div>
                      <div><br>
                      </div>
                      <div>Johanna</div>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Sat, Feb 20, 2016 at
                        8:29 PM, Jim Manico <span dir="ltr"><<a
                            moz-do-not-send="true"
                            href="mailto:jim.manico@owasp.org"
                            target="_blank">jim.manico@owasp.org</a>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">
                          <div bgcolor="#FFFFFF" text="#000000"> Johanna,<br>
                            <br>
                            All I asked is that we give other vendors a
                            chance to propose a bug bounty program
                            instead of just choosing one vendor. I am
                            not "the decider" here. I did not initiate
                            the bug bounty program nor do I disagree
                            with all of your comments below. I am sure
                            we will face several challenges. I still
                            think it's a good idea to try and I'm
                            grateful Josh is taking a leadership
                            position here.<span><br>
                              <br>
                              > I'm out of this equation regarding
                              any decisions of a bounty program and
                              management of it in the future.<br>
                              <br>
                            </span> For someone who is "out of the
                            equation" you sure have a lot to say! No one
                            is asking you to do - any work. You are a
                            volunteer (like me) and you do as you like
                            when you feel like it and that is ok.<br>
                            <br>
                            > Wiki have shown that volunteer based
                            does not work.<br>
                            <br>
                            I strongly disagree. I know the wiki is
                            tough for some to read, and it needs work,
                            but several pages have received millions of
                            hits and have helped many on several issues.
                            I know the wiki needs work, but I am proud
                            of the accomplishments of the thousands of
                            volunteers who have contributed to that
                            knowledge base in some way. <br>
                            <span> <br>
                              > Therefore, I prefer to abstain to
                              participate on this bounty initiative
                              because my workload has multiplied by the
                              dozen, and as a volunteer, I cannot
                              provide any guarantees of my availability
                              in the future.<br>
                              <br>
                            </span> I am very confused. No one asked you
                            to do any work here, am I mistaken? I do not
                            understand why you are upset or are
                            abstaining in something that I did not even
                            know you were a part of. I just recall you
                            (and Josh) getting very upset that I even
                            suggested we look at other vendor
                            proposals.... First you suggest we get a
                            specific vendor for an OWASP bug bounty
                            program, then you get upset that I suggested
                            we discuss this with other vendors, and now
                            you are abstaining. It's hard for me to follow
                            what you want here. I have watched you email
                            the world about "taking on an initiative"
                            and then quit several times now, that I am
                            having a lot of trouble following your work
                            and needs. And I have done this a few times
                            myself, I'm not perfect. But I do keep
                            trying.<span><br>
                              <br>
                              > This counts for the review process.
                              This is the reason why we,  Enrico and I,
                              proposed to decentralise and focus on a
                              platform. Even so, this platform is highly
                              dependable on volunteers. So far, only 6
                              members have voted for Graduation of the
                              OWASP security project. We lack
                              participation. I feel like no one cares.
