<div dir="ltr"><font color="#000000" face="arial, helvetica, sans-serif">>>I am very confused. No one asked you to do any work here, am I mistaken? </font><div><font color="#000000" face="arial, helvetica, sans-serif"><br></font></div><div><font color="#000000" face="arial, helvetica, sans-serif">BTW, there is a nice wiki page asking for people to be volunteers:</font></div><div><font color="#000000" face="arial, helvetica, sans-serif"><a href="https://www.owasp.org/index.php/Become_an_OWASP_Volunteer">https://www.owasp.org/index.php/Become_an_OWASP_Volunteer</a></font><font color="#500050"><b><br></b></font></div><div><font color="#000000" face="arial, helvetica, sans-serif"><br></font></div><div><font color="#000000" face="arial, helvetica, sans-serif">Yes, I think that quite contradicts that 'no one asked you to do any work here'...</font></div><div><font color="#000000" face="arial, helvetica, sans-serif"><br></font></div><div><font color="#000000" face="arial, helvetica, sans-serif">Maybe it should be set as inactive. 😁 I would do it with all the pleasure... 😝</font></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Feb 20, 2016 at 9:03 PM, Jim Manico <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    I was not at all trying to be mean or hurtful, I was just saying
    that this is all volunteer and you do not have to work on the Bug
    Bounty program. I was worried you felt pressure here, and I did not
    think that was fair.<br>
    <br>
    I was not trying to be mean, at all.<span class="HOEnZb"><font color="#888888"><br>
    <br>
    - Jim</font></span><div><div class="h5"><br>
    <br>
    <div>On 2/20/16 7:02 PM, johanna curiel
      curiel wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr"><span style="color:rgb(80,0,80);font-size:13px">>>I
          am very confused. </span><b style="color:rgb(80,0,80);font-size:13px">No one asked you to
          do any work here, am I mistaken? </b><br>
        <div><b style="color:rgb(80,0,80);font-size:13px"><br>
          </b></div>
        <div><font color="#500050">I don't think this is a very nice
            thing to say to a volunteer.</font></div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Sat, Feb 20, 2016 at 9:00 PM, Jim
          Manico <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"><span>
                <div><br>
                </div>
                <div><font color="#500050"><b>> That counts for
                      every volunteer I assume...</b></font></div>
                <br>
              </span> Of course it does, me too! :) There are about 10
              folks active on the wiki who I talk to on a very regular
              basis. In my experience we all really enjoy messin' with
              the wiki and have a lot of fun interacting with each
              other. It's satisfying and we all learn in the process. <br>
              <br>
              Wiki work brings a lot of joy to me in my OWASP
              interactions so imma going to keep doing it. These are
              folks who are really sharp about application security,
              enjoy debating the finer points and are happy to
              contribute some of their expertise to the foundation. No
              one forced any of the wiki (or project) folks to
              contribute. They want to. :)<br>
              <br>
              Aloha,<br>
              Jim<br>
              <br>
              Not bad traffic for wiki pages<br>
              <br>
              2.1 million <a href="https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet" target="_blank">https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet</a><br>
              1.9 million
              <a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet" target="_blank">https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet</a><br>
              <br>
              <div><br>
                <br>
                <br>
              </div>
              <blockquote type="cite"><span>
                  <div dir="ltr"><span style="color:rgb(80,0,80);font-size:13px">>>I

                      am very confused. </span><b style="color:rgb(80,0,80);font-size:13px">No one
                      asked you to do any work here, am I mistaken? </b><br>
                    <div><br>
                    </div>
                    <div><font color="#500050"><b>That counts for every
                          volunteer I assume...</b></font></div>
                  </div>
                </span>
                <div class="gmail_extra"><br>
                  <div class="gmail_quote"><span>On Sat, Feb
                      20, 2016 at 8:50 PM, Jim Manico <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span>
                      wrote:<br>
                    </span>
                    <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div bgcolor="#FFFFFF" text="#000000"><span><span> > I don't think you have
                            read properly what I'm trying to say, which
                            is, that these activities, where there seems
                            to be a need for operational support, such
                            as reviewing or wiki editing, does not have
                            enough traction from volunteer efforts and
                            therefore is not sustainable. Many talk cheap
                            and in the end, not enough people to back up
                            operations.<br>
                            <br>
                          </span> Right. Wiki could use more help, but
                          the Bug Bounty proposals include significant <b>vendor</b>
                          support. I think that will work well.</span>
                        <div>
                          <div><span><br>
                              > If you consider the wiki a success,
                              (with XSS fiasco included) then you have
                              not read the responses people provided on
                              the survey I did where 50 members of our
                              community responded. Have you read what
                              they say?<br>
                              <br>
                            </span> Fiasco? We found and fixed bugs.
