[GPC] Update Needed

Christian Heinrich christian.heinrich at owasp.org
Mon Jul 12 00:33:49 EDT 2010


On Mon, Jul 12, 2010 at 12:22 PM, Jason Li <jason.li at owasp.org> wrote:
> I never said that you lied on the survey - far from it. All I'm saying
> is that self-surveys can only go so far in evaluating a project. The
> fact that several people have spoken out about the functionality of
> the project just goes to show that what one person may see as useful
> and functional, another person may see differently. That just supports
> the fact that we can't rely on one evaluator.

The correct course of action would have been that Dinis realized they
bypassed me with their complaint and subsequently forwarded it to me
so it could be handled with discretion.

Furthermore, there are similarities between their complaint and what was put
out on twitter by others i.e.
http://twitter.com/TownyRoberto/status/17235012717 and that they have
stolen the identities of real people i.e.

Two high profile people had nominated themselves to review this OWASP
Project i.e. Chris Gates (metasploit) and PDP (GNUCITIZEN) i.e. this
isn't a single evaluator.

> As I said, the message was not about the Google Hacking project, but
> about shortcomings of the GPC. The current situation with the Google
> Hacking project happens to emphasize those shortcomings. If we had
> achieved our goal of creating a repository, the Google Hacking project
> code would have been in the repository and you would not have had to
> endure antagonistic accusations that you had closed the source or that
> it was simply vapor-ware - the source would be there on record in the
> repository for anyone to reference. If we had made better progress on
> performing project reviews, we may have been able to manage some of
> the community's expectations for the project so that there wouldn't
> have been the firestorm that has ensued.

In light of the assumptions of the complaint from Tom Brennan that he
received from Google (i.e. August 2008) I won't release the source
code to the GPC repository either until their complaint is clarified,
as it would appear that I was encouraging people to violate Google's
Terms of Service and therefore OWASP would lose its standing with

was correct i.e. I was busy as I was considering exploring both the
AJAX Search API (again) and porting to the Bing SOAP service or
officially closing the project down which I intended to present at the
recent OWASP NL Meeting.

Due to https://lists.owasp.org/pipermail/owasp-australia/2010-June/thread.html,
the agreement that I had reached with Kate and Matt prior to departing
Australia (i.e. 24 June) was that this incident would be resolved when
I returned to Australia (i.e. 9 July).

The firestorm has ensued because, rather than follow the agreement
with Kate, particular senior members of the OWASP community (excluding
Andrew van der Stock) have tried to assist and, when I have declined
their offer, they have in turn insisted, resulting in it backfiring as I
expected and in more effort for everyone.

>> 2. Create additional metadata which communicates that unique projects with a limited shelf life, such as the OWASP "Google
>> Hacking" Project.
> I don't think additional metadata is necessary. Ideally, this type of
> information would be communicated in a project's roadmap. A project
> that has limited shelf life would simply reach the end of their
> roadmap and be considered "complete".

Unless the GPC puts the roadmap on the same page as
then people won't see this at a glance.

>> 4. Reconsider Andrew van der Stock's proposal to become a full time employee
> I can't really speak to that proposal - that's not a decision for the
> GPC. But I imagine budgetary considerations would preclude OWASP from
> pursuing it...

I believe he wanted USD$60K

Christian Heinrich - http://www.owasp.org/index.php/user:cmlh
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
