<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Johanna,<br>
    <br>
    All I asked is that we give other vendors a chance to propose a bug
    bounty program instead of just choosing one vendor. I am not "the
    decider" here. I did not initiate the bug bounty program nor do I
    disagree with all of your comments below. I am sure we will face
    several challenges. I still think it's a good idea to try and I'm
    grateful Josh is taking a leadership position here.<br>
    <br>
    > I'm out of this equation regarding any decisions of a bounty
    program and management of it in the future.<br>
    <br>
    For someone who is "out of the equation" you sure have a lot to say!
    No one is asking you to do any work. You are a volunteer (like me)
    and you do as you like when you feel like it, and that is ok.<br>
    <br>
    > Wiki have shown that volunteer based does not work.<br>
    <br>
    I strongly disagree. I know the wiki is tough for some to read, and
    it needs work, but several pages have received millions of hits and
    have helped many on several issues. I know the wiki needs work, but
    I am proud of the accomplishments of the thousands of volunteers who
    have contributed to that knowledge base in some way. <br>
    <br>
    > Therefore, I prefer to abstain to participate on this bounty
    initiative because my workload has multiplied by the dozen, and as a
    volunteer, I cannot provide any guarantees of my availability in the
    future.<br>
    <br>
    I am very confused. No one asked you to do any work here, am I
    mistaken? I do not understand why you are upset or are abstaining from
    something that I did not even know you were a part of. I just recall
    you (and Josh) getting very upset that I even suggested we look at
    other vendor proposals.... First you suggest we get a specific
    vendor for an OWASP bug bounty program, then you get upset that I
    suggested we discuss this with other vendors, and now you are
    abstaining. It's hard for me to follow what you want here. I have
    watched you email the world about "taking on an initiative" and then
    quit several times now, so I am having a lot of trouble following
    your work and needs. And I have done this a few times myself; I'm
    not perfect. But I do keep trying.<br>
    <br>
    > This counts for the review process. This is the reason why we,
    Enrico and I, proposed to decentralise and focus on a platform.
    Even so, this platform is highly dependent on volunteers. So far,
    only 6 members have voted for Graduation of the OWASP security
    project. We lack participation. I feel like no one cares. Or people
    just don't want to participate in this kind of thing. I have no
    freaking idea.<br>
    <br>
    Johanna, if you are not satisfied with your volunteer activities,
    then I suggest you find another way to lend support at OWASP (there
    are many, many things going on with application security) or <b>take
      a break and take some time off</b>. OWASP is not supposed to get
    you angry or make you feel unsatisfied. It's Saturday night and
    I'm stuck in Chicago, so I'm going to work on a few wiki tasks on my
    plate because that gives me a lot of satisfaction - even in the face
    of other folks, like yourself, who do not see the value in the wiki.
    I do - so I'm going to keep at it.<br>
    <br>
    > Furthermore, you end up as a solo player, nobody gives you thanks,
    when all you are trying to do is help, burning your free time
    chasing waterfalls. (That counts for you with the wiki editing of
    +8000 pages, I guess all you hear is criticism just as I do, and
    people just tend to forget we are not OWASP staff, we are
    volunteers)<br>
    <br>
    Yea, I think that if you join OWASP because you want "thanks" -
    you're in it for the wrong reason. Johanna, I have seen folks give
    you MANY compliments - over and over and over - on big public lists
    - from folks all over the world - and it does not seem to be enough
    for you, so I do not know what to tell you. I do the work I do at
    OWASP because I believe in it and find the value in it. I don't want
    thanks - I actually dislike getting public thanks - I just want more
    volunteers involved. And I find that leading by example helps. There
    are quite a few folks working on the wiki with me. I am super
    grateful for them all. Generating new content is not an issue,
    dealing with older content is.<br>
    <br>
    > Whatever the reason, the effect is, volunteer-based
    initiatives such as the wiki, reviews and possibly the bounty program
    do not seem to work. <br>
    <br>
    This is a fair point regarding the bug bounty program. Please keep
    in mind that several of the bounty programs proposed would be vendor
    driven, not volunteer driven. It's not decided yet nor is it my call
    (or even charge). This thread started because I asked to be vendor
    neutral, and if this was to start over I'd do the same.<br>
    <br>
    Have a nice Saturday night. I'm off to work on the Java wiki page
    and do a little cleanup.<br>
    <br>
    Aloha,<br>
    - Jim<br>
    <br>
    <div class="moz-cite-prefix">On 2/20/16 11:14 AM, johanna curiel
      curiel wrote:<br>
    </div>
    <blockquote
cite="mid:CACxry_35AnHzR1yThLv2G0ct6=Xz3s0P4Dz7ooJzgmcCEWj5qA@mail.gmail.com"
      type="cite">
      <div dir="ltr">>><span style="font-size:13px">I trust those
          involved will make a good decision here. </span>
        <div><br>
        </div>
        <div>>><span style="font-size:13px">First, the current
            proposal <u>does not include the triage, reproduction, and
              remediation piece</u> (the Bugcrowd one does).  After
            speaking with them about this, they explained that it is
            because there are additional costs involved with that because
            they partner with other companies to provide that service. 