                            That's good. The world keeps on spinning.
                            Yes, I know of the complaints from the 50
                            folks in your survey, and I agree with those
                            concerns. But you must have missed the many
                            <b>millions</b> of page hits on <b>several</b> 
                            wiki pages and other documentation
                            projects...<br>
                            <br>
                            Johanna, I do not know why you keep
                            targeting me in these emails. I am just one
                            board member - one that you apparently do
                            not like or have respect for. Maybe consider
                            talking to other board members if you are
                            not happy with my actions. In the meantime,
                            I am going to do a little wiki work tonight.<br>
                            <br>
                            If you have sustainable ideas for these
                            programs, by all means let's hear them. If
                            there are things you need me to read, let me
                            know. I am doing my best in my limited time
                            as a volunteer.<br>
                            <br>
                            Aloha,<br>
                            - Jim
                            <div>
                              <div><br>
                                <br>
                                <br>
                                <div>On 2/20/16 6:43 PM, johanna curiel
                                  curiel wrote:<br>
                                </div>
                                <blockquote type="cite">
                                  <div dir="ltr"><span style="font-size:13px">>>I
                                      am very confused. <b>No one asked
                                        you to do any work here, am I
                                        mistaken? </b></span><br>
                                    <div><span style="font-size:13px"><br>
                                      </span></div>
                                    <div>Exactly, <i><u>thank you for
                                          making that clear.</u></i></div>
                                    <div><br>
                                    </div>
                                    <div>I don't think you have read
                                      properly what I'm trying to say,
                                      which is, that these activities,
                                      where there seems to be a need for
                                      operational support, such as
                                      reviewing or wiki editing, does
                                      not have enough traction from
                                      volunteer efforts and is therefore
                                      not sustainable. Many talk cheap
                                      and in the end, not enough people
                                      to back up operations.</div>
                                    <div><br>
                                    </div>
                                    <div>If you consider the wiki a
                                      success, (with XSS fiasco
                                      included) then you have not read
                                      the responses people provided on
                                      the survey I did where 50 members
                                      of our community responded. Have
                                      you read what they say?</div>
                                    <div><br>
                                    </div>
                                    <div>I'm looking for a discussion
                                      around solutions and creating
                                      initiatives that are sustainable. </div>
                                    <div><br>
                                    </div>
                                    <div>Once again Jim, thank you for
                                      making it very clear to me how you
                                      think. </div>
                                    <div><br>
                                    </div>
                                    <div>I was expecting some
                                      discussions around sustainability.</div>
                                    <div><br>
                                    </div>
                                    <div>Cheers</div>
                                    <div><br>
                                    </div>
                                    <div>Johanna</div>
                                  </div>
                                  <div class="gmail_extra"><br>
                                    <div class="gmail_quote">On Sat, Feb
                                      20, 2016 at 8:29 PM, Jim Manico <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span>
                                      wrote:<br>
                                      <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                        <div bgcolor="#FFFFFF" text="#000000"> Johanna,<br>
                                          <br>
                                          All I asked is that we give
                                          other vendors a chance to
                                          propose a bug bounty program
                                          instead of just choosing one
                                          vendor. I am not "the decider"
                                          here. I did not initiate the
                                          bug bounty program nor do I
                                          disagree with all of your
                                          comments below. I am sure we
                                          will face several challenges.
                                          I still think it's a good idea
                                          to try and I'm grateful Josh
                                          is taking a leadership
                                          position here.<span><br>
                                            <br>
                                            > I'm out of this
                                            equation regarding any
                                            decisions of a bounty
                                            program and management of it
                                            in the future.<br>
                                            <br>
                                          </span> For someone who is
                                          "out of the equation" you sure
                                          have a lot to say! No one is
                                          asking you to do - any work.
                                          You are a volunteer (like me)
                                          and you do as you like when
                                          you feel like it and that is
                                          ok.<br>
                                          <br>
                                          > Wiki have shown that
                                          volunteer based does not work.<br>
                                          <br>
                                          I strongly disagree. I know
                                          the wiki is tough for some to
                                          read, and it needs work, but
                                          several pages have received
                                          millions of hits and have
                                          helped many on several issues.
