[Owasp-leaders] Fwd: New funding model for O2 Development
dinis cruz
dinis.cruz at owasp.org
Thu Jul 29 12:22:11 EDT 2010
On 29 July 2010 16:49, Martin Knobloch <martin.knobloch at owasp.org> wrote:
> On the first impression, I really like that idea. On the second, I have
> some questions we have to think of:
> Model1) OWASP, at this moment, has no resources to manage the raised
> funding.
>
Yes and No. We are already doing a similar financial model for the Chapters
and Projects (remember Project leaders that you can get the same 'donation'
and 'owasp membership split' that the chapters have (talk to Kate/Alison)),
but you are correct that doing it under a Pledgie.com model is something
that we are currently not set up to do.
> Model 2) This could move the OWASP projects away from OWASP. Has a
> potential of abusing the OWASP brand more attractive.
>
I don't see why this model will push OWASP projects away from OWASP. In
fact, when we are able to create a good set of guidelines for what is an
'OWASP Approved Pledged' (which will allow the pledge to be listed on the
OWASP website), then this could even be a driver for projects to become
OWASP projects
>
> In both models, the financing and the in and outgoing of the funding would
> have to be open.
>
Yes and no :)
Model 2) is specifically designed so that there is some information that
might not be 100% disclosed (namely the commercial contracts for outsourced
work).
Let's say for example that this O2 Pledge O2 Platform - 'J2EE Struts' Rule
Pack <http://pledgie.com/campaigns/12110> is able to get the requested
20,000 USD.
Now let's say that me as the O2 project leader (and the one managing those
funds) decides to allocate 15,000 USD of that money to hire a number of
external (to current team) developers and contributors, which would include:
- * 2x QA (via elance.com)
- * 2x Technical editors (via elance.com)
- John Wilander (directly as a contractor)
- Jason Lee and Jeff Williams (via a contract to Aspect Security)
- John Steven (via a contract to Cigital)
- * Rudolph Araujo (via a contract to Foundstone)
- Matteo Meucci (via a contract to Minded Security)
- Bruce Mayhew (directly as a contractor (cutting a contract with the IBM
lawyers would cost the 15k :) )
- * Portuguese Developer (directly as a contractor)
- * Brazilian Developer (directly as a contractor)
- etc....
(the ones marked with * are not owasp-leaders)
Assuming that I was able to fit all those people in my 15,000 USD budget,
can I really share the contract details with all of them (or even post them
on a website)? I'm not sure I could even if I wanted to. I view it as my job,
as negotiator for the funds allocated to this pledge, to assemble the best
possible team at the best possible prices. The good news is that (somehow) I
have the feeling that for this project (for example) I would be able to
negotiate a very good deal and not have to pay these professionals/companies
their current market rate (which btw, on the day that I have 100k or 250k
to spend on these Rule Packs, I would more than happily do).
And why do I have to 'pay' these professionals, some of which are OWASP
leaders?
Apart from the fact that they are amongst some of the best in the world (in
this field), more importantly, I need them to commit the time and effort to
deliver.
As you can see in O2 Platform - 'J2EE Struts' Rule Pack
<http://pledgie.com/campaigns/12110>, I'm committing to deliver this Rule
Pack in 3 months, so I need the contributors to focus and to make sure they
have time allocated to work on this.
Of course that others can contribute, BUT I know that if one wants focused
and on-time work, one has to pay for it.
Now, can you imagine how complex (if even doable) it would be to make this
type of commercial arrangements via OWASP?
> For both models, rules and possibilities have to be thought through.
>
Yes, and I really think that the only way to do this is by looking at real
examples and real case-studies.
This is why I'm pushing this via the O2 Platform since that is a project
that needs it and you can beat me over the head if I push it in the wrong
direction (and btw, if other project leaders want to try a similar pledge,
just contact me and we'll work on it)
>
> ..both models are very promising!
>
:)
Now let's see if it works, so far there have been no pledges on any of the 9
set up at pledgie.com (http://o2platform.com/wiki/O2_Pledges) but it's still
early days...
Dinis
> Cheers,
> ~Martin
>
> On Thu, Jul 29, 2010 at 5:06 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
>
>> Yes the GitHub guys have done an automatic 'list your project in Pledgie'
>> and tons of GitHub projects have done that.
>>
>> I'm not sure if doing it automatically is a good idea, since the end
>> result is tons and tons of projects which have no funding and barely have
>> any description and thought about it.
>>
>> I like the idea that we set a number of guidelines for these Pledges to be
>> recognized by OWASP (and listed on our website) since that will keep the
>> quality up and make sure the Pledge makes sense (remember that nothing stops
>> anybody from setting up a Pledge about any OWASP projects).
>>
>> Regarding the 2 models, my view is that the key difference is how the
>> money is going to be used. If owasp leaders need to be paid (or direct
>> development contracts need to be made), that money really needs to flow
>> outside of OWASP (for a number of reasons including liability and more
>> importantly independence of the person negotiating the contracts).
>>
>> So they are not mutually exclusive, and time will tell how they play in
>> practice.
>>
>> Dinis Cruz
>>
>>
>>
>> On 28 July 2010 11:21, Paolo Perego <thesp0nge at owasp.org> wrote:
>>
>>> On Wed, Jul 28, 2010 at 12:06 PM, dinis cruz <dinis.cruz at owasp.org>
>>> wrote:
>>>
>>> > I really think that this model could work in creating independent
>>> > revenue streams for OWASP projects (namely our most popular and widely
>>> > used projects), so, if there are other project leaders that want to
>>> > give this a go, please let's talk.
>>> Well, I see a lot of github hosted projects trying to raise some money
>>> with pledgie.com
>>> I think this could be a deal.
>>>
>>> > Model 1) the funds are going to be used for operational expenses, no
>>> > OWASP leader will be paid by it, and the money will be managed by OWASP
>>> > Model 2) the funds will be used to cover development costs, there are
>>> > no limitations on where the funds are spent, and OWASP is NOT the one
>>> > managing the money (it will either be the project leader(s) or an
>>> > allocated 3rd party)
>>>
>>> Are they mutually exclusive?
>>>
>>> I mean... if pledgie will help you in fund raising, Owasp can think to
>>> adopt the same strategy for Model 1 (to pay for conference/summit
>>> location, catering, our employees, whatever). I think also that using
>>> Model 2 will be up to each leader in order to become self sustained in
>>> term of money.
>>>
>>> Personally I think this could be a great approach for fund raising
>>> also for projects.
>>>
>>> Just my €0.02
>>> Paolo
>>>
>>> --
>>> "... static analysis is fun, again!"
>>>
>>> OWASP Orizon project leader, http://github.com/owasp-orizon
>>> Owasp Italy R&D director
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders