[Owasp-leaders] (New Version of O2 Subscription model) Re: O2 Platform Subscription Model

dinis cruz dinis.cruz at owasp.org
Fri Oct 1 12:08:32 EDT 2010

Hi, firstly I would like to thank you for your support in this thread (especially
Michael, who provided a great analysis (included below)).

Following the feedback provided (namely that you were OK with the
Subscription model but asked to remove the OWASP membership stuff), I've
just launched an updated model which you can read on this blog entry:
Update on O2 Subscription (see also O2 - Commercial Services).

(As with the previous version please note that this is an OWASP experiment.
We are trying to figure out a funding model for OWASP Projects (with O2
leading the way, but more to follow))

Now that I have been living with this idea for a while (and the fact that
finally people understand my answer to *'What is O2 and what are you
selling?'*) I think that the *'Open Source Tool/API Customization per
Subscriber'* model (where each subscriber gets a targeted version) could
actually be a great funding model not only for OWASP projects but also for
other Open Source projects/APIs (including the many that O2
consumes/exposes). What do you think?

Dinis Cruz

On 10 August 2010 18:53, Michael Coates <michael.coates at owasp.org> wrote:

> To my knowledge, this is the first OWASP project that has attempted a
> financing model. It is important for us (OWASP leaders) to be open and
> communicate the correct ways for OWASP projects to offer services that are
> not free. Below I've included the OWASP principles and my thoughts on their
> relation to Dinis's idea.
>
> OWASP Principles -
> http://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project
>
> *Free & Open*
> As Dinis mentioned, his code is open to everyone at no charge. The O2 tool
> can be downloaded and used without paying any of the subscription fees. No
> problem here.
>
> *Governed by rough consensus & running code*
> Not relevant to this issue except that the overall consensus of the OWASP
> leaders should be considered.
>
> *Abide by a code of ethics*
> No problems here.
>
> *Not-for-profit*
> OWASP itself is not for profit. But what about individual projects? The O2
> project is rightfully (in my opinion) charging for Dinis's time to offer
> premium support to commercial customers. Many of us, Dinis included,
> volunteer large amounts of time to OWASP. However, volunteering and
> providing commercial grade support are two totally different things. This is
> a fine move in my opinion. Many companies will not adopt an open source
> software if a formal support policy cannot be established. So although I
> don't personally have any problems here, how do we reconcile this situation
> with our principles? Perhaps the answer is related to point #2 (rough
> consensus) and this sort of email discussion.
>
> *Not driven by commercial interests*
> Although O2 technically would become "commercial" in a small way I don't
> see any problem here. This item is meant to address the overall objectivity
> of OWASP in always promoting the best security advice that is not tainted by
> a particular company's motivation.
>
> *Risk based approach*
> Not a problem. In fact O2 reinforces this principle.
>
> Overall I think Dinis's approach to a subscription model for support is not
> a problem. This model is used by other open source organizations such as Red
> Hat (https://www.redhat.com/wapps/store/catalog.html). In fact, if we want
> OWASP to continue to grow then I think we need to support these types of
> initiatives. Otherwise our tools and processes may be ignored by many
> companies that require these types of formal relationships.
>
> However, I do have concerns about bundling OWASP membership with the
> subscription plan. On one hand it does help get more companies involved
> with OWASP (yay) but on the other it undermines Dinis's final disclaimer of
> "Note that this is NOT a service provided by OWASP and the OWASP foundation
> has no direct involvement or responsibility in the delivery or fulfillment
> of these subscriptions".
>
> Are we happy with this bundling model? Consider company X that offers a web
> security scanning service. The service itself may be awesome or total
> garbage. Either way, would we be happy with a big commercial entity offering
> a subscription plan that included OWASP corporate membership? Presumably the
> company would just subtract $5k from their subscription fee and use that to
> cover the OWASP corporate supporter cost to OWASP.
>
> In the end OWASP is getting more corporate supporters, but we are doing
> that at the expense of our OWASP brand. I think this is a long term loss
> for OWASP - since our brand and vendor neutral stance is what makes OWASP
> awesome and a trusted source for information.
>
> *Conclusion*
>
> - I support Dinis's plan to offer a subscription service for commercial
> support of O2 and believe this type of model is necessary to take OWASP
> projects to the next level
> - I believe this is in line with OWASP principles
> - I don't support the bundling of OWASP membership with a subscription
> plan. I believe bundling will ultimately weaken the OWASP brand (not because
> of Dinis's use with O2, but because of the future uses that would occur as a
> result of this precedent)
>
> *Thoughts from others?*
>
> Michael Coates
>
> On 8/10/10 7:18 AM, dinis cruz wrote:
>
> Hi
>
> Yesterday I just posted/blogged about one of the final pieces of the O2
> Platform business model: a subscription model for companies that wish to
> provide commercial services around O2 and need proper support from the O2
> Platform main developers.
>
> You can read the details here
> http://diniscruz.blogspot.com/2010/08/new-o2-subscription-model.html and as
> with the O2 Pledges (http://o2platform.com/wiki/O2_Pledges) this is a first
> experiment at trying to create a funding model for Open Source development
> (which should eventually be replicated by a number of other OWASP projects).
>
> As you will see in the Subscription model, I added a number of
> OWASP-related items since I think that it should be easier for companies to
> join OWASP as a member if they do it via active participation on an OWASP
> Project.
>
> I also think (please confirm) that what I'm proposing is 100% compatible
> with OWASP's values and licensing model (all code is open and the only
> 'closed items' are either customer specific (and most likely could never be
> published anyway) or are 'time sensitive').
>
> Let me know what you think
>
> Dinis Cruz