[GPC] SoC '09, RFP questions

Boberski, Michael [USA] boberski_michael at bah.com
Thu May 14 13:11:30 EDT 2009

Jason, a few follow-up questions:
Question #3. What was the rationale for changing "Release" quality to
"Stable" quality? I understand the intent, but do we not want to
underscore that releases for us mean the same as in the commercial

Question #4. Are the proposals intended to be "realistic"? E.g. there's
mention of joint proposals up to 20k. The SoC grants were all (?) e.g.
2.5k, more incentive-type amounts than amounts intended to cover the
actual cost of the work.

Mike B.


From: li.jason.c at gmail.com [mailto:li.jason.c at gmail.com] On Behalf Of
Jason Li
Sent: Thursday, May 14, 2009 12:48 PM
To: Boberski, Michael [USA]
Cc: paulo.coimbra at owasp.org; Global Projects Committee
Subject: Re: [GPC] SoC '09, RFP questions

I was not able to attend the recent meeting the GPC had in Poland
regarding the SoC protocol, but here was my understanding of it prior to
that meeting and I do not believe the rules of engagement have changed.

With regards to your first question, yes, we are relying more on project
proposals this year. We are hoping for this season of code to be geared
more towards improving existing projects rather than creating a new wave
of new projects by having a list of projects as in the previous year.
That is not to say that we will not accept any new ideas - any proposal
will be accepted for review by the SoC Jury. But rather than provide a
list of ideas which encourages a tide of new projects, we're hoping to
focus on improving existing projects while still allowing new and
innovative project ideas to pop up.

Also, as you may have seen in traffic on the list, we are currently in
the process of identifying projects that have been abandoned by their
project leaders and it's our intention to include these projects as an
adoption option for SoC when it is officially launched next week.

In regards to your second question, this discussion was undergoing much
debate but I believe the conclusion was that there is no mandate to
reach any particular quality level. It will be up to the project
proposer to create a clearly defined roadmap with milestones and for the
proposer to identify which quality level they wish to reach. The SoC
Jury will examine the project roadmap and deliverables and take into
consideration whether the quality level identified in the roadmap is
appropriate for the amount of work proposed for the project. As
appropriate, the SoC Jury will provide feedback on proposals if they
feel the quality level is too low.

As an extreme example, a project proposal to create a one page
cheat-sheet for CSRF that selects "Alpha" quality will most likely be
referred back to the proposer with a request that the proposal target
"Stable" quality as the amount of work involved in a one page
cheat-sheet should allow for reaching "Stable".

On the other hand, a project proposal to create a comprehensive security
framework like ESAPI for say, PHP, that selects "Alpha" quality may be
viewed more favorably because the expected work involved may be
considerably more.

Regardless of the quality level selected, the SoC Jury will also be
judging the project roadmap to ensure that the deliverables and
milestones are appropriate; payment for SoC will be directly tied to
completion of the project's proposed milestones in the roadmap and
therefore it is expected that the roadmap will include significant
detail about the work involved.

Hope that helps! LMK if you have further questions.
-Jason Li-
-jason.li at owasp.org-

On Thu, May 14, 2009 at 12:25 PM, Paulo Coimbra
<paulo.coimbra at owasp.org> wrote:

I thank you for your interest and pertinent questions and I am carbon
copying the Global Projects Committee as its members may want to provide
the adequate answers.

Paulo Coimbra,
OWASP Project Manager

From: Boberski, Michael [USA] [mailto:boberski_michael at bah.com]
Sent: Thursday, 14 May 2009 16:27
To: Paulo Coimbra
Subject: SoC '09, RFP questions

Paulo, looking at
http://www.owasp.org/index.php/OWASP_Season_of_Code_2009, I have a few

Question #1. Is it correct that there is not a list with
specific requests for proposals as was done with the SoC '08, that
instead you're relying on participants to propose specific projects,
ideally that fall within those four listed areas?

Question #2. Do projects need to reach Alpha or Beta quality?

Mike B.