<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    > I don't think you have read properly what I'm trying to say,
    which is, that these activities, where there seems to be a need for
    operational support, such as reviewing or wiki editing, do not
    have enough traction from volunteer efforts and are therefore not
    sustainable. Many talk cheap and in the end, not enough people toy
    backup operations.<br>
    <br>
    Right. Wiki could use more help, but the Bug Bounty proposals
    include significant <b>vendor</b> support. I think that will work
    well.<br>
    <br>
    > If you consider the wiki a success, (with XSS fiasco included)
    then you have not read the responses people provided on the survey I
    did where 50 members of our community responded. Have you read what
    they say?<br>
    <br>
    Fiasco? We found and fixed bugs. That's good. The world keeps on
    spinning. Yes, I know of the complaints from the 50 folks in your
    survey, and I agree with those concerns. But you must have missed
    the many <b>millions</b> of page hits on <b>several</b> wiki
    pages and other documentation projects...<br>
    <br>
    Johanna, I do not know why you keep targeting me in these emails. I
    am just one board member - one that you apparently do not like or
    have respect for. Maybe consider talking to other board members if
    you are not happy with my actions. In the meantime, I am going to do
    a little wiki work tonight.<br>
    <br>
    If you have sustainable ideas for these programs, by all means let's
    hear them. If there are things you need me to read, let me know. I
    am doing my best in my limited time as a volunteer.<br>
    <br>
    Aloha,<br>
    - Jim<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 2/20/16 6:43 PM, johanna curiel
      curiel wrote:<br>
    </div>
    <blockquote
cite="mid:CACxry_1ZiaZ11Zudb7UzDxoMkp51KzvjN45sY08jyWSeEVdgmw@mail.gmail.com"
      type="cite">
      <div dir="ltr"><span style="font-size:13px">>>I am very
          confused. <b>No one asked you to do any work here, am I
            mistaken? </b></span><br>
        <div><span style="font-size:13px"><br>
          </span></div>
        <div>Exactly, <i><u>thank you for making that clear.</u></i></div>
        <div><br>
        </div>
        <div>I don't think you have read properly what I'm trying to
          say, which is, that these activities, where there seems to be
          a need for operational support, such as reviewing or wiki
          editing, do not have enough traction from volunteer efforts
          and are therefore not sustainable. Many talk cheap and in the end,
          not enough people toy backup operations.</div>
        <div><br>
        </div>
        <div>If you consider the wiki a success, (with XSS fiasco
          included) then you have not read the responses people provided
          on the survey I did where 50 members of our community
          responded. Have you read what they say?</div>
        <div><br>
        </div>
        <div>I'm looking for a discussion around solutions and creating
          initiatives that are sustainable. </div>
        <div><br>
        </div>
        <div>Once again Jim, thank you for making it very clear to me
          how you think. </div>
        <div><br>
        </div>
        <div>I was expecting some discussions around sustainability.</div>
        <div><br>
        </div>
        <div>Cheers</div>
        <div><br>
        </div>
        <div>Johanna</div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Sat, Feb 20, 2016 at 8:29 PM, Jim
          Manico <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"> Johanna,<br>
              <br>
              All I asked is that we give other vendors a chance to
              propose a bug bounty program instead of just choosing one
              vendor. I am not "the decider" here. I did not initiate
              the bug bounty program nor do I disagree with all of your
              comments below. I am sure we will face several challenges.
              I still think it's a good idea to try and I'm grateful
              Josh is taking a leadership position here.<span class=""><br>
                <br>
                > I'm out of this equation regarding any decisions of
                a bounty program and management of it in the future.<br>
                <br>
              </span> For someone who is "out of the equation" you sure
              have a lot to say! No one is asking you to do - any work.
