[Owasp-leaders] Why OWASP can't pay OWASP Leaders

Tobias tobias.gondrom at owasp.org
Wed Apr 11 03:22:43 UTC 2012

I agree with many of Dinis' points, too.
=> OWASP cannot (or in fact must not) pay OWASP leaders.

Best regards, Tobias

On 11/04/12 11:12, Ryan Barnett wrote:
> I agree with many of Dinis' points.
> We have had success with the ModSecurity Core Rule Set project by 
> having my company listed as a project sponsor. Trustwave SpiderLabs 
> gets good visibility and PR and, in turn, they allocate time for me to 
> work on the project. So, in essence I am being paid as the project 
> lead. To Dinis' point though, I am not being paid by OWASP.
> This is a great setup.  I encourage any project leader to see who 
> would most benefit from their project and see if there are any 
> sponsorship options.
> Ryan
> On Apr 10, 2012, at 7:52 PM, Dinis Cruz <dinis.cruz at owasp.org 
> <mailto:dinis.cruz at owasp.org>> wrote:
>> Michael, I was the one that created and executed (initially alone and 
>> then with Paulo) the only Seasons of Code that OWASP did (AoC 2006 
>> <https://www.owasp.org/index.php/OWASP_Autumn_Of_Code_2006>, SoC 
>> 2007 <https://www.owasp.org/index.php/OWASP_Spring_Of_Code_2007>, 
>> SoC 2008 <https://www.owasp.org/index.php/OWASP_Summer_of_Code_2008>), 
>> so I know first-hand what can be done, what works, what doesn't work 
>> and its side effects. In fact it was that experience that made me 
>> have such strong views on this topic.
>> There is a subtle but very key distinction that we need to have in 
>> this thread. And that is the issue of 'OWASP paying OWASP leaders'.
>> Hiring interns or other professionals to work on specific 
>> projects/tasks is fine (especially if they are doing what our OWASP 
>> leaders and contributors don't want to do). The main problem happens 
>> when OWASP leaders can be part of the pool that can be paid by OWASP 
>> (again, nothing wrong with them being paid by a 3rd party to work on 
>> an OWASP Project, like what already happens today).
>> *So why is it very wrong to pay OWASP leaders to work on OWASP projects?*
>> Let's say that there is 2000 USD available to pay an OWASP leader to 
>> work on his project:
>>   * *Changing of the social contract* - The moment money is
>>     introduced, invariably the target individual is going to make a
>>     math calculation (what is his current daily rate? how much does he
>>     earn at the moment? how much does his current boss bill for his
>>     time? etc.). The end result is that we move from a
>>     'contributor' model to a 'service provider' model.
>>       o *'I will do that for free, but won't do it if I am paid'
>>         syndrome* - If one starts to look at OWASP contributions
>>         with a financial angle, then what one would gladly do for
>>         free is now viewed from a completely different angle. I would
>>         strongly recommend the 'Predictably Irrational' book on this
>>         topic, which has tons of great examples of how money doesn't
>>         help (here is a preview of what the author talks about:
>>         http://en.wikipedia.org/wiki/Predictably_Irrational#Being_Paid_vs._A_Friendly_Favor ).
>>         The RSA Animate - Drive: The surprising truth about what
>>         motivates us <http://www.youtube.com/watch?v=u6XAPnuFjJc> is
>>         also a brilliant video/animation on motivation.
>>   * *A rate for a worldwide audience?* - Given the truly global
>>     presence of OWASP, $2000 might not be a lot for a successful
>>     security professional (or conference speaker), but it is good
>>     money in countries like Portugal/Italy, and if you go to
>>     India/China it is a lot. So how do we do this? Surely it doesn't
>>     make any commercial sense (for OWASP) to pay a guy from London or
>>     the US, right? Can't we get a LOT more hours and effort from
>>     somebody that lives in a cheaper country? I'm sure there are
>>     places in the world (or on elance.com <http://elance.com>) where
>>     we can rent a team of workers for $2000 for a month!
>>   * *Prevents multi-national teams from occurring* - What happens
>>     when you want to get a couple of resources involved from different
>>     countries? Are you going to pay them the same? And if not, is
>>     that really sustainable? There is a huge amount of HR theory that
>>     shows that collaborators are much happier (and more productive) when
>>     they don't know how much money their colleagues earn (but how can
>>     you do that in an environment like OWASP where all
>>     financial deals must be disclosed?).
>>   * *A lot more money will be needed* - This is another massive
>>     problem. If we REALLY want to get the best talent, and REALLY
>>     want to take a professional approach, then we will have to buy
>>     the best talent, which is expensive AND will need to be paid a
>>     good rate.
