[Owasp-board] ESAPI

Jason Li jason.li at owasp.org
Thu Jan 17 16:58:16 UTC 2013


Agreed that we should focus on achievable, actionable goals rather than
open ended "pay developer $5k to 'work' on the project".

While philosophically, there's some contention about paying leaders, even
back when we DID pay leaders (e.g. Seasons of Code), it was for a specific
action plan.

I don't see how OWASP can ensure it gets some value any other way than to
have some kind of specific goal deliverable - whether it's a feature, bug
fix, etc.

-Jason

On Thursday, January 17, 2013, Tom Brennan wrote:

> Like the bounties on projects personally. Aligned with strategic annual
> investments for projects (budgeted investment) this measurable with results.
>
>
> On Jan 17, 2013, at 10:58 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
> Complex?  I would think that the project already has a list of bugs and
> features that we'd like to further develop.  It wouldn't take much to
> assign a value to those based on a very basic LOE which I'd imagine Kevin
> could provide fairly easily.  And in terms of a committed PM, I thought
> that OWASP hired someone (Samantha?) to help run the project initiatives.
> Seems like that role could very easily be amended to support this for
> projects we deem valuable enough to put a bounty on.  Seems to me like the
> problem here is that you have one guy willing to do the work because right
> now he's doing it for free.  If you place a bounty on the work (either dev
> or QA), I'm guessing that you'll have a line of people wanting to collect
> on it.  Might even be a potential source of (minor) revenue for a company
> who has spare contractor hours.  Trust me....if the idea were that complex,
> then Metasploit wouldn't be using it for exploit bounties.  The hardest
> part is guesstimating at LOE and assigning a dollar value to that.
>
> ~josh
>
>
> On Wed, Jan 16, 2013 at 10:04 AM, Dave Wichers <dave.wichers at owasp.org> wrote:
>
> This sounds a little complex to me. I wouldn't object to it in the long
> term but this also requires a committed PM to define the tasks and set the
> bounties and Kevin is kind of the last man standing right now.
>
> So, in the short term I'd suggest we pay him the $5K.
>
> In the longer term, we could ask him to see if he wants to define tasks
> and set bounties for them. But then someone would have to verify they were
> implemented correctly and award the bounties, which probably would be Kevin.
>
>
> I don't know if Chris Schmidt would be willing to volunteer his time to
> at least review such deliveries. I know he doesn't have serious time to
> develop on ESAPI anymore because we (Aspect) have him buried in getting
> our first commercial software product out the door.
>
>
> -Dave
>
> From: owasp-board-bounces at lists.owasp.org [mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Josh Sokol
> Sent: Wednesday, January 16, 2013 9:37 AM
> To: Samantha Groves
> Cc: OWASP Foundation Board List
> Subject: Re: [Owasp-board] ESAPI
>
>
> I'm concerned about the approach of paying for people rather than for
> features.  I'm sure Kevin is doing a lot, but giving him $X to do something
> seems like we're favoring the individual to do something.  Wouldn't it be
> better if we took an approach simil
>
>