                              Or people just don't want to participate
                              in this kind of thing. I have no freaking
                              idea.<br>
                              <br>
                            </span> Johanna, if you are not satisfied
                            with your volunteer activities, then I
                            suggest you find another way to lend support
                            at OWASP (there are many many things going
                            on with application security) or <b>take a
                              break and take some time off</b>. OWASP is
                            not supposed to get you angry or make you
                            feel unsatisfied.  It's Saturday night and
                            I'm stuck in Chicago so I'm going to work on
                            a few wiki tasks on my plate because that
                            gives me a lot of satisfaction - even in the
                            face of other folks, like yourself, who do
                            not see the value in the wiki. I do - so I'm
                            going to keep at it.<span><br>
                              <br>
                              > Furthermore, you end as a
                              solo-player, nobody gives you thanks, when
                              all you are trying to do is help, burning
                              your free time chasing waterfalls. (That
                              counts for you with the wiki editing of
                              +8000 pages, I guess all you hear is
                              criticism just as I do, and people just
                              tend to forget we are not OWASP staff, we
                              are volunteers)<br>
                              <br>
                            </span> Yea, I think that if you join OWASP
                            because you want "thanks" - you're in it for
                            the wrong reason. Johanna, I have seen folks
                            give you MANY compliments - over and over
                            and over - on big public lists - from folks
                            all over the world - and it does not seem to
                            be enough for you, so I do not know what to
                            tell you. I do the work I do at OWASP
                            because I believe in it and find the value
                            in it. I don't want thanks - I actually
                            dislike getting public thanks - I just want
                            more volunteers involved. And I find that
                            leading by example helps. There are quite a
                            few folks working on the wiki with me. I am
                            super grateful for them all. Generating new
                            content is not an issue, dealing with older
                            content is.<span><br>
                              <br>
                              > Whatever the reason, the effect is,
                              volunteered based initiatives as wiki,
                              reviews and possibly Bounty program, does
                              not seem to work. <br>
                              <br>
                            </span> This is a fair point regarding the
                            bug bounty program. Please keep in mind that
                            several of the bounty programs proposed
                            would be vendor driven, not volunteer
                            driven. It's not decided yet nor is it my
                            call (or even charge). This thread started
                            because I asked to be vendor neutral, and if
                            this was to start over I'd do the same.<br>
                            <br>
                            Have a nice Saturday night. I'm off to work
                            on the Java wiki page and do a little
                            cleanup.<br>
                            <br>
                            Aloha,<br>
                            - Jim
                            <div>
                              <div><br>
                                <br>
                                <div>On 2/20/16 11:14 AM, johanna curiel
                                  curiel wrote:<br>
                                </div>
                                <blockquote type="cite">
                                  <div dir="ltr">>><span
                                      style="font-size:13px">I trust
                                      those involved will make a good
                                      decision here. </span>
                                    <div><br>
                                    </div>
                                    <div>>><span
                                        style="font-size:13px">First,
                                        the current proposal <u>does
                                          not include the triage,
                                          reproduction, and remediation
                                          piece</u> (the Bugcrowd one
                                        does).  After speaking with them
                                        about this, they explained that
                                        it is because there is
                                        additional costs involved with
                                        that because they partner with
                                        other companies to provide that
                                        service.  That said, they
                                        offered to talk to one of their
                                        partners and had a strong belief
                                        that they could offer this to us
                                        as well.</span><br>
                                      <div><span style="font-size:13px"><br>
                                        </span></div>
                                      <div><span style="font-size:13px">Hi
                                          Jim.</span></div>
                                      <div><span style="font-size:13px"><br>
                                        </span></div>
                                      <div>I'm all in favour of vendor
                                        neutrality at all times. I admire
                                        your pro-activeness in these
                                        matters, however, at this point,
                                        I'm out of this equation
                                        regarding any decisions of a
                                        bounty program and management of
                                        it in the future.</div>
                                      <div><br>
                                      </div>
                                      <div>One of the major problems we
                                        have, is to create sustainable
                                        initiatives. I'm a volunteer
                                        with limited time. My
                                        availability will vary a lot and
                                        this is common for volunteers.</div>
                                      <div><br>
                                      </div>
                                      <div>I think it is important that we
                                        ask ourselves who will be
                                        accountable for the system we
                                        bring in and able to manage this
                                        continuously. Volunteer based,
                                        I'm not convinced. </div>
                                      <div><br>
                                      </div>
                                      <div>Wiki and Reviews have shown
                                        that volunteer based does not
                                        work. Therefore, I prefer to
                                        abstain to participate on this
                                        bounty initiative because my
                                        workload has multiplied by the
                                        dozen, and as a volunteer, I
                                        cannot provide any guarantees of
                                        my availability in the future.</div>
                                      <div><br>
                                      </div>
                                      <div>This counts for the review
                                        process. This is the reason why
                                        we,  Enrico and I, proposed to
                                        decentralise and focus on a
                                        platform. Even so, this platform
                                        is highly dependable on
                                        volunteers. So far, only 6
                                        members have voted for
