[Owasp-board] ESAPI

Eoin eoin.keary at owasp.org
Sun Jan 20 17:56:19 UTC 2013


Milestones need to be defined as per reboot projects.


Eoin Keary
Owasp Global Board
+353 87 977 2988


On 17 Jan 2013, at 16:58, Jason Li <jason.li at owasp.org> wrote:

> Agreed that we should focus on achievable, actionable goals rather than open ended "pay developer $5k to 'work' on the project".
> 
> While philosophically, there's some contention about paying leaders, even back when we DID pay leaders (e.g. Seasons of Code), it was for a specific action plan.
> 
> I don't see how OWASP can ensure it gets some value any other way than to have some kind of specific goal deliverable - whether it's a feature, bug fix, etc.
> 
> -Jason
> 
> On Thursday, January 17, 2013, Tom Brennan wrote:
>> Like the bounties on projects personally. Aligned with strategic annual investments for projects (budgeted investment), this is measurable with results.
>> 
>> 
>> On Jan 17, 2013, at 10:58 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> 
>>> Complex?  I would think that the project already has a list of bugs and features that we'd like to further develop.  It wouldn't take much to assign a value to those based on a very basic LOE which I'd imagine Kevin could provide fairly easily.  And in terms of a committed PM, I thought that OWASP hired someone (Samantha?) to help run the project initiatives.  Seems like that role could very easily be amended to support this for projects we deem valuable enough to put a bounty on.  Seems to me like the problem here is that you have one guy willing to do the work because right now he's doing it for free.  If you place a bounty on the work (either dev or QA), I'm guessing that you'll have a line of people wanting to collect on it.  Might even be a potential source of (minor) revenue for a company who has spare contractor hours.  Trust me....if the idea were that complex, then Metasploit wouldn't be using it for exploit bounties.  The hardest part is guesstimating at LOE and assigning a dollar value to that.
>>> 
>>> ~josh
>>> 
>>> 
>>> On Wed, Jan 16, 2013 at 10:04 AM, Dave Wichers <dave.wichers at owasp.org> wrote:
>>> This sounds a little complex to me. I wouldn’t object to it in the long term but this also requires a committed PM to define the tasks and set the bounties and Kevin is kind of the last man standing right now.
>>> 
>>> So, in the short term I’d suggest we pay him the $5K.
>>> 
>>> In the longer term, we could ask him to see if he wants to define tasks and set bounties for them. But then someone would have to verify they were implemented correctly and award the bounties, which probably would be Kevin.
>>> 
>>> I don’t know if Chris Schmidt would be willing to volunteer his time to at least review such deliveries. I know he doesn’t have serious time to develop on ESAPI anymore because we (Aspect) have him buried in getting our first commercial software product out the door.
>>> 
>>> -Dave
>>> 
>>> From: owasp-board-bounces at lists.owasp.org [mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Josh Sokol
>>> Sent: Wednesday, January 16, 2013 9:37 AM
>>> To: Samantha Groves
>>> Cc: OWASP Foundation Board List
>>> Subject: Re: [Owasp-board] ESAPI
>>> 
>>> I'm concerned about the approach of paying for people rather than for features.  I'm sure Kevin is doing a lot, but giving him $X to do something seems like we're favoring the individual to do something.  Wouldn't it be better if we took an approach simil
>>> 
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board