[Owasp-cert] Deadlines for August

Matthew Chalmers matthew.chalmers at owasp.org
Mon Jul 28 19:06:43 EDT 2008


No need to play the emotional trump card...I'm just not convinced asking for
employer or email from work is going to guarantee anything (although the
latter is a bit better 'proof' of employer). Someone can volunteer his/her
employer and submit content in good faith or with good intentions but we
could still be told by that employer that the content is theirs because they
own all the IP the employee creates whilst in their employ, or something
similar--perhaps merely by saying "this is my submission" and "this is my
employer" in the same context means, to the employer, that the content
belongs to the employer. Or maybe people will lie and submit content saying
they work for Spacely Sprockets when they actually work for Cogswell Cogs.
Or maybe someone really does work for Whizlabs or something similar but
wants to participate--are you saying they can't, even with their employer's
permission? Either way does it matter if the individual created the content?

Matt

On Mon, Jul 28, 2008 at 5:34 PM, <james at architectbook.com> wrote:

> Could you imagine if someone joined our project where we didn't know their
> employer or even that they are really who they say they are and discover
> this employee works for Whizlabs or some other entity that sells test
> questions? It would mean that our process is flawed and more importantly
> would probably result in invalidating all the hard work done by others.
>
> How about a compromise where the sole confirmation I need is an email from
> their work email indicating that all is well. Sorry for caring about the
> team...
>
> -------- Original Message --------
> Subject: Re: [Owasp-cert] Deadlines for August
> From: "Matthew Chalmers" <matthew.chalmers at owasp.org>
> Date: Mon, July 28, 2008 3:57 pm
> To: james at architectbook.com
> Cc: owasp-cert at lists.owasp.org
>
> Ah, that makes more sense now, thanks for clarifying. There might be some
> problems, though.
>
> 1. Some people will decline to submit exam content--possibly content which
> could be great for the exam--because they're required to provide their
> company name but can't (some people will ask their company and the company
> will say no) or don't want to, for whatever reason, valid or no. This also
> makes OWASP appear not as "free and open." The only way I see around this is
> to have everyone who submits content sign or agree to some kind of waiver
> which states they created what they are submitting and can be held
> personally responsible if otherwise, however, this will still cause some
> people to decline to submit content.
>
> 2. Some companies that are surprised to find their name associated with
> this project or OWASP may attempt to take action against OWASP or the
> individual from the company. It may be as simple as asking us to remove
> their name but it could be worse, for OWASP or the individual who had the
> best intentions and was just doing what OWASP said.
>
> 3. We may need our own privacy policy for this project. No other OWASP
> project I'm aware of requires volunteers to give their company name because
> it's irrelevant. Sure OWASP in general would like to have respected company
> names associated with its work, as you indicated, but it's never been
> compulsory. If we require content submitters to submit anything--at
> all--other than the exam content they've come up with, that we intend to use
> somehow other than perhaps storing away in a database (which has its own
> concerns), we may need to have a disclosure statement about how we intend to
> use that info. So this is legal document/contract number 2, or maybe 3 (see
> #1 above). And we know you really, really, really, really, really, hate
> NDAs. ;-)
>
> There may be other problems I haven't thought of...
>
> Matt
>
>