                                        Graduation of the OWASP security
                                        project. We lack participation. I
                                        feel like no one cares. Or
                                        people just don't want to
                                        participate in this kind of
                                        thing. I have no freaking idea.</div>
                                      <div><br>
                                      </div>
                                      <div>So far, there has not been
                                        any reviewers that have worked
                                        on reviews since we restarted
                                        this initiative. Even before,
                                        when Claudia started offering
                                        Amazon cards in exchange for
                                        reviews, only 2 persons
                                        participated for 2 reviews on
                                        different projects. We keep on
                                        looking, I believe Claudia has
                                        contacted them, but in the end,
                                        nothing.</div>
                                      <div><br>
                                      </div>
                                      <div> I took many hours to build
                                        that criteria and let people
                                        comment and collaborate, so we
                                        make this process easier. There
                                        has been some participation,
                                        but from very few. We provide
                                        the community with all the
                                        opportunities to participate but
                                        still, there is a lack of
                                        interest in this subject.</div>
                                      <div><br>
                                      </div>
                                      <div>I spoke with Jason Li, and
                                        even on an interview you did to
                                        him in 2008, he had the same
                                        idea of providing a platform for
                                        participation, but people don't
                                        want to volunteer for these
                                        kind of tasks, just as happens
                                        with the wiki.</div>
                                      <div><br>
                                      </div>
                                      <div>Furthermore, you end as a
                                        solo-player, nobody gives you
                                        thanks, when all you are trying
                                        to do is help, burning your free
                                        time chasing waterfalls. (That
                                        counts for you with the wiki
                                        editing of +8000 pages, I guess
                                        all you hear is criticism just
                                        as I do, and people just tend
                                        to forget we are not OWASP
                                        staff, we are volunteers)</div>
                                      <div><br>
                                      </div>
                                      <div>I think it is time, from
                                        the operational management point
                                        of view, to revise all these
                                        actions and have a very serious
                                        talk about this.</div>
                                      <div>
                                        <ul>
                                          <li>Are they sustainable only
                                            volunteer based?<br>
                                          </li>
                                          <li>What has the experience
                                            shown?<br>
                                          </li>
                                          <li>Why does OWASP lack
                                            volunteers to help on these
                                            tasks?<br>
                                          </li>
                                          <li>Is the workload too big to
                                            expect volunteers to do
                                            this?</li>
                                          <li>Is this a community that
                                            has no time to do this kind
                                            of work?</li>
                                          <li>Do they actually want to
                                            do these kind of tasks?</li>
                                        </ul>
                                      </div>
                                      <div>Volunteers are volunteers,
                                        they are not workforce nor can
                                        you expect the same output. You
                                        cannot expect anything from
                                        them.</div>
                                      <div><br>
                                      </div>
                                      <div>A volunteer must feel he
                                        gains something back for giving
                                        his time. If there is no
                                        exchange on this part, if he
                                        does not feel valued or that his
                                        work matters,  or enjoys what he
                                        does, then, I think, volunteer
                                        work stops. For me, it must
                                        have a meaning, that what I do
                                        matters.</div>
                                      <div><br>
                                      </div>
                                      <div>Whatever the reason, the
                                        effect is, volunteered based
                                        initiatives as wiki, reviews and
                                        possibly Bounty program, does
                                        not seem to work. </div>
                                      <div><br>
                                      </div>
                                      <div>We should evaluate this
                                        before we keep bringing systems
                                        that cannot be volunteered-based
                                        sustained.</div>
                                      <div><br>
                                      </div>
                                      <div>Cheers</div>
                                      <div><br>
                                      </div>
                                      <div>Johanna</div>
                                    </div>
                                    <div class="gmail_extra"><br>
                                      <div class="gmail_quote">On Sat,
                                        Feb 20, 2016 at 12:17 AM, Jim
                                        Manico <span dir="ltr"><<a
                                            moz-do-not-send="true"
                                            href="mailto:jim.manico@owasp.org"
                                            target="_blank">jim.manico@owasp.org</a>></span>
                                        wrote:<br>
                                        <blockquote class="gmail_quote"
                                          style="margin:0 0 0
                                          .8ex;border-left:1px #ccc
                                          solid;padding-left:1ex">
                                          <div bgcolor="#FFFFFF"
                                            text="#000000"> Josh,<br>
                                            <br>
                                            I am grateful you took the
                                            time to hear other bounty
                                            vendors out, especially
                                            since I forced your hand to
                                            do so to some degree.<br>
                                            <br>
                                            I trust those involved will
                                            make a good decision here. <br>
                                            <br>
                                            I do not have a charge over
                                            this and do not want to
                                            interfere, but if you want
                                            my assistance just ask.<br>