            That said, they offered to talk to one of their partners and
            had a strong belief that they could offer this to us as
            well.</span><br>
          <div><span style="font-size:13px"><br>
            </span></div>
          <div><span style="font-size:13px">Hi Jim.</span></div>
          <div><span style="font-size:13px"><br>
            </span></div>
          <div>I'm all in favour of vendor neutrality at all times. I
            admire your pro-activeness in these matters, however, at
            this point, I'm out of this equation regarding any decisions
            of a bounty program and management of it in the future.</div>
          <div><br>
          </div>
          <div>One of the major problems we have, is to create
            sustainable initiatives. I'm a volunteer with limited time.
            My availability will vary a lot and this is common for
            volunteers.</div>
          <div><br>
          </div>
          <div>I think it is important that we ask ourselves who will be
            accountable for the system we bring in and able to manage
            this continuously. Volunteer based, I'm not convinced. </div>
          <div><br>
          </div>
          <div>Wiki and Reviews have shown that volunteer-based does not
            work. Therefore, I prefer to abstain from participating in this
            bounty initiative because my workload has multiplied by the
            dozen, and as a volunteer, I cannot provide any guarantees
            of my availability in the future.</div>
          <div><br>
          </div>
          <div>This counts for the review process. This is the reason
            why we, Enrico and I, proposed to decentralise and focus on
            a platform. Even so, this platform is highly dependent on
            volunteers. So far, only 6 members have voted for Graduation
            of the OWASP security project. We lack participation. I feel
            like no one cares. Or people just don't want to participate
            in this kind of thing. I have no freaking idea.</div>
          <div><br>
          </div>
          <div>So far, there have not been any reviewers that have worked
            on reviews since we restarted this initiative. Even before,
            when Claudia started offering Amazon cards in exchange for
            reviews, only 2 persons participated for 2 reviews on
            different projects. We keep on looking, I believe Claudia
            has contacted them, but in the end, nothing.</div>
          <div><br>
          </div>
          <div>I took many hours to build that criteria and let people
            comment and collaborate, so we make this process easier.
