<div dir="ltr">Ok, now, I think you understand what I mean, I hope. <div><br></div><div>I feel the pressure because I feel partially responsible for bringing a system into OWASP infrastructure if it has little volunteer support. </div><div><br></div><div>I think that Josh's and my reaction was because we felt the need to work out more than we actually were willing to, because of vendor neutrality, as you have mentioned yourself:</div><div>"I <span style="font-size:13px">am grateful you took the time to hear other bounty vendors out, <i>especially since I forced your hand to do so to some degree.</i>"</span></div><div><br></div><div>Wiki and reviews existed before my time, but I see very little volunteer support.<br></div><div><br></div><div>Please, I think you should not confuse Google AdWords success when people hit OWASP pages and get XSS_Filter evasion at the top. That is definitely a success with all those hits.</div><div><br></div><div>But this does not mean that the maintenance of the Wiki has not become an operational burden. And sometimes you hit some ugly, outdated pages with no relevant content.</div><div><br></div><div>Yes, the bounty was my idea, <b>but to have a 'limited scoped bounty' for only a couple of projects, and now we are talking about Wiki bounties and more.</b></div><div><br></div><div>This was my draft then:</div><div><a href="https://docs.google.com/document/d/1Br4I8jKc0tyzdBCq4ohO1LcDNL861xldMBlkA_z6v34/edit?ts=56520142#heading=h.o4xhmfj8z884" target="_blank">https://docs.google.com/document/d/1Br4I8jKc0tyzdBCq4ohO1LcDNL861xldMBlkA_z6v34/edit?ts=56520142#heading=h.o4xhmfj8z884</a><br></div><div><br></div><div>With this limited bounty program I proposed, we only target some libraries. If we go into a barter deal, are we not overpaying?</div><div>I think this is what Paul was trying to say when we wanted PRnewswire. 
Why pay so much money when we won't be using this?</div><div><br></div><div>I would like to have a serious discussion around sustainability, if we are seriously planning to bring the Wiki into the equation. </div><div><br></div><div>Especially because of the lack of volunteers for these initiatives. </div><div><br></div><div>So yes, I have my doubts and I just expect to get from the board and management some answers regarding this. That's why we need to see how to make this sustainable before bringing in more systems and barter dealing them.</div><div><br></div><div>BTW, I will run the HackerOne bounty for CSRFGuard as this platform offers me everything we need for free, and I can limit the scope.</div><div><br></div><div>That said, I'm happy you forced us to find out more, in the name of vendor neutrality. I think Josh was glad about these findings too.</div><div><br></div><div>Cheers</div><div><br></div><div>Johanna</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Feb 20, 2016 at 9:11 PM, Jim Manico <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    My apologies, Johanna. What I was trying to say is that no one should
    put pressure on you to do work at OWASP as a volunteer; you should
    do work that makes you feel happy!<br>
    <br>
    That is all I was trying to say. My sincere apologies if I
    offended you, it was not my intention.<span class="HOEnZb"><font color="#888888"><br>
    <br>
    - Jim</font></span><div><div class="h5"><br>
    <br>
    <br>
    <div>On 2/20/16 7:10 PM, johanna curiel
      curiel wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr"><font color="#000000" face="arial, helvetica,
          sans-serif">>>I am very confused. No one asked you to do
          any work here, am I mistaken? </font>
        <div><font color="#000000" face="arial, helvetica, sans-serif"><br>
          </font></div>
        <div><font color="#000000" face="arial, helvetica, sans-serif">BTW,
            there is a nice wiki page asking for people to be
            volunteers:</font></div>
        <div><font color="#000000" face="arial, helvetica, sans-serif"><a href="https://www.owasp.org/index.php/Become_an_OWASP_Volunteer" target="_blank">https://www.owasp.org/index.php/Become_an_OWASP_Volunteer</a></font><font color="#500050"><b><br>
            </b></font></div>
        <div><font color="#000000" face="arial, helvetica, sans-serif"><br>
          </font></div>
        <div><font color="#000000" face="arial, helvetica, sans-serif">Yes,
            I think that quite contradicts that 'no one asked you to do
            any work here'...</font></div>
        <div><font color="#000000" face="arial, helvetica, sans-serif"><br>
          </font></div>
        <div><font color="#000000" face="arial, helvetica, sans-serif">Maybe it should
            be set as inactive. 😁 I would do it with all the
            pleasure... 😝</font></div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Sat, Feb 20, 2016 at 9:03 PM, Jim
          Manico <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"> I was not at all
              trying to be mean or hurtful, I was just saying that this
              is all volunteer and you do not have to work on the Bug
              Bounty program. I was worried you felt pressure here, and
              I did not think that was fair.<br>
              <br>
              I was not trying to be mean, at all.<span><font color="#888888"><br>
                  <br>
                  - Jim</font></span>
              <div>
                <div><br>
                  <br>
                  <div>On 2/20/16 7:02 PM, johanna curiel curiel wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr"><span style="color:rgb(80,0,80);font-size:13px">>>I

                        am very confused. </span><b style="color:rgb(80,0,80);font-size:13px">No one
                        asked you to do any work here, am I mistaken? </b><br>
                      <div><b style="color:rgb(80,0,80);font-size:13px"><br>
                        </b></div>
                      <div><font color="#500050">I don't think this is a
                          very nice thing to say to a volunteer.</font></div>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Sat, Feb 20, 2016 at
                        9:00 PM, Jim Manico <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div bgcolor="#FFFFFF" text="#000000"><span>
                              <div><br>
                              </div>
                              <div><font color="#500050"><b>> Thats
                                    counts for every volunteer I
                                    assume...</b></font></div>
                              <br>
                            </span> Of course it does, me too! :) There
                            are about 10 folks active on the wiki who I
                            talk to on a very regular basis. In my
                            experience we all really enjoy messin' with
                            the wiki and have a lot of fun interacting
                            with each other. It's satisfying and we all
                            learn in the process. <br>
                            <br>
                            Wiki work brings a lot of joy to me in my
