[Owasp-board] IMPORTANT: Proposed (revised) model for the 'OWASP Commercial Services' pages

Eoin eoin.keary at owasp.org
Tue Jun 1 14:15:43 UTC 2010

My suggestion;

Please send the proposal with no "noise" in the email, simply the proposal,
so we can review and agree/disagree with this project.

1. Is this a viable project? (please reflect on the benefit to OWASP in
making this decision) (Y/N)
2. If (Y), are the stated governance articles sufficient? Do they need any
amendment, adjustment?

On 1 June 2010 13:49, dinis cruz <dinis.cruz at owasp.org> wrote:

> On 1 Jun 2010, at 13:08, Tom Brennan - OWASP <tomb at owasp.org> wrote:
>   Great clarification, good framework.
> Thanks, any problems with presenting this to the leaders as a model that
> makes sense to the OWASP Board for the 'OWASP Commercial Services'?
>   Has this draft been shared with mike yet?
> The answer to your question is at the bottom on my email. I did call him
> and spent 16m trying to explain it to him.
> He refused to understand, did not agree with the model, and took personal
> offence to my comments.
>   Perhaps we should share this, request his proposal in a similar write up
> and then invite him to the next board meeting to compare models "open" and a
> final vote on the topic after hearing both sides. Typically this would be a
> GPC focus.
> Of course I want to share this (and we need to do it with the 'OWASP Board
> voice'). But Mike's latest actions (namely the emails he sent yesterday to
> the list AFTER he spoke to me) create a situation where we will have to
> contradict him.
>   Might be politically correct, but we want to encourage volunteerism and
> use this as another example of how OWASP really works.
> Of course that we want, but there is a moment where we have to draw a line,
> and in this case Mike crossed several lines that he shouldn't have crossed
> Like I said in my previous email, in my view, there are two courses of
> action which we need to decide on ASAP (i.e. today)
> 1) Approve a model that the board recommends as the 'current proposed model
> to see if we can get this to work' (based on the model I present below
> (please feel free to propose changes))
> 2) Start the process of opening an 'OWASP Inquire' on Mike's actions as
> OWASP Leader (which we will also have to communicate to the leaders list)
> To make 1) more calm in the short term, we also need to remove Mike from
> that project/initiative and leave me and Eoin in there
> Dinis
> On Jun 1, 2010, at 4:49 AM, Eoin <eoin.keary at owasp.org> wrote:
>   Dinis/Board,
> also as discussed in London,
> There needs to be minimum number of feedback entries (3 or so?) before any
> feedback is posted to ensure fairness and avoid targeted emotive reviews.
> Eoin
> On 31 May 2010 20:17, dinis cruz <dinis.cruz at owasp.org> wrote:
>> Board
>> After much discussion with a lot of OWASP leaders (both online and
>> personally) and after receiving a lot of direct comments/worries about how
>> it was currently being set-up (and lead), I think we (the OWASP Leaders in
>> London last week) have come up with a model that should work, and is VERY
>> compatible with OWASP values and focus on visibility.
>> Here is the proposed model (read it twice (since the first couple
>> Articles will only really make sense the 2nd time round :) ))
>> ------------------------------
>> Article 1: The OWASP Commercial Services (hosted at
>> http://www.owasp.org/index.php/Commercial_Services) is a service provided
>> by OWASP to its community aimed at:
>>    a) exposing the OWASP Community to companies
>> providing commercial services (good or bad) around one or more OWASP
>> Projects (Tools or Documents)
>>    b) reward companies, individuals or OWASP Leaders
>> that provide successful commercial (i.e. paid for) services around OWASP
>> Projects (with the hope that this will create a positive investment cycle
>> that will greatly benefit those OWASP Projects and community)
>> Article 2: The Companies or Individuals providing these commercial
>> services ARE NOT ALLOWED to post on the 'OWASP Commercial Services' area any
>> details about the services they currently provide
>> Article 3: The only 'entities' that ARE ALLOWED to post on the 'OWASP
>> Commercial Services' area are existing OWASP Members who are/were CLIENTS of
>> those services, and who, ON THE RECORD, have to provide a comment (good or
>> bad) about the services they receive.
>> Article 4: The Companies or Individuals providing these commercial
>> services ARE ALLOWED to comment on the comments made about them (i.e. from
>> Article 3.)
>> Article 5: ONLY the OWASP Project/Chapter Leaders ARE ALLOWED, at
>> their discretion, good taste and common sense, to regularly communicate
>> (i.e. advertise) to THEIR PROJECT MAILING LIST the commercial services
>> provided around their project/chapter
>> Article 6: There will be very clear points of contact for the reporting of
>> any abuses on the 'OWASP Commercial Services' model (which optionally can be
>> made anonymously). Any reports will be investigated by a team made of
>> several OWASP Committee and Board members, with their findings and
>> recommendations acted upon.
>> Article 7: The first phase of the 'OWASP Commercial Services' will be
>> implemented on top of the existing OWASP Website engine (i.e. MediaWiki) and
>> as the transaction volume grows, and if needed, the service will move to a
>> more powerful community/social web solution
>> ------------------------------
>> And that's it :)
>> Here is what I like about this model and the problems it solves/prevents:
>>    - it puts our community at the heart of this service in a way they
>>    also have a lot to benefit from its existence (in fact, we do this
>>    right and some companies could even join because of this)
>>    - It only allows existing and (hopefully) successful commercial
>>    deliveries of 'OWASP Projects related services' to be listed (i.e. there is
>>    a hard requirement that the listings start with a 'real world' delivery of
>>    one of these services)
>>    - prevents the proactive existence of 'Marketing Speak', of the
>>    tendency to write a 'Super list of ALL potential OWASP related services
>>    provided by Company XYZ' and (more importantly) the exaggeration of the type
>>    of services provided
>>    - It creates a way for our projects/chapter leaders to advertise to
>>    their communities the services being provided around their project
>>    (including the ones they (the project leader) are providing and delivering)
>>    - The room for abuse is quite limited by the fact that everything is
>>    on the record (although we have to leave an obvious open channel for direct
>>    reports on such abuses)
>>    - The fact that we put the onus of managing these commercial
>>    communities on the project/chapter leader (or whoever he delegates to),
>>    creates a nice 'self protecting system'. This happens because the
>>    project/chapter leaders are 'by design' pressured to have an independent and
>>    balanced opinion/position (since if he/she abuses his/her community he/she
>>    will be killing it)
>>    - finally if we get this right, we should see a huge increase in the
>>    number of OWASP Leaders being directly paid to work on OWASP projects, which
>>    has to be a good thing :)
>> What do you think?
>> Let's see if we can get a consensus from the board on this one, so that we
>> can present this to the owasp-leaders and vote on it at the OWASP Board
>> meeting next week.
>> (Btw, I just called Mike Boberski to explain him this 'revised' model and
>> he was NOT happy with this model, but that is the topic for another email)
>> Dinis Cruz
> --
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
> http://asg.ie/
> https://twitter.com/EoinKeary

Eoin Keary
OWASP Global Board Member
OWASP Code Review Guide Lead Author