>>     And why should we pay them so much? ... They will deliver, right?
>>     Aren't they the best? Why shouldn't we put 40k or 100k of OWASP's
>>     money in their hands?
>>     Well, apart from the fact that those 100k would not 'create that
>>     super-duper deliverable' (we are talking about big projects with
>>     complex problems that need LOTS of work), the problems I'm
>>     raising here would be dramatically multiplied.
>>   * *Nobody is independent at OWASP* - Here is the catch: it is
>>     impossible to find somebody (or a group) inside OWASP that
>>     has any kind of independence to be able to make a really solid
>>     decision (everybody has an agenda, a pet
>>     project/chapter/conference, a particular vision for what OWASP
>>     should be doing, etc.). So who is going to make the call?
>>   * *Little secret - on the last OWASP Seasons of Code, all (decent)
>>     proposals got funded* - So how did we avoid this problem in the
>>     last OWASP Seasons of Code? I.e. how did we actually select the
>>     OWASP leaders who deserved the funding? In what turned out to be
>>     an amazing feat of maths and mappings, we actually funded every
>>     decent proposal that was submitted (remember that OWASP was MUCH
>>     smaller than it is now, and there was still space for a number of
>>     new OWASP contributors to join the party).
>>   * *'He/she are the ones being paid, THEY should do that' syndrome*
>>     - This is another problem that happens when there is somebody
>>     that clearly is being paid when others are not. Yes, we will still
>>     have this problem when they are paid outside of OWASP, but to be
>>     on the same 'level' as somebody else while they are being paid
>>     really creates a bad vibe.
>>   * *Lots of negative energy is created* - For me the point of the
>>     last Seasons of Code was not to pay people!
>>     It was to motivate them, to empower them and to give them space
>>     inside OWASP.
>>     This is why it was so important to me that no good proposal was
>>     left out, since the objective was to motivate people to do their
>>     best (not to get a group of OWASP contributors to start fighting
>>     each other).
>>   * *It breaks an OWASP Contributor's heart to receive a NO* - We also
>>     had a couple of cases where great OWASP leaders/contributors turned
>>     to the board (where I was at the time) and said: "..Hey, I have
>>     this idea, can you give me 20k / 40k so that I can spend the time
>>     to do it? ... you know I can do it! I have a good track record
>>     !..". And it was pretty obvious that when we didn't support that
>>     idea, that OWASP leader was really not happy.
>>       o *How to say NO to a big contributor* - If OWASP leaders
>>         could be paid by OWASP, it would create situations where it
>>         is very hard to say NO to a big OWASP contributor, even if
>>         maybe he is not as qualified to do the job as the other
>>         candidates (there are always emotions involved).
>>       o *'I could have done better with that money' syndrome* - And
>>         then after the work is done and delivered, the one who got
>>         paid is now a sitting duck for sniper fire that will pick
>>         his/her work apart.
>>       o *What to do when the leaders don't deliver?* - We also had
>>         this on the last OWASP Season of Code, where a couple of really
>>         Large (with a capital L) OWASP contributors took a
>>         good chunk of cash and didn't really do a good job! So what
>>         do you do? Are we really going to buy that fight and shame
>>         that person in public for doing a bad job? Also, how do you
>>         handle other OWASP leaders/contributors that also worked on
>>         that task but didn't get paid?
>>       o *We can't even count the leaders that we have today, can we
>>         review their work?* - At the moment we can't even keep track of
>>         our current projects and still have a lot of project review
>>         work to be done. Are we (OWASP) really in any shape to review
>>         commercial/paid work?
>>   * *What about the other big contributors?* - Also take into account
>>     that there are a number of OWASP leaders who have spent years of
>>     their life working for OWASP projects.
>>       o *For example: my wife would kill me (if other OWASP leaders
>>         got paid)* - I spent 18 months without any pay to work on the
>>         OWASP O2 Platform. I still have debts today from the lack of
>>         income I suffered during that period. My wife was really
>>         unhappy with that (understatement of the century) and my kids
>>         gave me a very hard time. But they supported it, because they
>>         accepted my passion and focus on 'doing the right thing'. I'm
>>         not asking for any money from OWASP, BUT if others are
>>         getting paid, then that would completely change the dynamics
>>         of my relationship with OWASP (at least it would for my wife).
>>       o *What about Jeff and Dave?* - These two even had to use some
>>         of their own money to buy some OWASP assets and release them to
>>         the OWASP community (surely they should be repaid for that?).
>>       o *What about Denis, Andrew, Daniel, Matteo, John ....* (the
>>         list would go on and on and on...)