                            OWASP interactions so imma going to keep
                            doing it. These are folks who are really
                            sharp about application security, enjoy
                            debating the finer points and are happy to
                            contribute some of their expertise to the
                            foundation. No one forced any of the wiki
                            (or project) folks to contribute. They want
                            to. :)<br>
                            <br>
                            Aloha,<br>
                            Jim<br>
                            <br>
                            Not bad traffic for wiki pages<br>
                            <br>
                            2.1 million <a href="https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet" target="_blank">https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet</a><br>
                            1.9 million <a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet" target="_blank">https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet</a><br>
                            <br>
                            <div><br>
                              <br>
                              <br>
                            </div>
                            <blockquote type="cite"><span>
                                <div dir="ltr"><span style="color:rgb(80,0,80);font-size:13px">>>I


                                    am very confused. </span><b style="color:rgb(80,0,80);font-size:13px">No
                                    one asked you to do any work here,
                                    am I mistaken? </b><br>
                                  <div><br>
                                  </div>
                                  <div><font color="#500050"><b>Thats
                                        counts for every volunteer I
                                        assume...</b></font></div>
                                </div>
                              </span>
                              <div class="gmail_extra"><br>
                                <div class="gmail_quote"><span>On Sat,
                                    Feb 20, 2016 at 8:50 PM, Jim Manico
                                    <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span>
                                    wrote:<br>
                                  </span>
                                  <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                    <div bgcolor="#FFFFFF" text="#000000"><span><span> > I
                                          don't think you have read
                                          properly what I'm trying to
                                          say, which is, that these
                                          activities, where there seems
                                          to be a need for operational
                                          support, such as reviewing or
                                          wiki editing, do not have
                                          enough traction from volunteer
                                          efforts and are therefore not
                                          sustainable. Many talk cheap
                                          and in the end, not enough
                                          people to back up operations.<br>
                                          <br>
                                        </span> Right. Wiki could use
                                        more help, but the Bug Bounty
                                        proposals include significant <b>vendor</b>
                                        support. I think that will work
                                        well.</span>
                                      <div>
                                        <div><span><br>
                                            > If you consider the
                                            wiki a success, (with XSS
                                            fiasco included) then you
                                            have not read the responses
                                            people provided on the
                                            survey I did where 50
                                            members of our community
                                            responded. Have you read what
                                            they say?<br>
                                            <br>
                                          </span> Fiasco? We found and
                                          fixed bugs. That's good. The
                                          world keeps on spinning. Yes,
                                          I know of the complaints from
                                          the 50 folks in your survey,
                                          and I agree with those
                                          concerns. But you must have
                                          missed the many <b>millions</b>
                                          of page hits on <b>several</b> 
                                          wiki pages and other
                                          documentation projects...<br>
                                          <br>
                                          Johanna, I do not know why you
                                          keep targeting me in these
                                          emails. I am just one board
                                          member - one that you
                                          apparently do not like or have
                                          respect for. Maybe consider
                                          talking to other board members
                                          if you are not happy with my
                                          actions. In the meantime, I am
                                          going to do a little wiki work
                                          tonight.<br>
                                          <br>
                                          If you have sustainable ideas
                                          for these programs, by all
                                          means let's hear them. If there
                                          are things you need me to
                                          read, let me know. I am doing
                                          my best in my limited time as
                                          a volunteer.<br>
                                          <br>
                                          Aloha,<br>
                                          - Jim
                                          <div>
                                            <div><br>
                                              <br>
                                              <br>
                                              <div>On 2/20/16 6:43 PM,