                                            <br>
                                            Aloha,<br>
                                            Jim
                                            <div>
                                              <div><br>
                                                <br>
                                                <br>
                                                <div>On 2/19/16 4:07 PM,
                                                  Josh Sokol wrote:<br>
                                                </div>
                                                <blockquote type="cite">
                                                  <div dir="ltr">
                                                    <div>
                                                      <div>
                                                        <div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>I went
                                                          ahead and
                                                          spoke with
                                                          HackerOne this
                                                          afternoon even
                                                          though others
                                                          were unable to
                                                          make it.  I'm
                                                          going to be
                                                          mostly
                                                          out-of-pocket
                                                          over the next
                                                          couple of
                                                          weeks, but at
                                                          least wanted
                                                          to be
                                                          informed.  I
                                                          took some
                                                          notes,
                                                          included
                                                          below, but had
                                                          a couple of
                                                          things that
                                                          are worth
                                                          mentioning
                                                          here.  First,
                                                          the current
                                                          proposal does
                                                          not include
                                                          the triage,
                                                          reproduction,
                                                          and
                                                          remediation
                                                          piece (the
                                                          Bugcrowd one
                                                          does).  After
                                                          speaking with
                                                          them about
                                                          this, they
                                                          explained that
                                                          it is because
                                                          there are
                                                          additional
                                                          costs involved
                                                          with that
                                                          because they
                                                          partner with
                                                          other
                                                          companies to
                                                          provide that
                                                          service.  That
                                                          said, they
                                                          offered to
                                                          talk to one of
                                                          their partners
                                                          and had a
                                                          strong belief
                                                          that they
                                                          could offer
                                                          this to us as
                                                          well.  With
                                                          that, I think
                                                          that what they
                                                          are offering
                                                          is pretty much
                                                          equivalent to
                                                          what Bugcrowd
                                                          is offering. 
                                                          That said, the
                                                          ask is
                                                          **VERY**
                                                          different. 
                                                          While Bugcrowd
                                                          is looking for
                                                          an OWASP
                                                          Platinum
                                                          sponsorship
                                                          package in
                                                          exchange for
                                                          their
                                                          services,
                                                          HackerOne is
                                                          literally
                                                          asking for
                                                          nothing.  They
                                                          said that they
                                                          are big
                                                          supporters of
                                                          the OWASP
                                                          Foundation and
                                                          what we stand
                                                          for and want
                                                          to do this to
                                                          help us out. 
                                                          I was not
                                                          expecting
                                                          this, but am
                                                          extremely
                                                          happy with
                                                          what I heard
                                                          from them.  We
                                                          haven't talked
                                                          to Cobalt yet,
                                                          but my gut at
                                                          this point is
                                                          that HackerOne
                                                          would make for
                                                          a great
                                                          partner on
                                                          this and I
                                                          would
                                                          recommend, if
                                                          we were to
                                                          accept their
                                                          offer,
                                                          providing them
                                                          with a logo
                                                          placement on
                                                          the supporter
                                                          page (as a
                                                          minimum) as a
                                                          token of our
                                                          appreciation. 