>>   * *Slippery slope:*
>>       o *What about the conference organizers?* - Shouldn't they also
>>         get a slice of the profit they generate?
>>       o *What about the successful chapters?* - Especially the ones
>>         with lots of attendees and generated funds?
>>       o *What about those hard-working board and committee members?*
>>         - Should they also be paid for their countless hours?
>>       o *This will breed corruption and favouritism* - which is human
>>         nature given the right environment.
>>   * *Killing the golden goose* - If you look carefully, we already
>>     have an amazing capability to 'convince' highly paid individuals
>>     to work for free and dedicate their energy to something they
>>     believe in. For example, if you add up all the 'money' (in time) that
>>     is 'donated' to OWASP every day or month by its leaders,
>>     contributors and participants, you would be amazed (for example, it
>>     would probably cost $1,000,000 ($1M) to pay for the talent that
>>     we were able to assemble at the last Summit, and even then I
>>     don't think that if we were paying the attendees a fee for their
>>     time we would have been able to assemble that crowd).
>>       o *Not paying OWASP leaders is a self-defence mechanism* - Given
>>         the massive web of trust that OWASP has (just add up all its
>>         leaders), it is much easier to trust them with OWASP funds
>>         when they can't pay themselves or a friend (it also
>>         dramatically simplifies the rules of engagement).
>>   * *Let's get 3rd parties to fund those OWASP leaders* - Jeff and
>>     John proposed a great model with the OWASP Project Partnership
>>     Model
>>     <https://docs.google.com/document/d/1ea4jWVDziLcZMTJUC5qW5psWYROpB-oPlqyl4Ei2xHA/edit?hl=en_US>, which
>>     is how we can get OWASP leaders/contributors to be paid for
>>     working on OWASP projects. I don't know who said '..the real
>>     sign of a product's value is when somebody is willing to pay for
>>     it...' but it is very true. In fact, it should be a sign of
>>     maturity and market acceptance, the fact that somebody
>>     (company, government, etc.) is ready to invest in that project.
>>   * *Prevents OWASP from finding better solutions (to money)* -
>>     Finally, this is (for me) the key reason why paying OWASP leaders
>>     is a very BAD idea.
>>     *We (OWASP) need to figure out what are the social/commercial
>>     models that work for OWASP (and make us productive).*
>>     Clearly contributing to OWASP makes business sense. If it didn't,
>>     we wouldn't have the sustainability and energy we have.
>>     There are countless stories of OWASP leaders getting better jobs,
>>     being promoted, increasing their income, learning key skills,
>>     etc... There are also a number of companies that regularly
>>     support OWASP. They don't do it because they want to be nice,
>>     they do it because it makes commercial sense to them.
>>     *So what we REALLY need to do is to rationalize what makes OWASP
>>     work, and see if we can improve the current model, so that we can
>>     have more and more people being paid to work on OWASP activities.*
>> I could continue, but hopefully some of these points will clarify why 
>> OWASP can't pay OWASP leaders.
>> Wrapping up, this is actually a great opportunity to move OWASP to 
>> the next level.
>> Dinis Cruz
>> On 11 April 2012 00:04, Michael Coates <michael.coates at owasp.org 
>> <mailto:michael.coates at owasp.org>> wrote:
>>>     The key issue that we need to agree and move on (so that we find
>>>     solutions), is that *'Stimulating those projects by paying OWASP
>>>     Leaders to work on it is NOT an option'*
>>     I'd like to understand why not.
>>     If we can set aside money that is for a season of code style
>>     funding, or is used for research interns to work on projects,
>>     then it seems like a good move.  The end result is high quality
>>     security material that is free and open to the world.  I am also
>>     happy with the idea of bringing in fresh new graduates to dive
>>     deeper into security areas.  Combined with established and
>>     experienced leaders you can get some great results.
>>     There are a variety of ways to structure this pay.  It doesn't
>>     have to be an actual outsource setup where we are attempting to
>>     compete with the market. I felt like the summer of code we held
>>     was a good method. It provided a bit of a financial incentive and
>>     set up deadlines, deliverables and expectations in order to be
>>     considered a success.
>>     The end goal is to provide free and open source security
>>     materials, tools, etc.  I'd rather explore a variety of options
>>     instead of claiming that we can't fund research/development for
>>     these projects in some way.
>>     -------
>>     Michael Coates | OWASP
>>     michael.coates at owasp.org | @_mwc
>>     On Apr 10, 2012, at 11:00 AM, Dinis Cruz wrote:
>>>     Nobody is saying that we shouldn't stimulate those projects (of
>>>     course we should).
>>>     The question is how?
