[Owasp-leaders] Why it's ok to pay leaders

Kenneth Van Wyk ken at krvw.com
Thu Apr 12 17:53:38 UTC 2012

Hi Dinis (et al),

On Apr 12, 2012, at 10:40 AM, Dinis Cruz wrote:
> Well, I listed about 14 reasons why this is a bad idea (on an email on this thread and also posted on my blog: http://diniscruz.blogspot.co.uk/2012/04/why-owasp-cant-pay-owasp-leaders.html)

I've read every one of your points, and I (for one) don't believe I agree with a single one, FWIW. I say that with due respect for your work and your efforts with OWASP and beyond.

Many organizations produce open source code and still pay the contributors for their efforts. OWASP would be among hundreds of organizations with employees -- full time, part time, contractors, etc. -- that pay their employees for their work and still release open source code. Google, Oracle, Microsoft, Apple, etc., have all underwritten open source projects by having their employees (who are being paid salaries (gasp)) work on them. Heck, my little company has paid developers for their work and released the resulting code into OWASP's project pool.

> The problem is always with details, and for example, Ken what you describe in "...fair and equitable selection process, with appropriate checks and balances, removal of conflicts of interest..." is just about impossible to do at OWASP...

If OWASP can't create a fair and equitable selection process, how on earth did it ever undertake its summer of code efforts? Were those selections not equitable or fair? Is that what you're saying?

If this organization can't put together a fair and equitable process for selecting contracted labor, the problem isn't in _paying_ people -- it is in fact far deeper.

On Apr 12, 2012, at 11:05 AM, Dennis Groves wrote:
> You seem to fail to understand that OWASP has been down this route of paying its leaders at least twice and it failed both times. 

To say that it can't be done because it's never worked before is a defeatist attitude that I can't possibly debate. You win.

> Once you go down that route you destroy OWASP's meritocracy and cease to be an open social organization.

How on earth does paying someone for labor constitute a closed organization? To put it differently, why can't an organization both pay its contracted labor as well as be open? I see absolutely nothing that should preclude that.

If the process is fair and _open_, where's the problem?

> And in my point of view, that inability to implement such "...fair and equitable selection process, with appropriate checks and balances, removal of conflicts of interest..." is one of OWASP's strongest assets and self-control mechanisms.

Wow, really?

> Can I again remind you that we even don't have a project manager and can manage our current projects/process/workflows 

The point is moot. Nor does another non-profit I serve on as a director of its board. (FIRST -- see http://first.org) Yet we contract out all the time. Our selection process is both fair and equitable. We've done it successfully for years. We release documents, standards (e.g., CVSS), etc., that are open source. In no way do I agree that these notions are in any way incompatible with one another.

Sorry folks, I just don't see any of this to be a problem. Paying people for their labor is completely compatible with a meritocracy and openness. It needs to be done carefully and be fair beyond reproach, but it is entirely achievable in my humble opinion.

If there is money to fund labor, I for one would cheer that as a sign of OWASP's continued success. I would applaud paying people to do even more work for the organization -- and have the fruits of their labor shared under an open source license. I would expect these people to be selected based entirely on their (and their projects') merit. I would love to see some of my friends -- including some "OWASP Leader" -- to be among those whose projects are selected for funding. I would say that OWASP has grown up.

On the other hand, should OWASP decide to NOT pay "OWASP Leaders", but accept paying others, I would expect that far fewer people would ever want to be OWASP Leaders, as it would preclude them from being remunerated for their labors (by OWASP). That, by my thinking, would be a travesty.

Enough of this silliness. Back to some real (revenue producing -- gasp) work.