                                                          <br>
                                                          <br>
                                                          </div>
                                                          <div>So, I
                                                          realize that
                                                          we still have
                                                          one more
                                                          vendor to talk
                                                          to, but
                                                          HackerOne
                                                          looks really
                                                          good.  With
                                                          Johanna
                                                          out-of-pocket
                                                          for the
                                                          foreseeable
                                                          future, I
                                                          wanted to make
                                                          a
                                                          recommendation
                                                          to pull Simon
                                                          Bennetts (if
                                                          he is willing)
                                                          into this
                                                          evaluation
                                                          process.  I
                                                          think that a
                                                          bug bounty
                                                          program would
                                                          be of huge
                                                          benefit to his
                                                          efforts, and
                                                          would like to
                                                          get his
                                                          impression of
                                                          the value of
                                                          such a tool
                                                          for his
                                                          project. 
                                                          Simon, would
                                                          you be willing
                                                          to hop on a
                                                          call with the
                                                          HackerOne
                                                          folks to take
                                                          a look at
                                                          their
                                                          platform?  Or,
                                                          if you'd
                                                          prefer, we
                                                          have access to
                                                          the platform
                                                          already and
                                                          can get you an
                                                          account to
                                                          poke around
                                                          with on your
                                                          own.  <br>
                                                          <br>
                                                          </div>
                                                          <div>In any
                                                          case, notes
                                                          are below. 
                                                          Have a great
                                                          weekend!<br>
                                                          <br>
                                                          </div>
                                                          <div>~josh<br>
                                                          </div>
                                                          <div><br>
                                                          <u><b>Your
                                                          Platform:</b></u><br>
                                                          </div>
                                                          <ul>
                                                          <li>Workflow
                                                          &
                                                          Automation:
                                                          Focused on
                                                          engineering
                                                          the world's
                                                          most advanced
                                                          vulnerability
                                                          coordination
                                                          platform.<br>
                                                          </li>
                                                          <li>Signal:
                                                          Numerous
                                                          systems, such
                                                          as Reputation
                                                          and hackbot,
                                                          dedicated to
                                                          ensuring high
                                                          signal
                                                          programs.<br>
                                                          </li>
                                                          <li>Transparent:
                                                          All hackers
                                                          have a
                                                          profile,
                                                          history and
                                                          reputation. 
                                                          Advanced
                                                          public
                                                          disclosure
                                                          workflow when
                                                          needed.<br>
                                                          </li>
                                                          </ul>
                                                          </div>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          <u><b>You are
                                                          in Control:</b></u><br>
                                                        </div>
                                                        <ul>
                                                          <li>Flexible:
                                                          Run private or
                                                          public
                                                          programs, with
                                                          or without
                                                          bounties,
                                                          managed or
                                                          unmanaged.<br>
                                                          </li>
                                                          <li>Ownership:
                                                          You own your
                                                          data. 