                                          I know the wiki needs work,
                                          but I am proud of the
                                          accomplishments of the
                                          thousands of volunteers who
                                          have contributed to that
                                          knowledge base in some way. <br>
                                          <span> <br>
                                            > Therefore, I prefer to
                                            abstain from participating in
                                            this bounty initiative
                                            because my workload has
                                            multiplied by the dozen, and
                                            as a volunteer, I cannot
                                            provide any guarantees of my
                                            availability in the future.<br>
                                            <br>
                                          </span> I am very confused. No
                                          one asked you to do any work
                                          here, am I mistaken? I do not
                                          understand why you are upset
                                          or are abstaining in something
                                          that I did not even know you
                                          were a part of. I just recall
                                          you (and Josh) getting very
                                          upset that I even suggested we
                                          look at other vendor
                                          proposals.... First you
                                          suggest we get a specific
                                          vendor for an OWASP bug bounty
                                          program, then you get upset
                                          that I suggested we discuss
                                          this with other vendors, and
                                          now you are abstaining. It's hard
                                          for me to follow what you want
                                          here. I have watched you email
                                          the world about "taking on an
                                          initiative" and then quit
                                          several times now, that I am
                                          having a lot of trouble
                                          following your work and needs.
                                          And I have done this a few
                                          times myself, I'm not perfect.
                                          But I do keep trying.<span><br>
                                            <br>
                                            > This counts for the
                                            review process. This is the
                                            reason why we,  Enrico and
                                            I, proposed to decentralise
                                            and focus on a platform.
                                            Even so, this platform is
                                            highly dependable on
                                            volunteers. So far, only 6
                                            members have voted for
                                            Graduation of the OWASP
                                            security project. We lack
                                            participation. I feel like
                                            no one cares. Or people just
                                            don't want to participate in
                                            this kind of thing. I have no
                                            freaking idea.<br>
                                            <br>
                                          </span> Johanna, if you are
                                          not satisfied with your
                                          volunteer activities, then I
                                          suggest you find another way
                                          to lend support at OWASP
                                          (there are many many things
                                          going on with application
                                          security) or <b>take a break
                                            and take some time off</b>.
                                          OWASP is not supposed to get
                                          you angry or make you feel
                                          unsatisfied.  It's Saturday
                                          night and I'm stuck in Chicago
                                          so I'm going to work on a few
                                          wiki tasks on my plate because
                                          that gives me a lot of
                                          satisfaction - even in the
                                          face of other folks, like
                                          yourself, who do not see the
                                          value in the wiki. I do - so
                                          I'm going to keep at it.<span><br>
                                            <br>
                                            > Furthermore, you end as
                                            a solo-player, nobody gives
                                            you thanks, when all you are
                                            trying to do is help,
                                            burning your free time
                                            chasing waterfalls. (That
                                            counts for you with the wiki
                                            editing of +8000 pages, I
                                            guess all you hear is
                                            criticism just as I do, and
                                            people just tend to forget
                                            we are not OWASP staff, we
                                            are volunteers)<br>
                                            <br>
                                          </span> Yea, I think that if
                                          you join OWASP because you
                                          want "thanks" - you're in it
                                          for the wrong reason. Johanna,
                                          I have seen folks give you
                                          MANY compliments - over and
                                          over and over - on big public
                                          lists - from folks all over
                                          the world - and it does not
                                          seem to be enough for you, so
                                          I do not know what to tell
                                          you. I do the work I do at
                                          OWASP because I believe in it
                                          and find the value in it. I
                                          don't want thanks - I actually
                                          dislike getting public thanks
                                          - I just want more volunteers
                                          involved. And I find that
                                          leading by example helps.
                                          There are quite a few folks
                                          working on the wiki with me. I
                                          am super grateful for them
                                          all. Generating new content is
                                          not an issue, dealing with
                                          older content is.<span><br>
                                            <br>
                                            > Whatever the reason,
                                            the effect is, volunteer
                                            based initiatives such as the wiki,
                                            reviews and possibly the Bounty
                                            program, do not seem to
                                            work. <br>
                                            <br>
                                          </span> This is a fair point
                                          regarding the bug bounty
                                          program. Please keep in mind
                                          that several of the bounty
                                          programs proposed would be
                                          vendor driven, not volunteer
                                          driven. It's not decided yet
                                          nor is it my call (or even
                                          charge). This thread started
                                          because I asked to be vendor
                                          neutral, and if this was to
                                          start over I'd do the same.<br>
                                          <br>
                                          Have a nice Saturday night.