                                                johanna curiel curiel
                                                wrote:<br>
                                              </div>
                                              <blockquote type="cite">
                                                <div dir="ltr"><span style="font-size:13px">>>I

                                                    am very confused. <b>No
                                                      one asked you to
                                                      do any work here,
                                                      am I mistaken? </b></span><br>
                                                  <div><span style="font-size:13px"><br>
                                                    </span></div>
                                                  <div>Exactly, <i><u>thank
                                                        you for making
                                                        that clear.</u></i></div>
                                                  <div><br>
                                                  </div>
                                                  <div>I don't think you
                                                    have read properly
                                                    what I'm trying to
                                                    say, which is, that
                                                    these activities,
                                                    where there seems to
                                                    be a need for
                                                    operational support,
                                                    such as reviewing or
                                                    wiki editing, do
                                                    not have enough
                                                    traction from
                                                    volunteer efforts
                                                    and are therefore not
                                                    sustainable. Many
                                                    talk cheap and in
                                                    the end, not enough
                                                    people to back up
                                                    operations.</div>
                                                  <div><br>
                                                  </div>
                                                  <div>If you consider
                                                    the wiki a success,
                                                    (with XSS fiasco
                                                    included) then you
                                                    have not read the
                                                    responses people
                                                    provided on the
                                                    survey I did where
                                                    50 members of our
                                                    community
                                                    responded. Have you
                                                    read what they say?</div>
                                                  <div><br>
                                                  </div>
                                                  <div>I'm looking for a
                                                    discussion around
                                                    solutions and
                                                    creating initiatives
                                                    that are
                                                    sustainable. </div>
                                                  <div><br>
                                                  </div>
                                                  <div>Once again Jim,
                                                    thank you for making
                                                    it very clear to me
                                                    how you think. </div>
                                                  <div><br>
                                                  </div>
                                                  <div>I was expecting
                                                    some discussion
                                                    around
                                                    sustainability.</div>
                                                  <div><br>
                                                  </div>
                                                  <div>Cheers</div>
                                                  <div><br>
                                                  </div>
                                                  <div>Johanna</div>
                                                </div>
                                                <div class="gmail_extra"><br>
                                                  <div class="gmail_quote">On
                                                    Sat, Feb 20, 2016 at
                                                    8:29 PM, Jim Manico
                                                    <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span>
                                                    wrote:<br>
                                                    <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                      <div bgcolor="#FFFFFF" text="#000000">
                                                        Johanna,<br>
                                                        <br>
                                                        All I asked is
                                                        that we give
                                                        other vendors a
                                                        chance to
                                                        propose a bug
                                                        bounty program
                                                        instead of just
                                                        choosing one
                                                        vendor. I am not
                                                        "the decider"
                                                        here. I did not
                                                        initiate the bug
                                                        bounty program
                                                        nor do I
                                                        disagree with
                                                        all of your
                                                        comments below.
