[Owasp-board] SpoC Financials

Jeff Williams jeff.williams at owasp.org
Mon Mar 5 04:54:41 UTC 2007

I don't have a problem with this at all, although I think that projects that
are not OWASP projects will have a difficult time getting high scores using
the current criteria (which I think are right).  So let's see how it comes
From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Dave Wichers
Sent: Sunday, March 04, 2007 1:09 PM
To: 'OWASP Board'
Subject: Re: [Owasp-board] SpoC Financials


This seems interesting/weird to me. Are we saying that people can propose a
project that is not an OWASP project and still get OWASP to fund it? That
seems somewhat odd to me. That said, I think helping other efforts like PHP
wouldn't be a bad idea.


We have to be careful about match funding, because we only have so much.
Maybe we can say that we'll work on getting match funding for projects, and
the match might come from OWASP, and it might come from another sponsor. Why
would they care where the match $ came from, as long as it leverages their
$. In fact, we might be able to get multiple matches to one sponsor's
pledge, which would be cool, since then we'd get 3 or more times the
original amount pledged.
From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Dinis Cruz
Sent: Sunday, March 04, 2007 11:26 AM
To: Andrew van der Stock
Cc: OWASP Board
Subject: Re: [Owasp-board] SpoC Financials


Of course we can sponsor PHP projects; in theory there are only two
limitations in SpoC: 1) none of us can apply and 2) the applicant must be
from a country OWASP can do business with (well, the amount of money
available is also a limitation :) )

What we need is good proposals for projects. So Andrew, rattle up your PHP
contacts and use SpoC to sponsor them.

Regarding the match-funding of projects by other organizations, that is one
of the ideas that I want to put out in the membership drive. I will propose
multiple ideas for other companies (and non-profit organizations) to match
fund SpoC projects (as in OWASP puts in 5k and they put in 5k) 

On the financials, the last number that I saw was that we had 180k in the
bank, so I don't think the 100k will hurt that much. Also remember that we
DON'T have to allocate the 100k if the level of proposals doesn't justify


On 3/4/07, Andrew van der Stock <vanderaj at owasp.org> wrote:


Is there any way we could help (say) the PHP project itself? By far the
worst offender is the lack of security architecture around PHP, which leads
to many apps re-doing the usual suspects (authC, authZ, session management
(if they do it at all + PHP is a shared-nothing language), data validation,
output filtering, the works). It's too hard for a normal PHP app to be
secure. Helping PHP 6.0 become secure by offering to pay someone (or some
people) who is an acknowledged PHP security dude would really help. If we
help fund good quality work like the Zend Framework, maybe we could ask Zend
to match us dollar for dollar.

Dave - is the money right and would it leave enough for you to do OWASP EU,
especially since SPI aren't paying until later?


On 3/4/07 12:15 AM, "Dinis Cruz" <dinis at ddplus.net> wrote:

Ok, I want to take the opportunity that I am in San Jose and will be
participating in the San Francisco Chapter next Tuesday to launch SpoC.

And what I need from you is to agree on the financials.

Here are my ideas (this is a variation of the email I sent a while back): 

*	No member of the OWASP board is allowed to apply to a SpoC
sponsorship (i.e. the four of us :) )
*	We encourage OWASP project leaders to submit proposals. I am planning
to have a variation of the
which favours them

*	Initial Budget will be $109,000 (100k from OWASP and 9k from SPI
Dynamics). And this is before the membership drive
*	For the 100k for project sponsorships I would like to propose the
following numbers as an initial guideline (of course, depending on the
proposals, we will reorganize this)

	*	$20,000 on 1 Large project
	*	$40,000 on Big projects - 8 projects @ $5,000 each
	*	$22,500 on Medium projects - 9 projects @ $2,500 each
	*	$7,500 on 1 internship (at Aspect's offices)
	*	$10,000 on Donations to Open Source projects: 10 donations of $1,000

*	I will want to allocate one Big or Medium sponsorship to somebody
to help manage the whole SpoC process
*	I don't think we should normalize these sponsorship numbers by GNI
(although we might take into account the location of the applicant). This at
the moment favours lower rating GNI applicants, but on the AoC that wasn't
really an issue.
*	The 10 'Donations to Open Source projects' ($1,000 each) is an idea
that I REALLY would like you guys to accept since it is win-win all over the

	*	The idea is to get OWASP Members (and only the members) to vote on
the top 10 Open Source projects they use in their companies (we might need
to make each corporate member worth 10 points and individual members 1

	*	This would exclude OWASP projects since they can apply to SpoC

	*	Naturally the payment would be made to the top 10 voted projects
	*	The payment would be a no-strings-attached "Thanks for the hard work
in creating this tool (which is widely used and appreciated in the OWASP
community) and please keep working on the next version"
	*	This would be another 'unique benefit to OWASP members'
	*	And the PR/Media coverage should be great. We can even announce
and present them at OWASP conferences (to make it a bit more official)

*	For timescales, here are two versions:

	*	Aggressive TimeScale (my preference):

		*	6th March: SpoC launch and request for proposals
		*	22nd March: Submission Period is finished
		*	1st April: SpoC Results are announced and SpoC projects begin
		*	30 June: SpoC ends

	*	More relaxed TimeScale:

		*	6th March: SpoC launch and request for proposals
		*	1st April: Submission Period is finished
		*	15th April: Results are announced
		*	1st May: SpoC projects begin
		*	31 July: SpoC ends

Ok, guys what do you think? 

I will start working on the SpoC Press release now
Owasp-board mailing list
Owasp-board at lists.owasp.org

Dinis Cruz
Chief OWASP Evangelist, Are you a member yet?
