[GPC] [RFC] Note for Leaders: Project Health Benefits - Using the "OWASP" Name

Boberski, Michael [USA] boberski_michael at bah.com
Wed May 20 14:01:31 EDT 2009

I would offer that one potential step would be to get that new project
criteria down to 1 page. Make sure it has pictures, is laser-clear, and
to the point. Consider that every possible contingency and circumstance
does not need to be guarded against for OWASP, this isn't the space
shuttle program. Consider sticking with the known alpha/beta/release
names, it's going to confuse the issue with already-published
docs/tools, this wasn't really broken. I am empathetic to people who
"only" get their projects to beta for instance and who get
stalled/swamped doing other things. The thing is still usable!!! We're
grateful they did what they did!! If they don't want to lead it or work
on it further, arrange for a gracious and amicable handoff, hoping that
they'll come back or start work on another OWASP project. Sorry to be
grumpy. Intended to be constructive.

Mike B.

-----Original Message-----
From: global-projects-committee-bounces at lists.owasp.org
[mailto:global-projects-committee-bounces at lists.owasp.org] On Behalf Of
Jason Li
Sent: Wednesday, May 20, 2009 1:46 PM
To: Global Projects Committee
Subject: [GPC] [RFC] Note for Leaders: Project Health Benefits - Using
the "OWASP" Name

Hey guys,

Here's an email that I drafted that I'd like to send to the leaders
list. Thoughts?

-Jason Li-
-jason.li at owasp.org-


The last couple of weeks, the GPC has gotten several angry emails from
various project owners in response to some of the initiatives that the
GPC is undertaking.

As you are hopefully aware, the GPC is trying to increase the quality of
all OWASP projects by establishing a level of consistency and
organization across our projects.

What I'm gathering from this trend of pushback though is that while
people generally agree with the direction we are trying to go in raising
the quality of OWASP projects, there are people who don't want to be
subject to any "bureaucratic" rules. In a sense, there's kind of a "not
in my backyard" mentality: everyone agrees that the quality of OWASP
projects needs to be improved but when it comes to their specific
project, the rules need not apply because they are going to release
something "soon", or they are a long time OWASP contributor, etc.

As such, I think we're going to be facing a crossroads - people still
want to contribute, but there will be a subset of those people who don't
want to do what is necessary to be consistent with a high quality OWASP

Right now, we don't really have any carrot/stick to encourage project
owners in the direction towards quality. The GPC is working on a
proposal to encapsulate project health, which establishes three "levels"
of quality for projects (see
https://www.owasp.org/index.php/Assessing_Project_Health). We expect
most projects to reach Level 2 status with a small set of projects
reaching Level 3 status.

The motivation for project owners to move from Level 2 to Level 3 is
that we intend to prominently highlight projects that reach Level 3 on
the OWASP site. But right now, we have no motivation for project leaders
to proceed to Level 2.

As I was going through the project surveys, it occurred to me that an
overwhelming number of projects call themselves the "OWASP XYZ". I'd
like to propose that a project can't include the OWASP "name" until they
reach a certain quality level.

The OWASP "name" is something that belongs to the OWASP Foundation so it
is something that we (as the community) can legitimately "control".
It's also something important that we should protect because any
project bearing the OWASP name reflects the OWASP brand and if the
quality is not up to par, then it damages the perception of OWASP for
all projects.