[Owasp-leaders] Fwd: New funding model for O2 Development
martin.knobloch at owasp.org
Thu Jul 29 12:53:38 EDT 2010
I see your points. Definitely worth trying it!
Keep my fingers crossed and good luck for your 9 pledges! ;-)
On Thu, Jul 29, 2010 at 6:22 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
> On 29 July 2010 16:49, Martin Knobloch <martin.knobloch at owasp.org> wrote:
>> On the first impression, I really like that idea. On the second, I have
>> some questions we have to think of:
>> Model1) OWASP, at this moment, has no resources to manage the raised
> Yes and No. We are already doing a similar financial model for the Chapters
> and Projects (remember Project leaders that you can get the same 'donation'
> and 'owasp membership split' that the chapters have (talk to Kate/Alison)),
> but you are correct that doing it under a Pledgie.com model is something
> that we are currently not set-up to do
>> Model 2) This could move the OWASP projects away from OWASP. Has a
>> potential of abusing the OWASP brand more attractive.
> I don't see why this model will push OWASP projects away from OWASP. In
> fact, when we are able to create a good set of guidelines for what is an
> 'OWASP Approved Pledged' (which will allow the pledge to be listed on the
> OWASP website), then this could even be a driver for projects to become
> OWASP projects
>> In both models, the financing and the in and outgoing of the funding would
>> have to be open.
> Yes and no :)
> Model 2) is specifically designed so that there is some information that
> might not be 100% disclosed (namely the commercial contracts for outsourced
> Let's say for example that this O2 Pledge O2 Platform - 'J2EE Struts' Rule
> Pack <http://pledgie.com/campaigns/12110> is able to get the requested
> 20,000 USD.
> Now let's say that me as the O2 project leader (and the one managing those
> funds) decides to allocate 15,000 USD of that money to hire a number of
> external (to current team) developers and contributors, which would include:
> - * 2x QA (via elance.com)
> - * 2x Technical editors (via elance.com)
> - John Wilander (directly as a contractor)
> - Jason Lee and Jeff Williams (via a contract to Aspect Security)
> - John Steven (via a contract to Cigital)
> - * Rudolph Araujo (via a contract to Foundstone)
> - Matteo Meucci (via a contract to Minded Security)
> - Bruce Mayhew (directly as a contractor (cutting a contract with the IBM
> lawyers would cost the 15k :) )
> - * Portuguese Developer (directly as a contractor)
> - * Brazilian Developer (directly as a contractor)
> - etc....
> (the ones marked with * are not owasp-leaders)
> Assuming that I was able to fit all those people in my 15,000 USD budget,
> can I really share the contract details with all of them (or even post them
> on a website?). I'm not sure I could even if I wanted to. I view as my job
> as negotiator for the funds allocated to this pledge to assemble the best
> possible team at the best possible prices. The good news is that (somehow) I
> have the feeling that for this project (for example) I would be able to
> negotiate a very good deal and not have to pay these professionals/companies
> their current market rate (which btw, on the day that I have 100k or 250k
> to spend on these Rule Packs, I would more than happily do)
> And why do I have to 'pay' these professionals, some of which are OWASP
> Apart from the fact that they are amongst some of the best in the world (in
> this field), more importantly, I need them to commit the time and effort to
> As you can see in O2 Platform - 'J2EE Struts' Rule Pack
> <http://pledgie.com/campaigns/12110> I'm committing to deliver this Rule
> Pack in 3 months, so I need the
> contributors to focus and to make sure they have time allocated to work on
> Of course that others can contribute, BUT I know that if one wants focused
> and on-time work, one has to pay for it.
> Now, can you imagine how complex (if even doable) it would be to make this
> type of commercial arrangements via OWASP?
> For both models, rules and possibilities have to be thought through.
> Yes, and I really think that the only way to do this is by looking at real
> examples and real case-studies.
> This is why I'm pushing this via the O2 Platform since that is a project
> that needs it and you can beat me over the head if I push it on the wrong
> direction (and btw, if other project leaders want to try a similar pledge,
> just contact me and we'll work on it)
>> ..both models are very promising!
> Now let's see if it works, so far there have been no pledges on any of the 9
> set up at pledgie.com (http://o2platform.com/wiki/O2_Pledges) but it's
> still early days...
>> On Thu, Jul 29, 2010 at 5:06 PM, dinis cruz <dinis.cruz at owasp.org> wrote:
>>> Yes the GitHub guys have done an automatic 'list your project in Pledgie'
>>> and tons of GitHub projects have done that.
>>> I'm not sure if doing it automatically is a good idea, since the end
>>> result is tons and tons of projects which have no funding and barely have
>>> any description and thought about it.
>>> I like the idea that we set a number of guidelines for these Pledges to
>>> be recognized by OWASP (and listed on our website) since that will keep the
>>> quality up and make sure the Pledge makes sense (remember that nothing stops
>>> anybody from setting up a Pledge about any OWASP projects).
>>> Regarding the 2 models, my view is that the key difference is how the
>>> money is going to be used. If owasp leaders need to be paid (or direct
>>> development contracts need to be made), that money really needs to flow
>>> outside of OWASP (for a number of reasons including liability and more
>>> importantly independence of the person negotiating the contracts).
>>> So they are not mutually exclusive, and time will tell how they play in
>>> Dinis Cruz
>>> On 28 July 2010 11:21, Paolo Perego <thesp0nge at owasp.org> wrote:
>>>> On Wed, Jul 28, 2010 at 12:06 PM, dinis cruz <dinis.cruz at owasp.org>
>>>> > I really think that this model could work in creating independent
>>>> > streams for OWASP projects (namely our most popular and widely used
>>>> > projects), so, if there are other project leaders that want to give
>>>> > this a go, please let's talk.
>>>> Well, I see a lot of github hosted projects trying to raise some money
>>>> with pledgie.com
>>>> I think this could be a deal.
>>>> > Model 1) the funds are going to be used for operational expenses, no
>>>> > leader will be paid by it, and the money will be managed by OWASP
>>>> > Model 2) the funds will be used to cover development costs, there are
>>>> > limitations on where the funds are spent, and OWASP is NOT the one
>>>> > the money (it will either be the project leader(s) or an allocated 3rd
>>>> > party)
>>>> Are they mutually exclusive?
>>>> I mean... if pledgie will help you in fund raising, Owasp can think to
>>>> adopt the same strategy for Model 1 (to pay for conference/summit
>>>> location, catering, our employees, whatever). I think also that using
>>>> Model 2 will be up to each leader in order to become self sustained in
>>>> term of money.
>>>> Personally I think this could be a great approach for fund raising
>>>> also for projects.
>>>> Just my €0.02
>>>> "... static analysis is fun, again!"
>>>> OWASP Orizon project leader, http://github.com/owasp-orizon
>>>> Owasp Italy R&D director
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org