            There has been some participation, but from very few. We
            provide the community with all the opportunities to
            participate but still, there is a lack of interest in this
            subject.</div>
          <div><br>
          </div>
          <div>I spoke with Jason Li, and even in an interview you did
            with him in 2008, he had the same idea of providing a platform
            for participation, but people don't want to volunteer for
            these kinds of tasks, just as happens with the wiki.</div>
          <div><br>
          </div>
          <div>Furthermore, you end up as a solo player, nobody gives you
            thanks, when all you are trying to do is help, burning your
            free time chasing waterfalls. (That counts for you with the
            wiki editing of +8000 pages, I guess all you hear is
            criticism just as I do, and people just tend to forget we
            are not OWASP staff, we are volunteers)</div>
          <div><br>
          </div>
          <div>I think it is time, from the operational management
            point of view, to revise all these actions and have a very
            serious talk about this.</div>
          <div>
            <ul>
              <li>Are they sustainable only volunteer based?<br>
              </li>
              <li>What has the experience shown?<br>
              </li>
              <li>Why does owasp lack volunteers to help on these tasks?<br>
              </li>
              <li>Is the workload too big to expect volunteers to do
                this?</li>
              <li>Is this a community that has no time to do this kind
                of work?</li>
              <li>Do they actually want to do these kinds of tasks?</li>
            </ul>
          </div>
          <div>Volunteers are volunteers, they are not workforce, nor can
            you expect the same output. You cannot expect anything from
            them.</div>
          <div><br>
          </div>
          <div>A volunteer must feel he gains something back for giving
            his time. If there is no exchange on this part, if he does
            not feel valued or that his work matters, or enjoys what he
            does, then, I think, volunteer work stops. For me, it
            must have a meaning, that what I do matters.</div>
          <div><br>
          </div>
          <div>Whatever the reason, the effect is, volunteer-based
            initiatives such as the wiki, reviews and possibly the bounty
            program do not seem to work. </div>
          <div><br>
          </div>
          <div>We should evaluate this before we keep bringing in systems
            that cannot be sustained on a volunteer basis.</div>
          <div><br>
          </div>
          <div>Cheers</div>
          <div><br>
          </div>
          <div>Johanna</div>
          <div><br>
          </div>
        </div>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On Sat, Feb 20, 2016 at 12:17 AM, Jim
            Manico <span dir="ltr"><<a moz-do-not-send="true"
                href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000"> Josh,<br>
                <br>
                I am grateful you took the time to hear other bounty
                vendors out, especially since I forced your hand to do
                so to some degree.<br>
                <br>
                I trust those involved will make a good decision here. <br>
                <br>
                I do not have a charge over this and do not want to
                interfere, but if you want my assistance just ask.<br>
                <br>
                Aloha,<br>
                Jim
                <div>
                  <div class="h5"><br>
                    <br>
                    <br>
                    <div>On 2/19/16 4:07 PM, Josh Sokol wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <div dir="ltr">
                        <div>
                          <div>
                            <div>
                              <div>
                                <div>
                                  <div>
                                    <div>I went ahead and spoke with
                                      HackerOne this afternoon even
                                      though others were unable to make
                                      it.  I'm going to be mostly
                                      out-of-pocket over the next couple
                                      of weeks, but at least wanted to
                                      be informed.  I took some notes,
                                      included below, but had a couple
                                      of things that are worth
                                      mentioning here.  First, the
                                      current proposal does not include
                                      the triage, reproduction, and
                                      remediation piece (the Bugcrowd
                                      one does).  After speaking with
                                      them about this, they explained
                                      that it is because there are
                                      additional costs involved with
                                      that because they partner with
                                      other companies to provide that
                                      service.  That said, they offered
                                      to talk to one of their partners
                                      and had a strong belief that they
                                      could offer this to us as well. 
                                      With that, I think that what they
                                      are offering is pretty much
                                      equivalent to what Bugcrowd is
                                      offering.  That said, the ask is
                                      **VERY** different.  While
                                      Bugcrowd is looking for an OWASP
                                      Platinum sponsorship package in
                                      exchange for their services,
                                      HackerOne is literally asking for
                                      nothing.  They said that they are
                                      big supporters of the OWASP
                                      Foundation and what we stand for
                                      and want to do this to help us
                                      out.  I was not expecting this,
                                      but am extremely happy with what I
                                      heard from them.  We haven't
                                      talked to Cobalt yet, but my gut
                                      at this point is that HackerOne
                                      would make for a great partner on
                                      this and I would recommend, if we
                                      were to accept their offer,
                                      providing them with a logo
                                      placement on the supporter page
                                      (as a minimum) as a token of our
                                      appreciation.  <br>
                                      <br>
                                    </div>
                                    <div>So, I realize that we still
                                      have one more vendor to talk to,
                                      but HackerOne looks really good. 
                                      With Johanna out-of-pocket for the
                                      foreseeable future, I wanted to
                                      make a recommendation to pull
                                      Simon Bennetts (if he is willing)
                                      into this evaluation process.  I
                                      think that a bug bounty program
                                      would be of huge benefit to his
                                      efforts, and would like to get his
                                      impression of the value of such a
                                      tool for his project.  Simon,
                                      would you be willing to hop on a
                                      call with the HackerOne folks to
                                      take a look at their platform? 
                                      Or, if you'd prefer, we have
                                      access to the platform already and
                                      can get you an account to poke
                                      around with on your own.  <br>
                                      <br>
                                    </div>
                                    <div>In any case, notes are below. 
                                      Have a great weekend!<br>
                                      <br>
                                    </div>
                                    <div>~josh<br>
                                    </div>
                                    <div><br>
                                      <u><b>Your Platform:</b></u><br>
                                    </div>
                                    <ul>
                                      <li>Workflow & Automation:
                                        Focused on engineering the
                                        world's most advanced
                                        vulnerability coordination
                                        platform.<br>
                                      </li>
                                      <li>Signal: Numerous systems, such
                                        as Reputation and hackbot,
                                        dedicated to ensuring high
                                        signal programs.<br>
                                      </li>
                                      <li>Transparent: All hackers have
                                        a profile, history and
                                        reputation.  Advanced public
                                        disclosure workflow when needed.<br>
                                      </li>
                                    </ul>
                                  </div>
                                </div>
                                <br>
                              </div>
                              <u><b>You are in Control:</b></u><br>
                            </div>
                            <ul>
                              <li>Flexible: Run private or public
                                programs, with or without bounties,
                                managed or unmanaged.<br>
                              </li>
                              <li>Ownership: You own your data. 
                                HackerOne makes no claims on
                                Vulnerability Information.<br>
                              </li>
                              <li>Multiparty Coordination: Easily pull
                                in other vendors or external parties
                                into a case.</li>
                            </ul>
                            <p><u><b>Service Donation:</b></u></p>
                            <ul>
                              <li>Waive bounty service fees</li>
                              <li>Donate HackerOne Enterprise and a
                                dedicated success manager for min 2
                                years.</li>
                            </ul>
                            <p>FREE Program</p>
                            <ul>
                              <li>Security@ Workflow</li>
                              <li>Hacker Reputation</li>
                              <li>Intelligent Duplication Detection</li>
                              <li>Automation</li>
                              <li>Issue Tracker Integration</li>
                              <li>Analytics Dashboard</li>
                            </ul>
                            <p>PROFESSIONAL Program ($2k/mo)</p>
                            <ul>
                              <li>Everything in Free</li>
                              <li>Advanced Hacker Matching</li>
                              <li>Performance Benchmarking</li>
                              <li>Launch & Optimization Guidance</li>
                              <li>Report Mediation</li>
                              <li>Reports API</li>
                            </ul>
                            <p>ENTERPRISE Program:</p>
                            <ul>
                              <li>Everything in Professional<br>
                              </li>
                              <li>Dedicated Success Manager</li>
                              <li>Custom Analytics & Reporting</li>
                              <li>Custom Integrations</li>
                              <li>Custom Branding Theme</li>
                              <li>Communications Guidance</li>
                            </ul>
                            <p>ADD ON: Bug Bounty Global Payments
                              (Included in our deal)<br>
                            </p>
                            <p>ADD ON: HackerOne Managed - Triage,
                              Reproduction & Remediation Guidance
                              (Not included today in the proposal. 
                              Implemented by partners.  Need to
                              negotiate this.)<br>
                            </p>
                            <ul>
                              <li>Would propose to have a separate
                                instance for each project + OWASP
                                Foundation resources</li>
                              <li>Do not want anything in return. 
                                Support the OWASP Foundation and what we
                                are doing.</li>
                              <li>Have a built in leaderboard sortable
                                by timeframe</li>
                              <li>Ranks hackers based on "signal" and
                                "impact"</li>
                              <li>Have an integration with Salesforce
                                ticketing</li>
                              <li>Support a wide range of common
                                disclosure scenarios such as "public
                                disclosure".  By default they are
                                confidential.<br>
                              </li>
                            </ul>
                          </div>
                        </div>
                      </div>
                    </blockquote>
                    <br>
                  </div>
                </div>
              </div>
            </blockquote>
          </div>
          <br>
          <br clear="all">
          <div><br>
          </div>
          -- <br>
          <div class="gmail_signature">
            <div dir="ltr">
              <div>Johanna Curiel </div>
              OWASP Volunteer</div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
  </body>
</html>