              You are a volunteer (like me) and you do as you like when
              you feel like it and that is ok.<br>
              <br>
              > Wiki have shown that volunteer based does not work.<br>
              <br>
              I strongly disagree. I know the wiki is tough for some to
              read, and it needs work, but several pages have received
              millions of hits and have helped many on several issues. I
              know the wiki needs work, but I am proud of the
              accomplishments of the thousands of volunteers who have
              contributed to that knowledge base in some way. <br>
              <span class=""> <br>
                > Therefore, I prefer to abstain from participating in
                this bounty initiative because my workload has
                multiplied by the dozen, and as a volunteer, I cannot
                provide any guarantees of my availability in the future.<br>
                <br>
              </span> I am very confused. No one asked you to do any
              work here, am I mistaken? I do not understand why you are
              upset or are abstaining in something that I did not even
              know you were a part of. I just recall you (and Josh)
              getting very upset that I even suggested we look at other
              vendor proposals.... First you suggest we get a specific
              vendor for an OWASP bug bounty program, then you get upset
              that I suggested we discuss this with other vendors, and
              now you are abstaining. It's hard for me to follow what you
              want here. I have watched you email the world about
              "taking on an initiative" and then quit several times now,
              that I am having a lot of trouble following your work and
              needs. And I have done this a few times myself, I'm not
              perfect. But I do keep trying.<span class=""><br>
                <br>
                > This counts for the review process. This is the
                reason why we, Enrico and I, proposed to decentralise
                and focus on a platform. Even so, this platform is
                highly dependent on volunteers. So far, only 6 members
                have voted for Graduation of the OWASP security
                project. We lack participation. I feel like no one cares.
                Or people just don't want to participate in this kind of
                thing. I have no freaking idea.<br>
                <br>
              </span> Johanna, if you are not satisfied with your
              volunteer activities, then I suggest you find another way
              to lend support at OWASP (there are many many things going
              on with application security) or <b>take a break and take
                some time off</b>. OWASP is not supposed to get you
              angry or make you feel unsatisfied. It's Saturday night
              and I'm stuck in Chicago so I'm going to work on a few
              wiki tasks on my plate because that gives me a lot of
              satisfaction - even in the face of other folks, like
              yourself, who do not see the value in the wiki. I do - so
              I'm going to keep at it.<span class=""><br>
                <br>
                > Furthermore, you end as a solo-player, nobody gives
                you thanks, when all you are trying to do is help,
                burning your free time chasing waterfalls. (That counts
                for you with the wiki editing of +8000 pages, I guess
                all you hear is criticism just as I do, and people just
                tend to forget we are not OWASP staff, we are
                volunteers)<br>
                <br>
              </span> Yea, I think that if you join OWASP because you
              want "thanks" - you're in it for the wrong reason.
              Johanna, I have seen folks give you MANY compliments -
              over and over and over - on big public lists - from folks
              all over the world - and it does not seem to be enough for
              you, so I do not know what to tell you. I do the work I do
              at OWASP because I believe in it and find the value in it.
              I don't want thanks - I actually dislike getting public
              thanks - I just want more volunteers involved. And I find
              that leading by example helps. There are quite a few folks
              working on the wiki with me. I am super grateful for them
              all. Generating new content is not an issue, dealing with
              older content is.<span class=""><br>
                <br>
                > Whatever the reason, the effect is, volunteer-based
                initiatives such as the wiki, reviews and possibly the
                bounty program do not seem to work. <br>
                <br>
              </span> This is a fair point regarding the bug bounty
              program. Please keep in mind that several of the bounty
              programs proposed would be vendor driven, not volunteer
              driven. It's not decided yet nor is it my call (or even
              charge). This thread started because I asked to be vendor
              neutral, and if this was to start over I'd do the same.<br>
              <br>
              Have a nice Saturday night. I'm off to work on the Java
              wiki page and do a little cleanup.<br>
              <br>
              Aloha,<br>
              - Jim
              <div>
                <div class="h5"><br>
                  <br>
                  <div>On 2/20/16 11:14 AM, johanna curiel curiel wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">>><span style="font-size:13px">I
                        trust those involved will make a good decision
                        here. </span>
                      <div><br>
                      </div>
                      <div>>><span style="font-size:13px">First,
                          the current proposal <u>does not include the
                            triage, reproduction, and remediation piece</u>
                          (the Bugcrowd one does).  After speaking with
                          them about this, they explained that it is
                          because there are additional costs involved
                          with that because they partner with other
                          companies to provide that service.  That said,
                          they offered to talk to one of their partners
                          and had a strong belief that they could offer
                          this to us as well.</span><br>
                        <div><span style="font-size:13px"><br>
                          </span></div>
                        <div><span style="font-size:13px">Hi Jim.</span></div>
                        <div><span style="font-size:13px"><br>
                          </span></div>
                        <div>I'm all in favour of vendor neutrality at
                          all times. I admire your pro-activeness in
                          these matters, however, at this point, I'm out
                          of this equation regarding any decisions of a
                          bounty program and management of it in the
                          future.</div>
                        <div><br>
                        </div>
                        <div>One of the major problems we have, is to
                          create sustainable initiatives. I'm a
                          volunteer with limited time. My availability
                          will vary a lot and this is common for
                          volunteers.</div>
                        <div><br>
                        </div>
                        <div>I think it is important that we ask ourselves
                          who will be accountable for the system we
                          bring in and able to manage this continuously.