                                          I'm off to work on the Java
                                          wiki page and do a little
                                          cleanup.<br>
                                          <br>
                                          Aloha,<br>
                                          - Jim
                                          <div>
                                            <div><br>
                                              <br>
                                              <div>On 2/20/16 11:14 AM,
                                                johanna curiel curiel
                                                wrote:<br>
                                              </div>
                                              <blockquote type="cite">
                                                <div dir="ltr">>><span style="font-size:13px">I trust those involved will make a good decision
                                                    here. </span>
                                                  <div><br>
                                                  </div>
                                                  <div>>><span style="font-size:13px">First,

                                                      the current
                                                      proposal <u>does
                                                        not include the
                                                        triage,
                                                        reproduction,
                                                        and remediation
                                                        piece</u> (the
                                                      Bugcrowd one
                                                      does).  After
                                                      speaking with them
                                                      about this, they
                                                      explained that it
                                                      is because there
                                                      is additional
                                                      costs involved
                                                      with that because
                                                      they partner with
                                                      other companies to
                                                      provide that
                                                      service.  That
                                                      said, they offered
                                                      to talk to one of
                                                      their partners and
                                                      had a strong
                                                      belief that they
                                                      could offer this
                                                      to us as well.</span><br>
                                                    <div><span style="font-size:13px"><br>
                                                      </span></div>
                                                    <div><span style="font-size:13px">Hi

                                                        Jim.</span></div>
                                                    <div><span style="font-size:13px"><br>
                                                      </span></div>
                                                    <div>I'm all
                                                      in favour of
                                                      vendor neutrality
                                                      at all times. I
                                                      admire your
                                                      pro-activeness in
                                                      these matters,
                                                      however, at this
                                                      point, I'm out of
                                                      this equation
                                                      regarding any
                                                      decisions of a
                                                      bounty program and
                                                      management of it
                                                      in the future.</div>
                                                    <div><br>
                                                    </div>
                                                    <div>One of the
                                                      major problems we
                                                      have, is to create
                                                      sustainable
                                                      initiatives. I'm a
                                                      volunteer with
                                                      limited time. My
                                                      availability will
                                                      vary a lot and
                                                      this is common for
                                                      volunteers.</div>
                                                    <div><br>
                                                    </div>
                                                    <div>I think it is
                                                      important that we
                                                      ask ourselves who
                                                      will be
                                                      accountable for
                                                      the system we
                                                      bring in and able
                                                      to manage this
                                                      continuously.
                                                      Volunteer based,
                                                      I'm not
                                                      convinced. </div>
                                                    <div><br>
                                                    </div>
<div>Wiki and Reviews have shown that volunteer-based does not work. Therefore, I prefer to abstain from participating in this bounty initiative, because my workload has multiplied by the dozen and, as a volunteer, I cannot provide any guarantees of my availability in the future.</div>
                                                    <div><br>
                                                    </div>
<div>This counts for the review process. This is the reason why we, Enrico and I, proposed to decentralise and focus on a platform. Even so, this platform is highly dependent on volunteers. So far, only 6 members have voted for Graduation of the OWASP security project. We lack participation. I feel like no one cares. Or people just don't want to participate in this kind of thing. I have no freaking idea.</div>
                                                    <div><br>
                                                    </div>
<div>So far, there have not been any reviewers who have worked on reviews since we restarted this initiative. Even before, when Claudia started offering Amazon cards in exchange for reviews, only 2 persons participated, for 2 reviews on different projects. We keep on looking, I believe Claudia has contacted them, but in the end, nothing.</div>
                                                    <div><br>
                                                    </div>
<div>I took many hours to build those criteria and let people comment and collaborate, so we could make this process easier. There has been some participation, but from very few. We provide the community with all the opportunities to participate, but still there is a lack of interest in this subject.</div>
                                                    <div><br>
                                                    </div>
<div>I spoke with Jason Li, and even in an interview you did with him in 2008, he had the same idea of providing a platform for participation, but people don't want to volunteer for these kinds of tasks, just as happens with the wiki.</div>
                                                    <div><br>
                                                    </div>