                                                        I am sure we
                                                        will face
                                                        several
                                                        challenges. I
                                                        still think it's
                                                        a good idea to
                                                        try and I'm
                                                        grateful Josh is
                                                        taking a
                                                        leadership
                                                        position here.<span><br>
                                                          <br>
                                                          > I'm out
                                                          of this
                                                          equation
                                                          regarding any
                                                          decisions of a
                                                          bounty program
                                                          and management
                                                          of it in the
                                                          future.<br>
                                                          <br>
                                                        </span> For
                                                        someone who is
                                                        "out of the
                                                        equation" you
                                                        sure have a lot
                                                        to say! No one
                                                        is asking you to
                                                        do any work.
                                                        You are a
                                                        volunteer (like
                                                        me) and you do
                                                        as you like when
                                                        you feel like it
                                                        and that is ok.<br>
                                                        <br>
                                                        > Wiki have
                                                        shown that
                                                        volunteer based
                                                        does not work.<br>
                                                        <br>
                                                        I strongly
                                                        disagree. I know
                                                        the wiki is
                                                        tough for some
                                                        to read, and it
                                                        needs work, but
                                                        several pages
                                                        have received
                                                        millions of hits
                                                        and have helped
                                                        many on several
                                                        issues. I know
                                                        the wiki needs
                                                        work, but I am
                                                        proud of the
                                                        accomplishments
                                                        of the thousands
                                                        of volunteers
                                                        who have
                                                        contributed to
                                                        that knowledge
                                                        base in some
                                                        way. <br>
                                                        <span> <br>
                                                          >
                                                          Therefore, I
                                                          prefer to
                                                          abstain from
                                                          participating in
                                                          this bounty
                                                          initiative
                                                          because my
                                                          workload has
                                                          multiplied by
                                                          the dozen, and
                                                          as a
                                                          volunteer, I
                                                          cannot provide
                                                          any guarantees
                                                          of my
                                                          availability
                                                          in the future.<br>
                                                          <br>
                                                        </span> I am
                                                        very confused.
                                                        No one asked you
                                                        to do any work
                                                        here, am I
                                                        mistaken? I do
                                                        not understand
                                                        why you are
                                                        upset or are
                                                        abstaining in
                                                        something that I
                                                        did not even
                                                        know you were a
                                                        part of. I just
                                                        recall you (and
                                                        Josh) getting
                                                        very upset that
                                                        I even suggested
                                                        we look at other
                                                        vendor
                                                        proposals....
                                                        First you
                                                        suggest we get a
                                                        specific vendor
                                                        for an OWASP bug
                                                        bounty program,
                                                        then you get
                                                        upset that I
                                                        suggested we
                                                        discuss this
                                                        with other
                                                        vendors, and now
                                                        you are abstaining.
                                                        It's hard for me
                                                        to follow what
                                                        you want here. I
                                                        have watched you
                                                        email the world
                                                        about "taking on
                                                        an initiative"
                                                        and then quit
                                                        several times
                                                        now that I am
                                                        having a lot of
                                                        trouble
                                                        following your
                                                        work and needs.
