[Owasp-leaders] Should OWASP projects (and in particular ZAP) aim to leave the OWASP nest?

Mike Goodwin mike.goodwin at owasp.org
Wed Dec 2 17:15:17 UTC 2015


>
> Now I'm just going to sit back and watch the flame war ensue. ;-)


Flame war? Surely not? Paying people to work on OSS works for other
organisations (Joyent, HortonWorks, Mozilla, etc.). Why not OWASP? Does our
charitable status somehow prevent it?

On 2 December 2015 at 16:56, Tim <tim.morgan at owasp.org> wrote:

>
>
> > I believe a significant reason OWASP isn't a good home for many projects
> is
> > that we are unable to spend funds on people's time.
>
> I have agreed with this for quite some time.  While I also understand
> the reasoning on why it is dangerous to pay "volunteers", we aren't
> going to get nearly as much done if people aren't compensated for
> their time at some level.
>
> Case in point: I work for myself as a consultant.  I believe in the
> OWASP mission and I'm still naive enough to think I can make a
> difference.  I could easily carve out weeks of time in my schedule for
> OWASP, since I control my own calendar.  This could allow me to get
> tons of great work done on projects.  But when it comes to paying
> the bills, I have a hard time justifying to myself (and my wife)
> spending more than a handful of hours on OWASP each month.
>
> Is there a way we can compensate people involved in projects for very
> specific tasks?  Including project leaders?  Suppose project leaders
> carefully define what it is they are trying to achieve and there was
> an oversight system in place to ensure funds aren't wasted.  Could
> something like that work?  How much would we need to invest in
> oversight time?  How can we avoid nepotism?  I don't know the answers
> here, or how it would work specifically, but I think it would make
> sense for *some* tasks on *some* projects.
>
> The alternative is what we are doing right now:  Expect people to
> carve out time in their schedules for free.  Unfortunately, security
> is in high demand, so our most talented security people often have no
> free time.  Some "volunteers" find ways to compensate themselves
> through conflicts of interest.  (E.g.: hijacking the OWASP brand to
> benefit their own companies.)  That may still happen no matter what we
> do, but we can get a lot more done within a structure of oversight if
> we modestly compensate trustworthy contributors.
>
> Now I'm just going to sit back and watch the flame war ensue. ;-)
> tim



-- 
*Mike Goodwin*
OWASP Newcastle UK Chapter Leader
<https://www.owasp.org/index.php/Newcastle>
OWASP Threat Dragon Project Leader
<https://github.com/mike-goodwin/owasp-threat-dragon>