<div>Furthermore, you end up as a solo player, nobody thanks you, when all you are trying to do is help, burning your free time chasing waterfalls. (That counts for you with the wiki editing of 8000+ pages; I guess all you hear is criticism, just as I do, and people just tend to forget we are not OWASP staff, we are volunteers.)</div>
                                                    <div><br>
                                                    </div>
<div>I think it is time, from the operational management point of view, to revise all these actions and have a very serious talk about this.</div>
                                                    <div>
<ul>
  <li>Are they sustainable only volunteer-based?<br>
  </li>
  <li>What has the experience shown?<br>
  </li>
  <li>Why does OWASP lack volunteers to help on these tasks?<br>
  </li>
  <li>Is the workload too big to expect volunteers to do this?</li>
  <li>Is this a community that has no time to do this kind of work?</li>
  <li>Do they actually want to do these kinds of tasks?</li>
</ul>
                                                    </div>
<div>Volunteers are volunteers; they are not a workforce, nor can you expect the same output. You cannot expect anything from them.</div>
                                                    <div><br>
                                                    </div>
<div>A volunteer must feel he gains something back for giving his time. If there is no exchange on this part, if he does not feel valued or that his work matters, or does not enjoy what he does, then, I think, volunteer work stops. For me, it must have a meaning, that what I do matters.</div>
                                                    <div><br>
                                                    </div>
<div>Whatever the reason, the effect is that volunteer-based initiatives such as the wiki, reviews and possibly the Bounty program do not seem to work.</div>
                                                    <div><br>
                                                    </div>
<div>We should evaluate this before we keep bringing in systems that cannot be sustained on a volunteer basis.</div>
                                                    <div><br>
                                                    </div>
                                                    <div>Cheers</div>
                                                    <div><br>
                                                    </div>
                                                    <div>Johanna</div>
                                                    <div><br>
                                                    </div>
                                                  </div>
                                                  <div class="gmail_extra"><br>
                                                    <div class="gmail_quote">On
                                                      Sat, Feb 20, 2016
                                                      at 12:17 AM, Jim
Manico <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span>
                                                      wrote:<br>
                                                      <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                        <div bgcolor="#FFFFFF" text="#000000">
                                                          Josh,<br>
                                                          <br>
                                                          I am grateful
                                                          you took the
                                                          time to hear
                                                          other bounty
                                                          vendors out,
                                                          especially
                                                          since I forced
                                                          your hand to
                                                          do so to some
                                                          degree.<br>
                                                          <br>
                                                          I trust those
                                                          involved will
                                                          make a good
                                                          decision here.
                                                          <br>
                                                          <br>
                                                          I do not have
                                                          a charge over
                                                          this and do
                                                          not want to
                                                          interfere, but
                                                          if you want my
                                                          assistance
                                                          just ask.<br>
                                                          <br>
                                                          Aloha,<br>
                                                          Jim
                                                          <div>
                                                          <div><br>
                                                          <br>
                                                          <br>
                                                          <div>On
                                                          2/19/16 4:07
                                                          PM, Josh Sokol
                                                          wrote:<br>
                                                          </div>
                                                          <blockquote type="cite">
                                                          <div dir="ltr">
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>
<div>I went ahead and spoke with HackerOne this afternoon even though others were unable to make it. I'm going to be mostly out-of-pocket over the next couple of weeks, but at least wanted to be informed. I took some notes, included below, but had a couple of things that are worth mentioning here. First, the current proposal does not include the triage, reproduction, and remediation piece (the Bugcrowd one does). After speaking with them about this, they explained that it is because there are additional costs involved with that, because they partner with other companies to provide that service. That said, they offered to talk to one of their partners and had a strong belief that they could offer this to us as well. With that, I think that what they are offering is pretty much equivalent to what Bugcrowd is offering. That said, the ask is **VERY** different. While Bugcrowd is looking for an OWASP Platinum sponsorship package in exchange for their services, HackerOne is literally asking for nothing. They said that they are big supporters of the OWASP Foundation and what we stand for and want to do this to help us out. I was not expecting this, but am extremely happy with what I heard from them. We haven't talked to Cobalt yet, but my gut at this point is that HackerOne would make for a great partner on this and I would recommend, if we were to accept their offer, providing them with a logo placement on the supporter page (as a minimum) as a token of our appreciation.<br>
<br>
</div>
                                                          <div>So, I
                                                          realize that
                                                          we still have
                                                          one more
                                                          vendor to talk
                                                          to, but
                                                          HackerOne
                                                          looks really
                                                          good.  With
                                                          Johanna
                                                          out-of-pocket
                                                          for the foreseeable future, I wanted to make a recommendation to pull Simon Bennetts (if he is willing) into this evaluation process. I think that a bug bounty program would be of huge benefit to his efforts, and would like to get his impression of the value of such a tool for his project. Simon, would you be willing to hop on a call with the HackerOne folks to take a look at their platform? Or, if you'd prefer, we have access to the platform already and can get you an account to poke around with on your own.<br>
