[Owasp-board] IMPORTANT: Proposed (revised) model for the 'OWASP Commercial Services' pages

Dave Wichers dave.wichers at owasp.org
Wed Jun 2 13:35:23 UTC 2010

Regarding Article 3: I'm thinking that any consumer of paid for OWASP
commercial services should be able to provide a comment, not just OWASP


Regarding Article 5: Rather than only posting to their project mailing list,
I would think the project lead should also be able to post about commercial
services they are aware of related to their project. I think these should
only be 'executed' services, not planned or advertised services. They can
work with the consumers (from article 3) to get the consumer's comments


But I think some phone time would be helpful for me to understand that.


Dinis - I'm in the office all day today and tomorrow if you have time to
call me at 301 604 4882 (in U.S. of course).




From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of dinis cruz
Sent: Monday, May 31, 2010 3:18 PM
To: OWASP Foundation Board List
Subject: [Owasp-board] IMPORTANT: Proposed (revised) model for the 'OWASP
Commercial Services' pages




After much discussion with a lot of OWASP leaders (both online and
personally) and after receiving a lot of direct comments/worries about how
it was currently being set up (and led), I think we (the OWASP Leaders in
London last week) have come up with a model that should work, and is VERY
compatible with OWASP values and focus on visibility.


Here is the proposed model (read it twice, since the first couple of Articles
will only really make sense the 2nd time round :)




Article 1: The OWASP Commercial Services (hosted at
http://www.owasp.org/index.php/Commercial_Services) is a service provided by
OWASP to its community aimed at:

  a) exposing the OWASP Community to companies providing commercial
services (good or bad) around one or more OWASP Projects (Tools or
Documents)

  b) rewarding companies, individuals or OWASP Leaders that provide
successful commercial (i.e. paid for) services around OWASP Projects (with
the hope that this will create a positive investment cycle that will greatly
benefit those OWASP Projects and community)


Article 2: The Companies or Individuals providing these commercial services
ARE NOT ALLOWED to post on the 'OWASP Commercial Services' area any details
about the services they currently provide 


Article 3: The only 'entities' that ARE ALLOWED to post on the 'OWASP
Commercial Services' area are existing OWASP Members who are/were CLIENTS of
those services, and who, ON THE RECORD, have to provide a comment (good or
bad) about the services they receive.


Article 4: The Companies or Individuals providing these commercial services
ARE ALLOWED to comment on the comments made about them (i.e. from Article


Article 5: ONLY the OWASP Project/Chapter Leaders ARE ALLOWED, at their
discretion, good taste and common sense, to regularly communicate (i.e.
advertise) to THEIR PROJECT MAILING LIST the commercial services provided
around their project/chapter


Article 6: There will be very clear points of contact for the reporting of
any abuses of the 'OWASP Commercial Services' model (which optionally can be
made anonymously). Any reports will be investigated by a team made up of
several OWASP Committee and Board members, with their findings and
recommendations acted upon.


Article 7: The first phase of the 'OWASP Commercial Services' will be
implemented on top of the existing OWASP Website engine (i.e. MediaWiki) and
as the transaction volume grows, and if needed, the service will move to a
more powerful community/social web solution




And that's it :)


Here is what I like about this model and the problems it solves/prevents:

*	it puts our community at the heart of this service in a way that
they also have a lot to benefit from its existence (in fact, if we do this
right, some companies could even join because of this)
*	It only allows existing and (hopefully) successful commercial
deliveries of 'OWASP Projects related services' to be listed (i.e. there is
a hard requirement that the listings start with a 'real world' delivery of
one of these services)
*	prevents the proactive existence of 'Marketing Speak', of the
tendency to write a 'Super list of ALL potential OWASP related services
provided by Company XYZ' and (more importantly) the exaggeration of the type
of services provided
*	It creates a way for our project/chapter leaders to advertise to
their communities the services being provided around their project
(including the ones they (the project leader) are providing and delivering)
*	The room for abuse is quite limited by the fact that everything is
on the record (although we have to leave an obvious open channel for direct
reports on such abuses)
*	The fact that we put the onus of managing these commercial
communities on the project/chapter leader (or whoever he delegates to)
creates a nice 'self protecting system'. This happens because the
project/chapter leaders are 'by design' pressured to have an independent and
balanced opinion/position (since if he/she abuses his/her community he/she
will be killing it)
*	finally, if we get this right, we should see a huge increase in the
number of OWASP Leaders being directly paid to work on OWASP projects, which
has to be a good thing :)


What do you think?


Let's see if we can get a consensus from the board on this one, so that we
can present this to the owasp-leaders and vote on it at the OWASP Board
meeting next week.


(Btw, I just called Mike Boberski to explain this 'revised' model to him and he
was NOT happy with this model, but that is the topic for another email)

Dinis Cruz
