[Owasp-leaders] Should OWASP projects (and in particular ZAP) aim to leave the OWASP nest?

Tim tim.morgan at owasp.org
Wed Dec 2 16:56:50 UTC 2015

> I believe a significant reason OWASP isn't a good home for many projects is
> that we are unable to spend funds on people's time.

I have agreed with this for quite some time.  While I also understand
the reasoning on why it is dangerous to pay "volunteers", we aren't
going to get nearly as much done if people aren't compensated for
their time at some level.

Case in point: I work for myself as a consultant.  I believe in the
OWASP mission and I'm still naive enough to think I can make a
difference.  I could easily carve out weeks of time in my schedule for
OWASP, since I control my own calendar.  This could allow me to get
tons of great work done on projects.  But when it comes to paying
the bills, I have a hard time justifying to myself (and my wife)
spending more than a handful of hours on OWASP each month.

Is there a way we can compensate people involved in projects for very
specific tasks?  Including project leaders?  Suppose project leaders
carefully defined what it is they are trying to achieve and there was
an oversight system in place to ensure funds aren't wasted.  Could
something like that work?  How much would we need to invest in
oversight time?  How can we avoid nepotism?  I don't know the answers
here, or how it would work specifically, but I think it would make
sense for *some* tasks on *some* projects.

The alternative is what we are doing right now:  Expect people to
carve out time in their schedules for free.  Unfortunately, security
is in high demand, so our most talented security people often have no
free time.  Some "volunteers" find ways to compensate themselves
through conflicts of interest.  (E.g.: hijacking the OWASP brand to
benefit their own companies.)  That may still happen no matter what we
do, but we can get a lot more done within a structure of oversight if
we modestly compensate trustworthy contributors.

Now I'm just going to sit back and watch the flame war ensue. ;-)