                                                        And I have done
                                                        this a few times
                                                        myself, I'm not
                                                        perfect. But I
                                                        do keep trying.<span><br>
<br>
> This counts for the review process. This is the reason why we, Enrico and I, proposed to decentralise and focus on a platform. Even so, this platform is highly dependent on volunteers. So far, only 6 members have voted for Graduation of the OWASP security project. We lack participation. I feel like no one cares. Or people just don't want to participate in this kind of thing. I have no freaking idea.<br>
<br>
</span> Johanna, if you are not satisfied with your volunteer activities, then I suggest you find another way to lend support at OWASP (there are many many things going on with application security) or <b>take a break and take some time off</b>. OWASP is not supposed to get you angry or make you feel unsatisfied. It's Saturday night and I'm stuck in Chicago so I'm going to work on a few wiki tasks on my plate because that gives me a lot of satisfaction - even in the face of other folks, like yourself, who do not see the value in the wiki. I do - so I'm going to keep at it.<span><br>
<br>
> Furthermore, you end as a solo-player, nobody gives you thanks, when all you are trying to do is help, burning your free time chasing waterfalls. (That counts for you with the wiki editing of +8000 pages, I guess all you hear is criticism just as I do, and people just tend to forget we are not OWASP staff, we are volunteers)<br>
<br>
</span> Yea, I think that if you join OWASP because you want "thanks" - you're in it for the wrong reason. Johanna, I have seen folks give you MANY compliments - over and over and over - on big public lists - from folks all over the world - and it does not seem to be enough for you, so I do not know what to tell you. I do the work I do at OWASP because I believe in it and find the value in it. I don't want thanks - I actually dislike getting public thanks - I just want more volunteers involved. And I find that leading by example helps. There are quite a few folks working on the wiki with me. I am super grateful for them all. Generating new content is not an issue, dealing with older content is.<span><br>
<br>
> Whatever the reason, the effect is, volunteer-based initiatives such as the wiki, reviews and possibly the Bounty program do not seem to work. <br>
<br>
</span> This is a fair point regarding the bug bounty program. Please keep in mind that several of the bounty programs proposed would be vendor driven, not volunteer driven. It's not decided yet nor is it my call (or even charge). This thread started because I asked to be vendor neutral, and if this was to start over I'd do the same.<br>
<br>
Have a nice Saturday night. I'm off to work on the Java wiki page and do a little cleanup.<br>
<br>
Aloha,<br>
- Jim
<div>
<div><br>
<br>
<div>On 2/20/16 11:14 AM, johanna curiel curiel wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">>><span style="font-size:13px">I trust those involved will make a good decision here. </span>
<div><br>
</div>
<div>>><span style="font-size:13px">First, the current proposal <u>does not include the triage, reproduction, and remediation piece</u> (the Bugcrowd one does). After speaking with them about this, they explained that it is because there are additional costs involved with that because they partner with other companies to provide that service. That said, they offered to talk to one of their partners and had a strong belief that they could offer this to us as well.</span><br>
<div><span style="font-size:13px"><br>
</span></div>
<div><span style="font-size:13px">Hi Jim.</span></div>
<div><span style="font-size:13px"><br>
</span></div>
<div>I'm all in favour of vendor neutrality at all times. I admire your pro-activeness in these matters, however, at this point, I'm out of this equation regarding any decisions of a bounty program and management of it in the future.</div>
<div><br>
</div>
<div>One of the major problems we have is to create sustainable initiatives. I'm a volunteer with limited time. My availability will vary a lot and this is common for volunteers.</div>
<div><br>
</div>
<div>I think it is important that we ask ourselves who will be accountable for the system we bring in and able to manage this continuously. Volunteer based, I'm not convinced. </div>
<div><br>
</div>
<div>Wiki and Reviews have shown that volunteer based does not work. Therefore, I prefer to abstain from participating in this bounty initiative because my workload has multiplied by the dozen, and as a volunteer, I cannot provide any guarantees of my availability in the future.</div>
<div><br>
</div>
<div>This counts for the review process. This is the reason why we, Enrico and I, proposed to decentralise and focus on a platform. Even so, this platform is highly dependent on volunteers. So far, only 6 members have voted for Graduation of the OWASP security project. We lack participation. I feel like no one cares. Or people just don't want to participate in this kind of thing. I have no freaking idea.</div>
<div><br>
</div>
<div>So far, there have not been any reviewers that have worked on reviews since we restarted this initiative. Even before, when Claudia started offering Amazon cards in exchange for reviews, only 2 persons participated for 2 reviews on different projects. We keep on looking, I believe Claudia has contacted them, but in the end, nothing.</div>
<div><br>
</div>
<div>I took many hours to build that criteria and let people comment and collaborate, so we make this process easier. There has been some participation, but from very few. We provide the community with all the opportunities to participate but still, there is a lack of interest in this subject.</div>
<div><br>
</div>
<div>I spoke with Jason Li, and even in an interview you did with him in 2008, he had the same idea of providing a platform for participation, but people don't want to volunteer for these kinds of tasks, just as happens with the wiki.</div>
<div><br>
</div>
                                                          <div>Furthermore, you end up as a solo player; nobody thanks you when all you are trying to do is help, burning your free time chasing waterfalls. (That counts for you with the wiki editing of 8000+ pages; I guess all you hear is criticism, just as I do, and people just tend to forget we are not OWASP staff, we are volunteers.)</div>
                                                          <div><br>
                                                          </div>
                                                          <div>I think it is time that, from the operational management point of view, we revise all these actions and have a very serious talk about this.</div>
                                                          <div>
                                                          <ul>
                                                          <li>Are they sustainable on a volunteer-only basis?</li>
