[Owasp-board] ESAPI

Jim Manico jim.manico at owasp.org
Sun Jan 20 20:18:55 UTC 2013

What about funds that are grants for specific projects? How about using
those funds to move projects along?

There is nothing in our bylaws preventing us from paying folks to work on
projects, and we have done it in the past. I agree we need to be careful
about this.

And last, my goal is project integrity. ESAPI is not active but we bill it
as a production ready project. I think we need to EITHER pay someone to
maintain/update it or re-evaluate the project's "release" status.

Jim Manico
(808) 652-3805

On Jan 20, 2013, at 2:43 AM, Jason Li <jason.li at owasp.org> wrote:

Agreed that we should focus on achievable, actionable goals rather than
open ended "pay developer $5k to 'work' on the project".

While philosophically, there's some contention about paying leaders, even
back when we DID pay leaders (e.g. Seasons of Code), it was for a specific
action plan.

I don't see how OWASP can ensure it gets some value any other way than to
have some kind of specific goal deliverable - whether it's a feature, bug
fix, etc.


On Thursday, January 17, 2013, Tom Brennan wrote:

> Like the bounties on projects personally. Aligned with strategic annual
> investments for projects (budgeted investment) this measurable with results.
> On Jan 17, 2013, at 10:58 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
> Complex?  I would think that the project already has a list of bugs and
> features that we'd like to further develop.  It wouldn't take much to
> assign a value to those based on a very basic LOE which I'd imagine Kevin
> could provide fairly easily.  And in terms of a committed PM, I thought
> that OWASP hired someone (Samantha?) to help run the project initiatives.
> Seems like that role could very easily be amended to support this for
> projects we deem valuable enough to put a bounty on.  Seems to me like the
> problem here is that you have one guy willing to do the work because right
> now he's doing it for free.  If you place a bounty on the work (either dev
> or QA), I'm guessing that you'll have a line of people wanting to collect
> on it.  Might even be a potential source of (minor) revenue for a company
> who has spare contractor hours.  Trust me....if the idea were that complex,
> then Metasploit wouldn't be using it for exploit bounties.  The hardest
> part is guesstimating at LOE and assigning a dollar value to that.
> ~josh
> On Wed, Jan 16, 2013 at 10:04 AM, Dave Wichers <dave.wichers at owasp.org> wrote:
> This sounds a little complex to me. I wouldn’t object to it in the long
> term but this also requires a committed PM to define the tasks and set the
> bounties and Kevin is kind of the last man standing right now.
> So, in the short term I’d suggest we pay him the $5K.
> In the longer term, we could ask him to see if he wants to define tasks
> and set bounties for them. But then someone would have to verify they were
> implemented correctly and award the bounties, which probably would be Kevin.
> I don’t know if Chris Schmidt would be willing to volunteer his time to
> at least review such deliveries. I know he doesn’t have serious time to
> develop on ESAPI anymore because (we (Aspect)) have him buried in getting
> our first commercial software product out the door.
> -Dave
> From: owasp-board-bounces at lists.owasp.org [mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Josh Sokol
> Sent: Wednesday, January 16, 2013 9:37 AM
> To: Samantha Groves
> Cc: OWASP Foundation Board List
> Subject: Re: [Owasp-board] ESAPI
> I'm concerned about the approach of paying for people rather than for
> features.  I'm sure Kevin is doing a lot, but giving him $X to do something
> seems like we're favoring the individual to do something.  Wouldn't it be
> better if we took an approach simil