[Owasp-board] IMPORTANT: Proposed (revised) model for the 'OWASP Commercial Services' pages

Seba seba at owasp.org
Wed Jun 2 17:49:17 UTC 2010

I agree with the principle of having this 'list' with a feedback cycle
that creates potentially valuable guidance for organisations looking for
quality people/companies.
Several questions/comments in the document.
We need to be very clear on roles & responsibilities up front and
refrain from fuzzy wording.

On Mike: to be honest I have not been in direct contact with him.
If people within the community believe he has violated one of our
ethic codes/principles in an obvious and undisputed way, we need to
have a mechanism/escalation path that protects our community.
I don't think we have a formal mechanism yet, so I think it is unfair
to simply strip Mike of his OWASP leadership without a clearly
defined escalation procedure that is voted upon by the board and
communicated/RFC'ed towards all the leaders.

On Wed, Jun 2, 2010 at 4:36 PM, Eoin <eoin.keary at owasp.org> wrote:
> Ok,
> I am happy with this as per my last mail (below)
> Proposal is attached.
> If changes are to be made please change this document and redistribute and
> change version so we can track changes.
> I would like to amend/add the following:
> "There needs to be minimum number of feedback entries, 3, from three
> disparate groups/organisations/individuals before any feedback is posted to
> ensure fairness and avoid targeted emotive reviews."
> On 1 June 2010 09:49, Eoin <eoin.keary at owasp.org> wrote:
>> Dinis/Board,
>> also as discussed in London,
>> There needs to be minimum number of feedback entries (3 or so?) before any
>> feedback is posted to ensure fairness and avoid targeted emotive reviews.
>> Eoin
>> On 31 May 2010 20:17, dinis cruz <dinis.cruz at owasp.org> wrote:
>>> Board
>>> After much discussion with a lot of OWASP leaders (both online and
>>> personally) and after receiving a lot of direct comments/worries about how
>>> it was currently being set-up (and lead), I think we (the OWASP Leaders in
>>> London last week) have come up with a model that should work, and is VERY
>>> compatible with OWASP values and focus on visibility.
>>> Here is the proposed model (read it twice (since the first couple of
>>> Articles will only really make sense the 2nd time round :)  )
>>> ------------------------------
>>> Article 1: The OWASP Commercial Services (hosted
>>> at http://www.owasp.org/index.php/Commercial_Services) is a service provided
>>> by OWASP to its community aimed at:
>>> a) exposing the OWASP Community to companies
>>> providing commercial services (good or bad) around one or more OWASP
>>> Projects (Tools or Documents)
>>> b) rewarding companies, individuals or OWASP Leaders
>>> that provide successful commercial (i.e. paid for) services around OWASP
>>> Projects (with the hope that this will create a positive investment cycle
>>> that will greatly benefit those OWASP Projects and community)
>>> Article 2: The Companies or Individuals providing these commercial
>>> services ARE NOT ALLOWED to post on the 'OWASP Commercial Services' area any
>>> details about the services they currently provide
>>> Article 3: The only 'entities' that ARE ALLOWED to post on the 'OWASP
>>> Commercial Services' area are existing OWASP Members who are/were CLIENTS of
>>> those services, and who, ON THE RECORD, have to provide a comment (good or
>>> bad) about the services they receive.
>>> Article 4: The Companies or Individuals providing these commercial
>>> services ARE ALLOWED to comment on the comments made about them (i.e. from
>>> Article 3.)
>>> Article 5: ONLY the OWASP Project/Chapter Leaders ARE ALLOWED, at
>>> their discretion, good taste and common sense, to regularly communicate
>>> (i.e. advertise) to THEIR PROJECT MAILING LIST the commercial services
>>> provided around their project/chapter
>>> Article 6: There will be very clear points of contact for the reporting
>>> of any abuses on the 'OWASP Commercial Services' model (which optionally can
>>> be made anonymously). Any reports will be investigated by a team made
>>> of several OWASP Committee and Board members, with their findings and
>>> recommendations acted upon.
>>> Article 7: The first phase of the 'OWASP Commercial Services' will be
>>> implemented on top of the existing OWASP Website engine (i.e. MediaWiki) and
>>> as the transaction volume grows, and if needed, the service will move to a
>>> more powerful community/social web solution
>>> ------------------------------
>>> And that's it :)
>>> Here is what I like about this model and the problems it solves/prevents:
>>> it puts our community at the heart of this service in a way that they
>>> also have a lot to benefit from its existence (in fact, if we do this right
>>> some companies could even join because of this)
>>> It only allows existing and (hopefully) successful commercial deliveries
>>> of 'OWASP Projects related services' to be listed (i.e. there is a hard
>>> requirement that the listings start with a 'real world' delivery of one of
>>> these services)
>>> prevents the proactive existence  of 'Marketing Speak', of the tendency
>>> to write a 'Super list of ALL potential OWASP related services provided by
>>> Company XYZ' and (more importantly) the exaggeration of the type of services
>>> provided
>>> It creates a way for our projects/chapter leaders to advertise to their
>>> communities the services being provided around their project (including the
>>> ones they (the project leader) are providing and delivering)
>>> The room for abuse is quite limited by the fact that everything is on the
>>> record (although we have to leave an obvious open channel  for direct
>>> reports on such abuses)
>>> The fact that we put the onus of managing these commercial communities on
>>> the project/chapter leader (or whoever he delegates to), creates a nice
>>> 'self protecting system'. This happens because the project/chapter leaders
>>> are 'by design' pressured to have an independent and balanced
>>> opinion/position (since if he/she abuses his/her community he/she will be
>>> killing it)
>>> finally if we get this right, we should see a huge increase in the number
>>> of OWASP Leaders being directly paid to work on OWASP projects, which has to
>>> be a good thing :)
>>> What do you think?
>>> Let's see if we can get a consensus from the board on this one, so that we
>>> can present this to the owasp-leaders and, vote on it at the OWASP Board
>>> meeting next week.
>>> (Btw, I just called Mike Boberski to explain this 'revised' model to him and
>>> he was NOT happy with this model, but that is the topic for another email)
>>> Dinis Cruz
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>> --
>> Eoin Keary
>> OWASP Global Board Member
>> OWASP Code Review Guide Lead Author
>> http://asg.ie/
>> https://twitter.com/EoinKeary
> --
> Eoin Keary
> OWASP Global Board Member
> OWASP Code Review Guide Lead Author
> Sent from my i-Transmogrifier
> http://asg.ie/
> https://twitter.com/EoinKeary
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OWASP Commercial Registery v1_3.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 17016 bytes
Desc: not available
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20100602/82468717/attachment.docx>