                          Volunteer based, I'm not convinced. </div>
                        <div><br>
                        </div>
                        <div>Wiki and Reviews have shown that volunteer
                          based does not work. Therefore, I prefer to
                          abstain from participating in this bounty
                          initiative because my workload has multiplied
                          by the dozen, and as a volunteer, I cannot
                          provide any guarantees of my availability in
                          the future.</div>
                        <div><br>
                        </div>
                        <div>This counts for the review process. This is
                          the reason why we, Enrico and I, proposed to
                          decentralise and focus on a platform. Even so,
                          this platform is highly dependent on
                          volunteers. So far, only 6 members have voted
                          for Graduation of the OWASP security
                          project. We lack participation. I feel like no
                          one cares. Or people just don't want to
                          participate in this kind of thing. I have no
                          freaking idea.</div>
                        <div><br>
                        </div>
                        <div>So far, there have not been any reviewers
                          that have worked on reviews since we restarted
                          this initiative. Even before, when Claudia
                          started offering amazon cards in exchange for
                          reviews, only 2 persons participated for 2
                          reviews on different projects. We keep on
                          looking, I believe Claudia has contacted them,
                          but in the end, nothing.</div>
                        <div><br>
                        </div>
                        <div> I took many hours to build that criteria
                          and let people comment and collaborate, so we
                          make this process easier. There has been some
                          participation, but from very few. We provide
                          the community with all the opportunities to
                          participate but still, there is a lack of
                          interest in this subject.</div>
                        <div><br>
                        </div>
                        <div>I spoke with Jason Li, and even in an
                          interview you did with him in 2008, he had the
                          same idea of providing a platform for
                          participation, but people don't want to
                          volunteer for these kinds of tasks, just as
                          happens with the wiki.</div>
                        <div><br>
                        </div>
                        <div>Furthermore, you end as a solo-player,
                          nobody gives you thanks, when all you are
                          trying to do is help, burning your free time
                          chasing waterfalls. (That counts for you with
                          the wiki editing of +8000 pages, I guess all
                          you hear is criticism just as I do, and people
                          just tend to forget we are not OWASP staff,
                          we are volunteers)</div>
                        <div><br>
                        </div>
                        <div>I think it is time, from the operational
                          management point of view, to revise all these
                          actions and have a very serious talk about
                          this.</div>
                        <div>
                          <ul>
                            <li>Are they sustainable only volunteer
                              based?<br>
                            </li>
                            <li>What has the experience shown?<br>
                            </li>
                            <li>Why does owasp lack volunteers to help
                              on these tasks?<br>
                            </li>
                            <li>Is the workload too big to expect
                              volunteers to do this?</li>
                            <li>Is this a community that has no time to
                              do this kind of work?</li>
                            <li>Do they actually want to do these kinds
                              of tasks?</li>
                          </ul>
                        </div>
                        <div>Volunteers are volunteers, they are not
                          workforce nor can you expect the same
                          output. You cannot expect anything from them.</div>
                        <div><br>
                        </div>
                        <div>A volunteer must feel he gains something
                          back for giving his time. If there is no
                          exchange on this part, if he does not feel
                          valued or that his work matters, or enjoys
                          what he does, then, I think, volunteer work
                          stops. For me, it must have a meaning, that
                          what I do, matters.</div>
                        <div><br>
                        </div>
                        <div>Whatever the reason, the effect is,
                          volunteer-based initiatives such as the wiki, reviews
                          and possibly the bounty program do not seem to
                          work. </div>
                        <div><br>
                        </div>
                        <div>We should evaluate this before we keep
                          bringing in systems that cannot be sustained
                          on a volunteer basis.</div>
                        <div><br>
                        </div>
                        <div>Cheers</div>
                        <div><br>
                        </div>
                        <div>Johanna</div>
                        <div><br>
                        </div>
                      </div>
                      <div class="gmail_extra"><br>
                        <div class="gmail_quote">On Sat, Feb 20, 2016 at
                          12:17 AM, Jim Manico <span dir="ltr"><<a
                              moz-do-not-send="true"
                              href="mailto:jim.manico@owasp.org"
                              target="_blank">jim.manico@owasp.org</a>></span>
                          wrote:<br>
                          <blockquote class="gmail_quote"
                            style="margin:0 0 0 .8ex;border-left:1px
                            #ccc solid;padding-left:1ex">
                            <div bgcolor="#FFFFFF" text="#000000"> Josh,<br>
                              <br>
                              I am grateful you took the time to hear
                              other bounty vendors out, especially since
                              I forced your hand to do so to some
                              degree.<br>
                              <br>
                              I trust those involved will make a good