                                                          <br>
                                                          </div>
                                                          <div>In any case, notes are below. Have a great weekend!<br>
                                                          <br>
                                                          </div>
                                                          <div>~josh<br>
                                                          </div>
                                                          <div><br>
                                                          <u><b>Your Platform:</b></u><br>
                                                          </div>
                                                          <ul>
                                                          <li>Workflow &amp; Automation: Focused on engineering the world's most advanced vulnerability coordination platform.<br>
                                                          </li>
                                                          <li>Signal: Numerous systems, such as Reputation and hackbot, dedicated to ensuring high-signal programs.<br>
                                                          </li>
                                                          <li>Transparent: All hackers have a profile, history and reputation. Advanced public disclosure workflow when needed.<br>
                                                          </li>
                                                          </ul>
                                                          </div>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          <u><b>You are in Control:</b></u><br>
                                                          </div>
                                                          <ul>
                                                          <li>Flexible: Run private or public programs, with or without bounties, managed or unmanaged.<br>
                                                          </li>
                                                          <li>Ownership: You own your data. HackerOne makes no claims on Vulnerability Information.<br>
                                                          </li>
                                                          <li>Multiparty Coordination: Easily pull other vendors or external parties into a case.</li>
                                                          </ul>
                                                          <p><u><b>Service Donation:</b></u></p>
                                                          <ul>
                                                          <li>Waive bounty service fees</li>
                                                          <li>Donate HackerOne Enterprise and a dedicated success manager for a minimum of 2 years.</li>
                                                          </ul>
                                                          <p>FREE Program</p>
                                                          <ul>
                                                          <li>Security@ Workflow</li>
                                                          <li>Hacker Reputation</li>
                                                          <li>Intelligent Duplication Detection</li>
                                                          <li>Automation</li>
                                                          <li>Issue Tracker Integration</li>
                                                          <li>Analytics Dashboard</li>
                                                          </ul>
                                                          <p>PROFESSIONAL Program ($2k/mo)</p>
                                                          <ul>
                                                          <li>Everything in Free</li>
                                                          <li>Advanced Hacker Matching</li>
                                                          <li>Performance Benchmarking</li>
                                                          <li>Launch &amp; Optimization Guidance</li>
                                                          <li>Report Mediation</li>
                                                          <li>Reports API</li>
                                                          </ul>
                                                          <p>ENTERPRISE Program:</p>
                                                          <ul>
                                                          <li>Everything in Professional<br>
                                                          </li>
                                                          <li>Dedicated Success Manager</li>
                                                          <li>Custom Analytics &amp; Reporting</li>
                                                          <li>Custom Integrations</li>
                                                          <li>Custom Branding Theme</li>
                                                          <li>Communications Guidance</li>
                                                          </ul>
                                                          <p>ADD ON: Bug Bounty Global Payments (Included in our deal)<br>
                                                          </p>
                                                          <p>ADD ON: HackerOne Managed - Triage, Reproduction &amp; Remediation Guidance (Not included today in the proposal. Implemented by partners. Need to negotiate this.)<br>
                                                          </p>
                                                          <ul>
                                                          <li>Would propose to have a separate instance for each project + OWASP Foundation resources</li>
                                                          <li>Do not want anything in return. Support the OWASP Foundation and what we are doing.</li>
                                                          <li>Have a built-in leaderboard sortable by timeframe</li>
                                                          <li>Ranks hackers based on "signal" and "impact"</li>
                                                          <li>Have an integration with Salesforce ticketing</li>
                                                          <li>Support a wide range of common disclosure scenarios such as "public disclosure". By default they are confidential.<br>
                                                          </li>
                                                          </ul>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          <br>
                                                          </div>
                                                          </div>
                                                        </div>
                                                      </blockquote>
                                                    </div>
                                                    <br>
                                                    <br clear="all">
                                                    <div><br>
                                                    </div>
                                                    -- <br>
                                                    <div>
                                                      <div dir="ltr">
                                                        <div>Johanna
                                                          Curiel </div>
                                                        OWASP Volunteer</div>
                                                    </div>
                                                  </div>
                                                </div>
                                              </blockquote>
                                              <br>
                                            </div>
                                          </div>
                                        </div>
                                      </blockquote>
                                    </div>
                                  </div>
                                </blockquote>
                                <br>
                              </div>
                            </div>
                          </div>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                </div>
              </blockquote>
              <br>
            </div>
          </blockquote>
        </div>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div>Johanna Curiel </div>OWASP Volunteer</div></div>
</div>