[Owasp-board] IMPORTANT: Proposed (revised) model for the 'OWASP Commercial Services' pages

dinis cruz dinis.cruz at owasp.org
Tue Jun 1 12:49:53 UTC 2010

On 1 Jun 2010, at 13:08, Tom Brennan - OWASP <tomb at owasp.org> wrote:

Great clarification, good framework.

Thanks, any problems with presenting this to the leaders as a model that
makes sense to the OWASP Board for the 'OWASP Commercial Services'?

Has this draft been shared with mike yet?

The answer to your question is at the bottom of my email. I did call him and
spent 16m trying to explain it to him.

He refused to understand, did not agree with the model, and took personal
offence to my comments.

Perhaps we should share this, request his proposal in a similar write up and
then invite him to the next board meeting to compare models "open" and a
final vote on the topic after hearing both sides. Typically this would be a
GPC focus.

Of course I want to share this (and we need to do it with the 'OWASP Board
voice'). But Mike's latest actions (namely the emails he sent yesterday to
the list AFTER he spoke to me) create a situation where we will have to
contradict him.

Might be politically correct, but we want to encourage volunteerism and use
this as another example of how OWASP really works.

Of course we want that, but there is a moment where we have to draw a line,
and in this case Mike crossed several lines that he shouldn't have crossed.

Like I said in my previous email, in my view, there are two courses of
action which we need to decide on ASAP (i.e. today)

1) Approve a model that the board recommends as the 'current proposed model
to see if we can get this to work' (based on the model I present below
(please feel free to propose changes))

2) Start the process of opening an 'OWASP Inquiry' on Mike's actions as
OWASP Leader (which we will also have to communicate to the leaders list)

To make 1) more calm in the short term, we also need to remove Mike from
that project/initiative and leave me and Eoin in there


On Jun 1, 2010, at 4:49 AM, Eoin <eoin.keary at owasp.org> wrote:

Also, as discussed in London,
there needs to be a minimum number of feedback entries (3 or so?) before any
feedback is posted, to ensure fairness and avoid targeted emotive reviews.


On 31 May 2010 20:17, dinis cruz <dinis.cruz at owasp.org> wrote:

> Board
> After much discussion with a lot of OWASP leaders (both online and
> personally) and after receiving a lot of direct comments/worries about how
> it was currently being set up (and led), I think we (the OWASP Leaders in
> London last week) have come up with a model that should work, and is VERY
> compatible with OWASP values and focus on visibility.
> Here is the proposed model (read it twice, since the first couple of Articles
> will only really make sense the 2nd time round :)  )
> ------------------------------
> Article 1: The OWASP Commercial Services (hosted at
> http://www.owasp.org/index.php/Commercial_Services) is a service provided
> by OWASP to its community aimed at:
> a) exposing the OWASP Community to companies
> providing commercial services (good or bad) around one or more OWASP
> Projects (Tools or Documents)
> b) rewarding companies, individuals or OWASP Leaders
> that provide successful commercial (i.e. paid for) services around OWASP
> Projects (with the hope that this will create a positive investment cycle
> that will greatly benefit those OWASP Projects and community)
> Article 2: The Companies or Individuals providing these commercial services
> ARE NOT ALLOWED to post on the 'OWASP Commercial Services' area any details
> about the services they currently provide
> Article 3: The only 'entities' that ARE ALLOWED to post on the 'OWASP
> Commercial Services' area are existing OWASP Members who are/were CLIENTS of
> those services, and who, ON THE RECORD, have to provide a comment (good or
> bad) about the services they receive.
> Article 4: The Companies or Individuals providing these commercial services
> ARE ALLOWED to comment on the comments made about them (i.e. from Article
> 3.)
> Article 5: ONLY the OWASP Project/Chapter Leaders ARE ALLOWED, at
> their discretion, good taste and common sense, to regularly communicate
> (i.e. advertise) to THEIR PROJECT MAILING LIST the commercial services
> provided around their project/chapter
> Article 6: There will be very clear points of contact for the reporting of
> any abuses on the 'OWASP Commercial Services' model (which optionally can be
> made anonymously). Any reports will be investigated by a team made of
> several OWASP Committee and Board members, with their findings and
> recommendations acted upon.
> Article 7: The first phase of the 'OWASP Commercial Services' will be
> implemented on top of the existing OWASP Website engine (i.e. MediaWiki) and
> as the transaction volume grows, and if needed, the service will move to a
> more powerful community/social web solution
> ------------------------------
> And that's it :)
> Here is what I like about this model and the problems it solves/prevents:
>    - it puts our community at the heart of this service in a way that they
>    also have a lot to benefit from its existence (in fact, if we do this right,
>    some companies could even join because of this)
>    - It only allows existing and (hopefully) successful commercial
>    deliveries of 'OWASP Projects related services' to be listed (i.e. there is
>    a hard requirement that the listings start with a 'real world' delivery of
>    one of these services)
>    - prevents the proactive existence of 'Marketing Speak', of the
>    tendency to write a 'Super list of ALL potential OWASP related services
>    provided by Company XYZ' and (more importantly) the exaggeration of the type
>    of services provided
>    - It creates a way for our projects/chapter leaders to advertise to
>    their communities the services being provided around their project
>    (including the ones they (the project leader) are providing and delivering)
>    - The room for abuse is quite limited by the fact that everything is on
>    the record (although we have to leave an obvious open channel  for direct
>    reports on such abuses)
>    - The fact that we put the onus of managing these commercial
>    communities on the project/chapter leader (or whoever he delegates to),
>    creates a nice 'self protecting system'. This happens because the
>    project/chapter leaders are 'by design' pressured to have an independent and
>    balanced opinion/position (since if he/she abuses his/her community he/she
>    will be killing it)
>    - finally if we get this right, we should see a huge increase in the
>    number of OWASP Leaders being directly paid to work on OWASP projects, which
>    has to be a good thing :)
> What do you think?
> Let's see if we can get a consensus from the board on this one, so that we
> can present this to the owasp-leaders and vote on it at the OWASP Board
> meeting next week.
> (Btw, I just called Mike Boberski to explain this 'revised' model to him and
> he was NOT happy with this model, but that is the topic for another email)
> Dinis Cruz
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board

Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author