                              decision here. <br>
                              <br>
                              I do not have a charge over this and do
                              not want to interfere, but if you want my
                              assistance just ask.<br>
                              <br>
                              Aloha,<br>
                              Jim
                              <div>
                                <div><br>
                                  <br>
                                  <br>
                                  <div>On 2/19/16 4:07 PM, Josh Sokol
                                    wrote:<br>
                                  </div>
                                  <blockquote type="cite">
                                    <div dir="ltr">
                                      <div>
                                        <div>
                                          <div>
                                            <div>
                                              <div>
                                                <div>
                                                  <div>I went ahead and spoke with HackerOne this afternoon even
                                                    though others were unable to make it. I'm going to be mostly
                                                    out-of-pocket over the next couple of weeks, but at least wanted
                                                    to be informed. I took some notes, included below, but had a
                                                    couple of things that are worth mentioning here. First, the
                                                    current proposal does not include the triage, reproduction, and
                                                    remediation piece (the Bugcrowd one does). After speaking with
                                                    them about this, they explained that it is because there are
                                                    additional costs involved with that because they partner with
                                                    other companies to provide that service. That said, they offered
                                                    to talk to one of their partners and had a strong belief that
                                                    they could offer this to us as well. With that, I think that what
                                                    they are offering is pretty much equivalent to what Bugcrowd is
                                                    offering. That said, the ask is **VERY** different. While
                                                    Bugcrowd is looking for an OWASP Platinum sponsorship package in
                                                    exchange for their services, HackerOne is literally asking for
                                                    nothing. They said that they are big supporters of the OWASP
                                                    Foundation and what we stand for and want to do this to help us
                                                    out. I was not expecting this, but am extremely happy with what
                                                    I heard from them. We haven't talked to Cobalt yet, but my gut at
                                                    this point is that HackerOne would make for a great partner on
                                                    this and I would recommend, if we were to accept their offer,
                                                    providing them with a logo placement on the supporter page (as a
                                                    minimum) as a token of our appreciation.<br>
                                                    <br>
                                                  </div>
                                                  <div>So, I realize that we still have one more vendor to talk to,
                                                    but HackerOne looks really good. With Johanna out-of-pocket for
                                                    the foreseeable future, I wanted to make a recommendation to pull
                                                    Simon Bennetts (if he is willing) into this evaluation process.
                                                    I think that a bug bounty program would be of huge benefit to
                                                    his efforts, and would like to get his impression of the value
                                                    of such a tool for his project. Simon, would you be willing to
                                                    hop on a call with the HackerOne folks to take a look at their
                                                    platform? Or, if you'd prefer, we have access to the platform
                                                    already and can get you an account to poke around with on your
                                                    own.<br>
                                                    <br>
                                                  </div>
                                                  <div>In any case,
                                                    notes are below. 
                                                    Have a great
                                                    weekend!<br>
                                                    <br>
                                                  </div>
                                                  <div>~josh<br>
                                                  </div>
                                                  <div><br>
                                                    <u><b>Your Platform:</b></u><br>
                                                  </div>
                                                  <ul>
                                                    <li>Workflow &
                                                      Automation:
                                                      Focused on
                                                      engineering the
                                                      world's most
                                                      advanced
                                                      vulnerability
                                                      coordination
                                                      platform.<br>
                                                    </li>
                                                    <li>Signal: Numerous
                                                      systems, such as
                                                      Reputation and
                                                      hackbot, dedicated
                                                      to ensuring high
                                                      signal programs.<br>
                                                    </li>
                                                    <li>Transparent: All
                                                      hackers have a
                                                      profile, history
                                                      and reputation. 