                                                          HackerOne
                                                          makes no
                                                          claims on
                                                          Vulnerability
                                                          Information.<br>
                                                          </li>
                                                          <li>Multiparty
                                                          Coordination:
                                                          Easily pull in
                                                          other vendors
                                                          or external
                                                          parties into a
                                                          case.</li>
                                                        </ul>
                                                        <p><u><b>Service
                                                          Donation:</b></u></p>
                                                        <ul>
                                                          <li>Waive
                                                          bounty service
                                                          fees</li>
                                                          <li>Donate
                                                          HackerOne
                                                          Enterprise and
                                                          a dedicated
                                                          success
                                                          manager for
                                                          min 2 years.</li>
                                                        </ul>
                                                        <p>FREE Program</p>
                                                        <ul>
                                                          <li>Security@
                                                          Workflow</li>
                                                          <li>Hacker
                                                          Reputation</li>
                                                          <li>Intelligent
                                                          Duplication
                                                          Detection</li>
                                                          <li>Automation</li>
                                                          <li>Issue
                                                          Tracker
                                                          Integration</li>
                                                          <li>Analytics
                                                          Dashboard</li>
                                                        </ul>
                                                        <p>PROFESSIONAL
                                                          Program
                                                          ($2k/mo)</p>
                                                        <ul>
                                                          <li>Everything
                                                          in Free</li>
                                                          <li>Advanced
                                                          Hacker
                                                          Matching</li>
                                                          <li>Performance
                                                          Benchmarking</li>
                                                          <li>Launch
                                                          &
                                                          Optimization
                                                          Guidance</li>
                                                          <li>Report
                                                          Mediation</li>
                                                          <li>Reports
                                                          API</li>
                                                        </ul>
                                                        <p>ENTERPRISE
                                                          Program:</p>
                                                        <ul>
                                                          <li>Everything
                                                          in
                                                          Professional<br>
                                                          </li>
                                                          <li>Dedicated
                                                          Success
                                                          Manager</li>
                                                          <li>Custom
                                                          Analytics
                                                          &
                                                          Reporting</li>
                                                          <li>Custom
                                                          Integrations</li>
                                                          <li>Custom
                                                          Branding Theme</li>
                                                          <li>Communications
                                                          Guidance</li>
                                                        </ul>
                                                        <p>ADD ON: Bug
                                                          Bounty Global
                                                          Payments
                                                          (Included in
                                                          our deal)<br>
                                                        </p>
                                                        <p>ADD ON:
                                                          HackerOne
                                                          Managed -
                                                          Triage,
                                                          Reproduction
                                                          &
                                                          Remediation
                                                          Guidance (Not
                                                          included today
                                                          in the
                                                          proposal. 
                                                          Implemented by
                                                          partners. 
                                                          Need to
                                                          negotiate
                                                          this.)<br>
                                                        </p>
                                                        <ul>
                                                          <li>Would
                                                          propose to
                                                          have a
                                                          separate
                                                          instance for
                                                          each project +
                                                          OWASP
                                                          Foundation
                                                          resources</li>
                                                          <li>Do not
                                                          want anything
                                                          in return. 
                                                          Support the
                                                          OWASP
                                                          Foundation and
                                                          what we are
                                                          doing.</li>
                                                          <li>Have a
                                                          built-in
                                                          leaderboard
                                                          sortable by
                                                          timeframe</li>
                                                          <li>Ranks
                                                          hackers based
                                                          on "signal"
                                                          and "impact"</li>
                                                          <li>Have an
                                                          integration
                                                          with
                                                          Salesforce
                                                          ticketing</li>
                                                          <li>Support a
                                                          wide range of
                                                          common
                                                          disclosure
                                                          scenarios such
                                                          as "public
                                                          disclosure". 
                                                          By default
                                                          they are
                                                          confidential.<br>
                                                          </li>
                                                        </ul>
                                                      </div>
                                                    </div>
                                                  </div>
                                                </blockquote>
                                                <br>
                                              </div>
                                            </div>
                                          </div>
                                        </blockquote>
                                      </div>
                                      <br>
                                      <br clear="all">
                                      <div><br>
                                      </div>
                                      -- <br>
                                      <div>
                                        <div dir="ltr">
                                          <div>Johanna Curiel </div>
                                          OWASP Volunteer</div>
                                      </div>
                                    </div>
                                  </div>
                                </blockquote>
                                <br>
                              </div>
                            </div>
                          </div>
                        </blockquote>
                      </div>
                      <br>
                      <br clear="all">
                      <div><br>
                      </div>
                      -- <br>
                      <div>
                        <div dir="ltr">
                          <div>Johanna Curiel </div>
                          OWASP Volunteer</div>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div class="gmail_signature">
          <div dir="ltr">
            <div>Johanna Curiel </div>
            OWASP Volunteer</div>
        </div>
      </div>
    </blockquote>
    <br>
  </body>
</html>