[Owasp-board] ESAPI

Josh Sokol josh.sokol at owasp.org
Wed Jan 16 14:37:00 UTC 2013


I'm concerned about the approach of paying for people rather than for
features.  I'm sure Kevin is doing a lot, but giving him $X to do something
seems like we're favoring the individual to do something.  Wouldn't it be
better if we took an approach similar to Metasploit's exploit bounties and
listed a set of features we wanted and how much we were willing to pay for
them?  Individuals could then sign up for them and complete them in order
to collect the bounty.  We could even issue a bounty for code review of the
completed code to ensure quality.  If Kevin is as good as you say, then he
should have no problem collecting on some of these bounties, but at least
this approach doesn't favor any individual and still allows us to pay for
specific contributions to specific projects.  Thoughts?

~josh


On Wed, Jan 16, 2013 at 5:19 AM, Samantha Groves
<samantha.groves at owasp.org> wrote:

> Hello Seba and Jim,
>
> I certainly do think that ESAPI needs a committed project leader and a
> dedicated project support team to help take it to the next level of
> development. As ESAPI is one of our Flagship projects, I see nothing wrong
> with giving the initiative an extra amount of support from the foundation.
> That being said, the amount of support we choose to give this project will
> need to be reproduced for at least all 15 Flagship projects. I suggest we
> keep this in mind when discussing how to provide support to ESAPI.
>
> SG
>
>
> On Wed, Jan 16, 2013 at 6:13 AM, Seba <seba at owasp.org> wrote:
>
>> Hi Jim,
>> Sounds like a good suggestion for the short term.
>> In the longer term, ESAPI needs a committed project manager and
>> project/support team to evolve it into the de facto standard security
>> framework example/implementation supported by a reliable community.
>>
>> Samantha: what are your thoughts?
>>
>> --seba
>>
>>
>> On Tue, Jan 15, 2013 at 9:25 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> We have 5k in funding for ESAPI. ESAPI for Java is the main version of
>>> ESAPI.
>>>
>>> Most everyone who was on the project dropped out, myself included.
>>>
>>> Kevin Wall is the "last man standing" working on the project. And
>>> frankly, his code is the highest quality - by far - on the project.
>>>
>>> Can we spend some of the 5k in ESAPI funding to pay Kevin to finish the
>>> next release?
>>>
>>> He did not ask for this; this is my suggestion to use funds to move a
>>> key project along in support of our mission.
>>>
>>> - Jim
>>>
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>
>>
>>
>
>
> --
>
> *Samantha Groves, MBA*
>
> *OWASP Project Manager*
>
> The OWASP Foundation
>
> London, United Kingdom
>
> Email: samantha.groves at owasp.org
>
> Skype: samanthahz
>
>
> Book a Meeting with Me <http://goo.gl/mZXdZ>
>
> OWASP Contact US Form <http://owasp4.owasp.org/contactus.html>
>
> New Project Application Form <https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dHZfWGhHZ0Z4UFFwZU42djBXcVVLSlE6MQ#gid=0>
>