                                                          <li>What has the experience shown?</li>
                                                          <li>Why does OWASP lack volunteers to help on these tasks?</li>
                                                          <li>Is the workload too big to expect volunteers to do this?</li>
                                                          <li>Is this a community that has no time to do this kind of work?</li>
                                                          <li>Do they actually want to do these kinds of tasks?</li>
                                                          </ul>
                                                          </div>
                                                          <div>Volunteers are volunteers; they are not a workforce, nor can you expect the same output. You cannot expect anything from them.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>A volunteer must feel he gains something back for giving his time. If there is no exchange on this part, if he does not feel valued or that his work matters, or does not enjoy what he does, then, I think, volunteer work stops. For me, it must have a meaning, that what I do matters.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>Whatever the reason, the effect is that volunteer-based initiatives such as the wiki, reviews and possibly the Bounty program do not seem to work.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>We should evaluate this before we keep bringing in systems that cannot be sustained on a volunteer basis.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>Cheers</div>
                                                          <div><br>
                                                          </div>
                                                          <div>Johanna</div>
                                                          <div><br>
                                                          </div>
                                                          </div>
                                                          <div class="gmail_extra"><br>
                                                          <div class="gmail_quote">On

                                                          Sat, Feb 20,
                                                          2016 at 12:17
                                                          AM, Jim Manico
                                                          <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank"></a><a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span>
                                                          wrote:<br>
                                                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                          <div bgcolor="#FFFFFF" text="#000000">
                                                          Josh,<br>
                                                          <br>
                                                          I am grateful you took the time to hear other bounty vendors out, especially since I forced your hand to do so to some degree.<br>
                                                          <br>
                                                          I trust those involved will make a good decision here.<br>
                                                          <br>
                                                          I do not have a charge over this and do not want to interfere, but if you want my assistance just ask.<br>
                                                          <br>
                                                          Aloha,<br>
                                                          Jim
                                                          <div>
                                                          <div><br>
                                                          <br>
                                                          <br>
                                                          <div>On 2/19/16 4:07 PM, Josh Sokol wrote:<br>
                                                          </div>
                                                          <blockquote type="cite">
                                                          <div dir="ltr">
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>I went ahead and spoke with HackerOne this afternoon even though others were unable to make it. I'm going to be mostly out-of-pocket over the next couple of weeks, but at least wanted to be informed. I took some notes, included below, but had a couple of things that are worth mentioning here. First, the current proposal does not include the triage, reproduction, and remediation piece (the Bugcrowd one does). After speaking with them about this, they explained that it is because there are additional costs involved with that, because they partner with other companies to provide that service. That said, they offered to talk to one of their partners and had a strong belief that they could offer this to us as well. With that, I think that what they are offering is pretty much equivalent to what Bugcrowd is offering. That said, the ask is **VERY** different. While Bugcrowd is looking for an OWASP Platinum sponsorship package in exchange for their services, HackerOne is literally asking for nothing. They said that they are big supporters of the OWASP Foundation and what we stand for and want to do this to help us out. I was not expecting this, but am extremely happy with what I heard from them. We haven't talked to Cobalt yet, but my gut at this point is that HackerOne would make for a great partner on this and I would recommend, if we were to accept their offer, providing them with a logo placement on the supporter page (as a minimum) as a token of our appreciation.<br>
                                                          <br>
                                                          </div>
                                                          <div>So, I realize that we still have one more vendor to talk to, but HackerOne looks really good. With Johanna out-of-pocket for the foreseeable future, I wanted to make a recommendation to pull Simon Bennetts (if he is willing) into this evaluation process. I think that a bug bounty program would be of huge benefit to his efforts, and would like to get his impression of the value of such a tool for his project. Simon, would you be willing to hop on a call with the HackerOne folks to take a look at their platform? Or, if you'd prefer, we have access to the platform already and can get you an account to poke around with on your own.<br>
                                                          <br>
                                                          </div>
                                                          <div>In any case, notes are below. Have a great weekend!<br>
                                                          <br>
                                                          </div>
                                                          <div>~josh<br>
