[Owasp-board] SpoC Financials

Andrew van der Stock vanderaj at owasp.org
Mon Mar 5 10:02:36 UTC 2007


I am meeting at the Columbia PHP User Group tonight. Two core folks will be
there: Chris Shiflett and Wez Furlong. I will bring it up and get them to
submit an application. Let's score it as if it were any other submission,
but let's also keep in mind if PHP went from the way ASP was to how
relatively good ASP.NET is, we'd see far fewer things in the open source
world.

These are the real world statistics from SourceForge:

http://www.cs.berkeley.edu/~flab/languages.html

18% of all projects are in Java, but not all of these are web apps. 13% of
all apps are PHP, and I'd say nearly 100% of those would be web apps. Only
0.58% are ASP, and 3.29% are in C#.

Thanks,
Andrew  


On 3/4/07 11:54 PM, "Jeff Williams" <jeff.williams at owasp.org> wrote:

> I don't have a problem with this at all, although I think that projects that
> are not OWASP projects will have a difficult time getting high scores using
> the current criteria (which I think are right).  So let's see how it comes
> out?
>  
> 
> --Jeff
> 
>  
> 
>  
> 
> 
> From: owasp-board-bounces at lists.owasp.org
> [mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Dave Wichers
> Sent: Sunday, March 04, 2007 1:09 PM
> To: 'OWASP Board'
> Subject: Re: [Owasp-board] SpoC Financials
>  
> This seems interesting/weird to me. Are we saying that people can propose a
> project that is not an OWASP project and still get OWASP to fund it? That
> seems somewhat odd to me. That said, I think helping other efforts like PHP
> wouldn't be a bad idea.
>  
> We have to be careful about match funding, because we only have so much. Maybe
> we can say that we'll work on getting match funding for projects, and the
> match might come from OWASP, and it might come from another sponsor. Why would
> they care where the match $ came from, as long as it leverages their $. In
> fact, we might be able to get multiple matches to one sponsor's pledge, which
> would be cool, since then we'd get 3 or more times the original amount
> pledged.
>  
> -Dave
>  
> 
> 
> From: owasp-board-bounces at lists.owasp.org
> [mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Dinis Cruz
> Sent: Sunday, March 04, 2007 11:26 AM
> To: Andrew van der Stock
> Cc: OWASP Board
> Subject: Re: [Owasp-board] SpoC Financials
>  
> Of course we can sponsor  PHP projects, in theory there are only two
> limitations in SpoC: 1) none of us can apply and 2) the applicant must be from
> a country OWASP can do business with (well the amount of money available is
> also a limitation :)  )
> 
> What we need is good proposals for projects. So Andrew rattle up your PHP
> contacts and use SpoC to sponsor them.
> 
> Regarding the match-funding of projects by other organizations, that is one of
> the ideas that I want to put out in the membership drive. I will propose
> multiple ideas for other companies (and non-profit organizations) to match
> fund SpoC projects (as in OWASP puts in 5k and they put in 5k)
> 
> On the financials, the last number that I saw was that we had 180k in the
> bank, so I don't think the 100k will hurt that much. Also remember that we
> DON'T have to allocate the 100k if the level of proposals doesn't justify it.
> 
> Dinis
> 
> On 3/4/07, Andrew van der Stock <vanderaj at owasp.org> wrote:
> 
> Dinis,
> 
> Is there any way we could help (say) the PHP project itself? By far the worst
> offender is the lack of security architecture around PHP which leads to many
> apps re-doing the usual suspects (authC, authZ, session management (if they do
> it at all + php is a shared nothing language), data validation, output
> filtering, the works. It's too hard for a normal PHP app to be secure. Helping
> PHP 6.0 become secure by offering to pay someone (or some people) who is an
> acknowledged PHP security dude would really help. If we help fund good quality
> work like the Zend Framework, maybe we could ask Zend to match us dollar for
> dollar. 
> 
> Dave - is the money right and would it leave enough for you to do OWASP EU,
> especially since SPI aren't paying until later?
> 
> Thanks,
> Andrew
> 
> 
> On 3/4/07 12:15 AM, "Dinis Cruz" <dinis at ddplus.net> wrote:
> Ok, I want to take opportunity that I am in San Jose and will be participating
> in the San Francisco Chapter next Tuesday to launch SpoC.
> 
> And what I need from you is to agree on the financials.
> 
> Here are my ideas (this is a variation of the email I sent a while back):
> * No member of the OWASP board is allowed to apply to a SpoC sponsorship (i.e.
> the four of us :) )
> * We encourage OWASP project leaders to submit proposals. I am planning to have
> a variation of the
> http://www.owasp.org/index.php/OWASP_Autumn_of_Code_2006_-_Selection which
> favours them
> * Initial Budget will be $109,000 (100k from OWASP and 9 from SPI Dynamics).
> And this is before the membership drive
> * For 100k for projects sponsorships I would like to propose the following
> numbers as an initial guideline (of course that depending on the proposals we
> will reorganize this)
>> * $20,000 on 1 Large project
>> * $40,000 on Big projects - 8 projects @ $5,000 each
>> * $22,500 on Medium projects - 9 projects @ $2,500 each
>> * $7,500 on 1 internship (at Aspect's offices)
>> * $10,000 on Donations to Open Source projects: 10 donations of $1,000 each
> * I will want to allocate one Big or Medium sponsorship to somebody to help
> manage the whole SpoC process
> * I don't think we should normalize these sponsorship numbers by GNI (although
> we might take into account the location of the applicant). This at the moment
> favours lower rating GNI applicants, but on the AoC that wasn't really an
> issue. 
> * The 10 'Donations to Open Source projects' ($1,000 each) is an idea that I
> REALLY would like you guys to accept since it is win-win all over the place:
>> * The idea is to get OWASP Members (and only the members) to vote on the top
>> 10 Open Source projects they use in their companies (we might need to make
>> each corporate member worth 10 points and individual members 1 point)
>>> * This would exclude OWASP projects since they can apply to SpoC
>> * Naturally the payment would be made to the top 10 voted projects
>> * The payment would be a no-strings attached "Thanks for the hard work in
>> creating this tool (which is widely used and appreciated in the OWASP
>> community) and please keep working on the next version"
>> * This would be another 'unique benefit to OWASP members'
>> * And the PR/Media coverage should be great. We can even announce and
>> present them at OWASP conferences (to make it a bit more official)
> * For Timescales here are two versions
>> * Aggressive TimeScale (my preference):
>>> * 6th March: SpoC launch and request for proposals
>>> * 22nd March: Submission Period is finished
>>> * 1st April: SPoC Results are announced and SpoC projects begin
>>> * 30 June: SpoC ends
>> * More relaxed TimeScale:
>>> * 6th March: SpoC launch and request for proposals
>>> * 1st April: Submission Period is finished
>>> * 15th April: Results are announced
>>> * 1st May: SpoC projects begin
>>> * 31 July: SpoC ends
> Ok, guys what do you think?
> 
> I will start working on the SpoC Press release now
> 
> Dinis
> 
> 