[Owasp-board] Fwd: IMPORTANT: Proposed (revised) model for the 'OWASP Commercial Services' pages

dinis cruz dinis.cruz at owasp.org
Tue Jun 1 11:34:39 UTC 2010

just in case you got this buried in your emails, here is my proposed model
for the 'OWASP Commercial Services' pages/area

I really would like to get a vote on this today, so that I can send it to
the leaders and defuse the current situation created by Mike

Sent from my iPad

Begin forwarded message:

*From:* dinis cruz <dinis.cruz at owasp.org>
*Date:* 31 May 2010 20:17:59 GMT+01:00
*To:* OWASP Foundation Board List <owasp-board at lists.owasp.org>
*Subject:* *IMPORTANT: Proposed (revised) model for the 'OWASP Commercial
Services' pages*


After much discussion with a lot of OWASP leaders (both online and
personally) and after receiving a lot of direct comments/worries about how
it was currently being set up (and led), I think we (the OWASP Leaders in
London last week) have come up with a model that should work, and is VERY
compatible with OWASP values and focus on visibility.

Here is the proposed model (read it twice, since the first couple of Articles
will only really make sense the 2nd time round :) )


Article 1: The OWASP Commercial Services (hosted at
http://www.owasp.org/index.php/Commercial_Services) is a service provided by
OWASP to its community aimed at:
                        a) exposing the OWASP Community to companies
providing commercial services (good or bad) around one or more OWASP
Projects (Tools or Documents)
                        b) rewarding companies, individuals or OWASP Leaders
that provide successful commercial (i.e. paid for) services around OWASP
Projects (with the hope that this will create a positive investment cycle
that will greatly benefit those OWASP Projects and community)

Article 2: The Companies or Individuals providing these commercial services
ARE NOT ALLOWED to post on the 'OWASP Commercial Services' area any details
about the services they currently provide

Article 3: The only 'entities' that ARE ALLOWED to post on the 'OWASP
Commercial Services' area are existing OWASP Members who are/were CLIENTS of
those services, and who, ON THE RECORD, have to provide a comment (good or
bad) about the services they receive.

Article 4: The Companies or Individuals providing these commercial services
ARE ALLOWED to comment on the comments made about them (i.e. from Article

Article 5: ONLY the OWASP Project/Chapter Leaders ARE ALLOWED, at
their discretion, good taste and common sense, to regularly communicate
(i.e. advertise) to THEIR PROJECT MAILING LIST the commercial services
provided around their project/chapter

Article 6: There will be very clear points of contact for the reporting of
any abuses on the 'OWASP Commercial Services' model (which optionally can be
made anonymously). Any reports will be investigated by a team made of
several OWASP Committee and Board members, with their findings and
recommendations acted upon.

Article 7: The first phase of the 'OWASP Commercial Services' will be
implemented on top of the existing OWASP Website engine (i.e. MediaWiki) and
as the transaction volume grows, and if needed, the service will move to a
more powerful community/social web solution


And that's it :)

Here is what I like about this model and the problems it solves/prevents:

   - it puts our community at the heart of this service in a way that they
   also have a lot to benefit from its existence (in fact, if we do this right,
   some companies could even join because of this)
   - It only allows existing and (hopefully) successful commercial
   deliveries of 'OWASP Projects related services' to be listed (i.e. there is
   a hard requirement that the listings start with a 'real world' delivery of
   one of these services)
   - prevents the proactive existence of 'Marketing Speak', of the tendency
   to write a 'Super list of ALL potential OWASP related services provided by
   Company XYZ' and (more importantly) the exaggeration of the type of services
   - It creates a way for our projects/chapter leaders to advertise to their
   communities the services being provided around their project (including the
   ones they (the project leader) are providing and delivering)
   - The room for abuse is quite limited by the fact that everything is on
   the record (although we have to leave an obvious open channel for direct
   reports on such abuses)
   - The fact that we put the onus of managing these commercial communities
   on the project/chapter leader (or whoever he delegates to), creates a nice
   'self protecting system'. This happens because the project/chapter leaders
   are 'by design' pressured to have an independent and balanced
   opinion/position (since if he/she abuses his/her community he/she will be
   killing it)
   - finally if we get this right, we should see a huge increase in the
   number of OWASP Leaders being directly paid to work on OWASP projects, which
   has to be a good thing :)

What do you think?

Let's see if we can get a consensus from the board on this one, so that we
can present this to the owasp-leaders and vote on it at the OWASP Board
meeting next week.

(Btw, I just called Mike Boberski to explain this 'revised' model to him and he
was NOT happy with this model, but that is the topic for another email)

Dinis Cruz