                                                          </div>
                                                          <div><br>
                                                          <u><b>Your Platform:</b></u><br>
                                                          </div>
                                                          <ul>
                                                          <li>Workflow & Automation: Focused on engineering the world's most advanced vulnerability coordination platform.</li>
                                                          <li>Signal: Numerous systems, such as Reputation and hackbot, dedicated to ensuring high signal programs.</li>
                                                          <li>Transparent: All hackers have a profile, history and reputation. Advanced public disclosure workflow when needed.</li>
                                                          </ul>
                                                          </div>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          <u><b>You are in Control:</b></u><br>
                                                          </div>
                                                          <ul>
                                                          <li>Flexible:
                                                          Run private or
                                                          public
                                                          programs, with
                                                          or without
                                                          bounties,
                                                          managed or
                                                          unmanaged.<br>
                                                          </li>
                                                          <li>Ownership:
                                                          You own your
                                                          data. 
                                                          HackerOne
                                                          makes no
                                                          claims on
                                                          Vulnerability
                                                          Information.<br>
                                                          </li>
                                                          <li>Multiparty
                                                          Coordination:
                                                          Easily pull
                                                          other vendors
                                                          or external
                                                          parties into a
                                                          case.</li>
                                                          </ul>
                                                          <p><u><b>Service
                                                          Donation:</b></u></p>
                                                          <ul>
                                                          <li>Waive
                                                          bounty service
                                                          fees</li>
                                                          <li>Donate
                                                          HackerOne
                                                          Enterprise and
                                                          a dedicated
                                                          success
                                                          manager for a
                                                          minimum of 2 years.</li>
                                                          </ul>
                                                          <p>FREE
                                                          Program:</p>
                                                          <ul>
                                                          <li>Security@
                                                          Workflow</li>
                                                          <li>Hacker
                                                          Reputation</li>
                                                          <li>Intelligent
                                                          Duplication
                                                          Detection</li>
                                                          <li>Automation</li>
                                                          <li>Issue
                                                          Tracker
                                                          Integration</li>
                                                          <li>Analytics
                                                          Dashboard</li>
                                                          </ul>
                                                          <p>PROFESSIONAL
                                                          Program
                                                          ($2k/mo):</p>
                                                          <ul>
                                                          <li>Everything
                                                          in Free</li>
                                                          <li>Advanced
                                                          Hacker
                                                          Matching</li>
                                                          <li>Performance
                                                          Benchmarking</li>
                                                          <li>Launch
                                                          &
                                                          Optimization
                                                          Guidance</li>
                                                          <li>Report
                                                          Mediation</li>
                                                          <li>Reports
                                                          API</li>
                                                          </ul>
                                                          <p>ENTERPRISE
                                                          Program:</p></div></div></div></blockquote></div></div></div></blockquote></div></div></div></blockquote></div></div></div></blockquote></div></div></blockquote></div></div></div></div></div></blockquote></div></div></blockquote></div></blockquote></div></div></blockquote></div></div></div></blockquote></div></div></blockquote></div></div></div>...<br><br>[Message clipped]  </blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div>Johanna Curiel </div>OWASP Volunteer</div></div>
</div>