                                                      Advanced public
                                                      disclosure
                                                      workflow when
                                                      needed.<br>
                                                    </li>
                                                  </ul>
                                                </div>
                                              </div>
                                              <br>
                                            </div>
                                            <u><b>You are in Control:</b></u><br>
                                          </div>
                                          <ul>
                                            <li>Flexible: Run private or
                                              public programs, with or
                                              without bounties, managed
                                              or unmanaged.<br>
                                            </li>
                                            <li>Ownership: You own your
                                              data.  HackerOne makes no
                                              claims on Vulnerability
                                              Information.<br>
                                            </li>
                                            <li>Multiparty Coordination:
                                              Easily pull in other
                                              vendors or external
                                              parties into a case.</li>
                                          </ul>
                                          <p><u><b>Service Donation:</b></u></p>
                                          <ul>
                                            <li>Waive bounty service
                                              fees</li>
                                            <li>Donate HackerOne
                                              Enterprise and a dedicated
                                              success manager for min 2
                                              years.</li>
                                          </ul>
                                          <p>FREE Program</p>
                                          <ul>
                                            <li>Security@ Workflow</li>
                                            <li>Hacker Reputation</li>
                                            <li>Intelligent Duplication
                                              Detection</li>
                                            <li>Automation</li>
                                            <li>Issue Tracker
                                              Integration</li>
                                            <li>Analytics Dashboard</li>
                                          </ul>
                                          <p>PROFESSIONAL Program
                                            ($2k/mo)</p>
                                          <ul>
                                            <li>Everything in Free</li>
                                            <li>Advanced Hacker Matching</li>
                                            <li>Performance Benchmarking</li>
                                            <li>Launch &
                                              Optimization Guidance</li>
                                            <li>Report Mediation</li>
                                            <li>Reports API</li>
                                          </ul>
                                          <p>ENTERPRISE Program:</p>
                                          <ul>
                                            <li>Everything in
                                              Professional<br>
                                            </li>
                                            <li>Dedicated Success
                                              Manager</li>
                                            <li>Custom Analytics &
                                              Reporting</li>
                                            <li>Custom Integrations</li>
                                            <li>Custom Branding Theme</li>
                                            <li>Communications Guidance</li>
                                          </ul>
                                          <p>ADD ON: Bug Bounty Global
                                            Payments (Included in our
                                            deal)<br>
                                          </p>
                                          <p>ADD ON: HackerOne Managed -
                                            Triage, Reproduction &
                                            Remediation Guidance (Not
                                            included today in the
                                            proposal.  Implemented by
                                            partners.  Need to negotiate
                                            this.)<br>
                                          </p>
                                          <ul>
                                            <li>Would propose to have a
                                              separate instance for each
                                              project + OWASP Foundation
                                              resources</li>
                                            <li>Do not want anything in
                                              return.  Support the OWASP
                                              Foundation and what we are
                                              doing.</li>
                                            <li>Have a built-in
                                              leaderboard sortable by
                                              timeframe</li>
                                            <li>Ranks hackers based on
                                              "signal" and "impact"</li>
                                            <li>Have an integration with
                                              Salesforce ticketing</li>
                                            <li>Support a wide range of
                                              common disclosure
                                              scenarios such as "public
                                              disclosure".  By default
                                              they are confidential.<br>
                                            </li>
                                          </ul>
                                        </div>
                                      </div>
                                    </div>
                                  </blockquote>
                                  <br>
                                </div>
                              </div>
                            </div>
                          </blockquote>
                        </div>
                        <br>
                        <br clear="all">
                        <div><br>
                        </div>
                        -- <br>
                        <div>
                          <div dir="ltr">
                            <div>Johanna Curiel </div>
                            OWASP Volunteer</div>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div class="gmail_signature">
          <div dir="ltr">
            <div>Johanna Curiel </div>
            OWASP Volunteer</div>
        </div>
      </div>
    </blockquote>
    <br>
  </body>
</html>