>>>     The key issue that we need to agree and move on (so that we find
>>>     solutions), is that *'Stimulating those projects by paying OWASP
>>>     Leaders to work on it is NOT an option'*.
>>>     Once we accept that (and it looks like we haven't reached
>>>     consensus), I think there are a lot of ideas and things we should
>>>     do to stimulate these projects.
>>>     That said, the energy MUST come from the projects (OWASP is an
>>>     enabler).
>>>     Dinis Cruz
>>>     On 10 April 2012 18:50, Eoin <eoin.keary at owasp.org
>>>     <mailto:eoin.keary at owasp.org>> wrote:
>>>>     Chris,
>>>>     Not sure if you're simplifying things, to be honest....
>>>>     Can you say the Testing Guide is also not important based on
>>>>     this logic?
>>>>     I certainly want the community to pick what is important, but
>>>>     there are millions of developers who are not part of the
>>>>     community, never heard of OWASP and don't understand secure app
>>>>     dev.
>>>>     Shall we deny them such resources, talent and free information
>>>>     because OWASP did not bother to focus, stimulate or drive such
>>>>     projects?
>>>>     -ek
>>>>     On 10 April 2012 18:42, Chris Schmidt <chris.schmidt at owasp.org
>>>>     <mailto:chris.schmidt at owasp.org>> wrote:
>>>>>     I think that statement is fine and dandy for an organization like
>>>>>     Hibernate (which is one of your examples of this, I think).
>>>>>     Hibernate and SpringSource both have full-time employees that
>>>>>     work on their open-source software for competitive full-time
>>>>>     wages. This is a totally different situation. Our funds are much
>>>>>     more limited in this scenario and I believe it is much more
>>>>>     worthwhile for the project leaders to come to the organization
>>>>>     with specific proposals about requests for funds and what they
>>>>>     intend to use them for, as opposed to the organization
>>>>>     determining that these *n* projects will now be *paid* sub-par
>>>>>     rates.
>>>>>     To John's point, if the Dev Guide is truly an important project,
>>>>>     then why hasn't there been more of a demand for it and why hasn't
>>>>>     someone just picked it up and gotten it done by now? We may think
>>>>>     it is important, and I agree that at one point it probably was,
>>>>>     but if there is no energy behind a project, simply throwing money
>>>>>     at it doesn't solve the bigger problem. It may slow the bleeding,
>>>>>     it may even result in a new finished product, but what is our
>>>>>     return on that product (not purely financially speaking),
>>>>>     especially if there is not an industry need for it any more
>>>>>     b/c things like the Cheat Sheets series have basically replaced
>>>>>     them?
>>>>>     There are really an infinite number of reasons that throwing
>>>>>     money at projects and project leaders is generally a bad idea;
>>>>>     I'm sure I don't need to iterate all of them.
>>>>>     If we are going to pay developers FT or contractor wages to work
>>>>>     on a project, that is a completely different story; however, that
>>>>>     was not what I got out of the whole thing. We want to pay the
>>>>>     existing project teams a stipend to motivate them to do the work
>>>>>     they already signed up to do as volunteers and have neglected to
>>>>>     do. This in essence, as I already stated, is rewarding inactive
>>>>>     project leaders and members for bad behavior.
>>>>>     On 4/10/2012 11:09 AM, Jim Manico wrote:
>>>>>>>     Open source and public domain comes from the spirit and will of
>>>>>>>     volunteers.
>>>>>>     This is not entirely true. Some of the most successful and
>>>>>>     production-quality open source projects have major financial
>>>>>>     backing.
>>>>>>     There is nothing in the "mission" of OWASP that prevents us
>>>>>>     from using funds to update core guides that help spread AppSec
>>>>>>     awareness.
>>>>>>     But I think the risk of letting more time go by where our
>>>>>>     flagship projects continue to wane, that's a big problem that
>>>>>>     is directly counter to what we should be doing.
>>>>>>     --
>>>>>>     Jim Manico
>>>>>>     (808) 652-3805
>>>>>>     On Apr 10, 2012, at 5:30 AM, John Wilander
>>>>>>     <john.wilander at owasp.org> wrote:
>>>>>>>     Open source and public domain comes from the spirit and will of
>>>>>>>     volunteers.
>>>>     --
>>>>     Eoin Keary
>>>>     OWASP Global Board Member (Vice Chair)
>>>>     https://twitter.com/EoinKeary
>>>>     _______________________________________________
>>>>     OWASP-Leaders mailing list
>>>>     OWASP-Leaders at lists.owasp.org
>>>>     <mailto:OWASP-Leaders at lists.owasp.org>
>>>>     https://lists.owasp.org/mailman/listinfo/owasp-leaders
