[Owasp-leaders] Should OWASP projects (and in particular ZAP) aim to leave the OWASP nest?

Eoin Keary eoin.keary at owasp.org
Wed Dec 2 17:16:14 UTC 2015

Good thoughts Tim & Andrew.
We have discussed funding many many times and we never move beyond that.

I believe funding or grants is the way to go, not only via some "summer of code" but ongoing. 

I'm unsure what zap might gain by leaving OWASP but it may not have the opportunity via conferences and events that it currently has, if it departs? I don't know.

The Mozilla model is great, non-profit funding things like zap. Should we not evolve and do something similar?  Does the foundation have the funds?

Eoin Keary
OWASP Volunteer

> On 2 Dec 2015, at 4:56 p.m., Tim <tim.morgan at owasp.org> wrote:
>> I believe a significant reason OWASP isn't a good home for many projects is
>> that we are unable to spend funds on people's time.
> I have agreed with this for quite some time.  While I also understand
> the reasoning on why it is dangerous to pay "volunteers", we aren't
> going to get nearly as much done if people aren't compensated for
> their time at some level.
> Case in point: I work for myself as a consultant.  I believe in the
> OWASP mission and I'm still naive enough to think I can make a
> difference.  I could easily carve out weeks of time in my schedule for
> OWASP, since I control my own calendar.  This could allow me to get
> tons of great work done on projects.  But when it comes to paying
> the bills, I have a hard time justifying to myself (and my wife)
> spending more than a handful of hours on OWASP each month.
> Is there a way we can compensate people involved in projects for very
> specific tasks?  Including project leaders?  Suppose project leaders
> carefully define what it is they are trying to achieve and there was
> an oversight system in place to ensure funds aren't wasted.  Could
> something like that work?  How much would we need to invest in
> oversight time?  How can we avoid nepotism?  I don't know the answers
> here, or how it would work specifically, but I think it would make
> sense for *some* tasks on *some* projects.
> The alternative is what we are doing right now:  Expect people to
> carve out time in their schedules for free.  Unfortunately, security
> is in high demand, so our most talented security people often have no
> free time.  Some "volunteers" find ways to compensate themselves
> through conflicts of interest.  (E.g.: hijacking the OWASP brand to
> benefit their own companies.)  That may still happen no matter what we
> do, but we can get a lot more done within a structure of oversight if
> we modestly compensate trustworthy contributors.
> Now I'm just going to sit back and watch the flame war ensue. ;-)
> tim
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20151202/86d47d8c/attachment.html>

More information about the OWASP-Leaders mailing list