[Owasp-board] IMPORTANT: Proposed (revised) model for the 'OWASP Commercial Services' pages
eoin.keary at owasp.org
Tue Jun 1 14:15:43 UTC 2010
Please send the proposal with no "noise" in the email, simply the proposal,
so we can review and agree/disagree with this project.
1. Is this a viable project? (please reflect on the benefit to OWASP in
making this decision) (Y/N)
2. If (Y), are the stated governance articles sufficient? Do they need any
On 1 June 2010 13:49, dinis cruz <dinis.cruz at owasp.org> wrote:
> On 1 Jun 2010, at 13:08, Tom Brennan - OWASP <tomb at owasp.org> wrote:
> Great clarification, good framework.
> Thanks, any problems with presenting this to the leaders as a model that
> makes sense to the OWASP Board for the 'OWASP Commercial Services'?
> Has this draft been shared with mike yet?
> The answer to your question is at the bottom on my email. I did call him
> and spent 16m trying to explain it to him.
> He refused to understand, did not agree with the model, and took personal
> offence to my comments.
> Perhaps we should share this, request his proposal in a similar write up
> and then invite him to the next board meeting to compare models "open" and a
> final vote on the topic after hearing both sides. Typically this would be a
> GPC focus.
> Of course I want to share this (and we need to do it with the 'OWASP Board
> voice'). But Mike's latest actions (namely the emails he sent yesterday to
> the list AFTER he spoke to me) create a situation where we will have to
> contradict him.
> Might be politically correct, but we want to encourage volunteerism and
> use this as another example of how OWASP really works.
> Of course that we want, but there is a moment where we have to draw a line,
> and in this case Mike crossed several lines that he shouldn't have crossed
> Like I said in my previous email, in my view, there are two courses of
> action which we need to decide on ASAP (i.e. today)
> 1) Approve a model that the board recommends as the 'current proposed model
> to see if we can get this to work' (based on the model I present below
> (please feel free to propose changes))
> 2) Start the process of opening an 'OWASP Inquire' on Mike's actions as
> OWASP Leader (which we will also have to communicate to the leaders list)
> To make 1) more calm in the short term, we also need to remove Mike from
> that project/initiative and leave me and Eoin in there
> On Jun 1, 2010, at 4:49 AM, Eoin <eoin.keary at owasp.org> wrote:
> also as discussed in London,
> There needs to be minimum number of feedback entries (3 or so?) before any
> feedback is posted to ensure fairness and avoid targeted emotive reviews.
> On 31 May 2010 20:17, dinis cruz <dinis.cruz at owasp.org> wrote:
>> After much discussion with a lot of OWASP leaders (both online and
>> personally) and after receiving a lot of direct comments/worries about how
>> it was currently being set-up (and led), I think we (the OWASP Leaders in
>> London last week) have come up with a model that should work, and is VERY
>> compatible with OWASP values and focus on visibility.
>> Here is the proposed model (read it twice (since the first couple
>> Articles will only really make sense the 2nd time round :) )
>> Article 1: The OWASP Commercial Services (hosted at
>> http://www.owasp.org/index.php/Commercial_Services) is a service provided
>> by OWASP to its community aimed at:
>> a) exposing the OWASP Community to companies
>> providing commercial services (good or bad) around one or more OWASP
>> Projects (Tools or Documents)
>> b) reward companies, individuals or OWASP Leaders
>> that provide successful commercial (i.e. paid for) services around OWASP
>> Projects (with the hope that this will create a positive investment cycle
>> that will greatly benefit those OWASP Projects and community)
>> Article 2: The Companies or Individuals providing these commercial
>> services ARE NOT ALLOWED to post on the 'OWASP Commercial Services' area any
>> details about the services they currently provide
>> Article 3: The only 'entities' that ARE ALLOWED to post on the 'OWASP
>> Commercial Services' area are existing OWASP Members who are/were CLIENTS of
>> those services, and who, ON THE RECORD, have to provide a comment (good or
>> bad) about the services they receive.
>> Article 4: The Companies or Individuals providing these commercial
>> services ARE ALLOWED to comment on the comments made about them (i.e. from
>> Article 3.)
>> Article 5: ONLY the OWASP Project/Chapter Leaders ARE ALLOWED, at
>> their discretion, good taste and common sense, to regularly communicate
>> (i.e. advertise) to THEIR PROJECT MAILING LIST the commercial services
>> provided around their project/chapter
>> Article 6: There will be very clear points of contact for the reporting of
>> any abuses on the 'OWASP Commercial Services' model (which optionally can be
>> made anonymously). Any reports will be investigated by a team made of
>> several OWASP Committee and Board members, with their findings and
>> recommendations acted upon.
>> Article 7: The first phase of the 'OWASP Commercial Services' will be
>> implemented on top of the existing OWASP Website engine (i.e. MediaWiki) and
>> as the transaction volume grows, and if needed, the service will move to a
>> more powerful community/social web solution
>> And that's it :)
>> Here is what I like about this model and the problems it solves/prevents:
>> - it puts our community at the heart of this service in a way they
>> also have a lot to benefit from its existence (in fact, we do this
>> right and some companies could even join because of this)
>> - It only allows existing and (hopefully) successful commercial
>> deliveries of 'OWASP Projects related services' to be listed (i.e. there is
>> a hard requirement that the listings start with a 'real world' delivery of
>> one of these services)
>> - prevents the proactive existence of 'Marketing Speak', of the
>> tendency to write a 'Super list of ALL potential OWASP related services
>> provided by Company XYZ' and (more importantly) the exaggeration of the type
>> of services provided
>> - It creates a way for our projects/chapter leaders to advertise to
>> their communities the services being provided around their project
>> (including the ones they (the project leader) are providing and delivering)
>> - The room for abuse is quite limited by the fact that everything is
>> on the record (although we have to leave an obvious open channel for direct
>> reports on such abuses)
>> - The fact that we put the onus of managing these commercial
>> communities on the project/chapter leader (or whoever he delegates to),
>> creates a nice 'self protecting system'. This happens because the
>> project/chapter leaders are 'by design' pressured to have an independent and
>> balanced opinion/position (since if he/she abuses his/her community he/she
>> will be killing it)
>> - finally if we get this right, we should see a huge increase in the
>> number of OWASP Leaders being directly paid to work on OWASP projects, which
>> has to be a good thing :)
>> What do you think?
>> Let's see if we can get a consensus from the board on this one, so that we
>> can present this to the owasp-leaders and, vote on it at the OWASP Board
>> meeting next week.
>> (Btw, I just called Mike Boberski to explain him this 'revised' model and
>> he was NOT happy with this model, but that is the topic for another email)
>> Dinis Cruz
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
OWASP Global Board Member
OWASP Code Review Guide Lead Author