[Owasp-cert] Deadlines for August

Leigh Honeywell leigh at hypatia.ca
Mon Jul 28 19:10:24 EDT 2008

Furthermore, what if the employer we are concerned with is the previous
one that a volunteer worked for, not their current employer?  Are we
going to require CVs from everyone?

I don't think there's anyone on this list who doesn't "care for the
team", James, but the question is what the appropriate way to do the due
diligence is for the particular needs of this project.  I suggest we all
quit batting this back and forth and go find an IP and/or labour lawyer :)


On Mon, Jul 28, 2008 at 06:06:43PM -0500, Matthew Chalmers wrote:
> No need to play the emotional trump card...I'm just not convinced asking for
> employer or email from work is going to guarantee anything (although the
> latter is a bit better 'proof' of employer). Someone can volunteer his/her
> employer and submit content in good faith or with good intentions but we
> could still be told by that employer that the content is theirs because they
> own all the IP the employee creates whilst in their employ, or something
> similar--perhaps merely by saying "this is my submission" and "this is my
> employer" in the same context means, to the employer, that the content
> belongs to the employer. Or maybe people will lie and submit content saying
> they work for Spacely Sprockets when they actually work for Cogswell Cogs.
> Or maybe someone really does work for Whizlabs or something similar but
> wants to participate--are you saying they can't, even with their employer's
> permission? Either way does it matter if the individual created the content?
> Matt
> On Mon, Jul 28, 2008 at 5:34 PM, <james at architectbook.com> wrote:
> > Could you imagine if someone joined our project where we didn't know their
> > employer or even that they are really who they say they are and discover
> > this employee works for Whizlabs or some other entity that sells test
> > questions? It would mean that our process is flawed and more importantly
> > would probably result in invalidating all the hard work done by others.
> >
> > How about a compromise where the sole confirmation I need is an email from
> > their work email indicating that all is well. Sorry, for caring about the
> > team...
> >
> > -------- Original Message --------
> > Subject: Re: [Owasp-cert] Deadlines for August
> > From: "Matthew Chalmers" <matthew.chalmers at owasp.org>
> > Date: Mon, July 28, 2008 3:57 pm
> > To: james at architectbook.com
> > Cc: owasp-cert at lists.owasp.org
> >
> >  Ah, that makes more sense now, thanks for clarifying. There might be some
> > problems, though.
> >
> > 1. Some people will decline to submit exam content--possibly content which
> > could be great for the exam--because they're required to provide their
> > company name but can't (some people will ask their company and the company
> > will say no) or don't want to, for whatever reason, valid or no. This also
> > makes OWASP appear not as "free and open." The only way I see around this is
> > to have everyone who submits content sign or agree to some kind of waiver
> > which states they created what they are submitting and can be held
> > personally responsible if otherwise; however, this will still cause some
> > people to decline to submit content.
> >
> > 2. Some companies that are surprised to find their name associated with
> > this project or OWASP may attempt to take action against OWASP or the
> > individual from the company. It may be as simple as asking us to remove
> > their name but it could be worse, for OWASP or the individual who had the
> > best intentions and was just doing what OWASP said.
> >
> > 3. We may need our own privacy policy for this project. No other OWASP
> > project I'm aware of requires volunteers to give their company name because
> > it's irrelevant. Sure OWASP in general would like to have respected company
> > names associated with its work, as you indicated, but it's never been
> > compulsory. If we require content submitters to submit anything--at
> > all--other than the exam content they've come up with, that we intend to use
> > somehow other than perhaps storing away in a database (which has its own
> > concerns), we may need to have a disclosure statement about how we intend to
> > use that info. So this is legal document/contract number 2, or maybe 3 (see
> > #1 above). And we know you really, really, really, really, really, hate
> > NDAs. ;-)
> >
> > There may be other problems I haven't thought of...
> >
> > Matt
> >
> >
