[Owasp-leaders] Should OWASP projects (and in particular ZAP) aim to leave the OWASP nest?

Eoin Keary eoin.keary at owasp.org
Wed Dec 2 17:18:38 UTC 2015


Snap!

Eoin Keary
OWASP Volunteer
@eoinkeary



On 2 Dec 2015, at 5:15 p.m., Mike Goodwin <mike.goodwin at owasp.org> wrote:

>> Now I'm just going to sit back and watch the flame war ensue. ;-)
> 
> Flame war? Surely not? Paying people to work on OSS works for other organisations (Joyent, HortonWorks, Mozilla, etc.). Why not OWASP? Does our charitable status somehow prevent it?
> 
>> On 2 December 2015 at 16:56, Tim <tim.morgan at owasp.org> wrote:
>> 
>> 
>> > I believe a significant reason OWASP isn't a good home for many projects is
>> > that we are unable to spend funds on people's time.
>> 
>> I have agreed with this for quite some time.  While I also understand
>> the reasoning on why it is dangerous to pay "volunteers", we aren't
>> going to get nearly as much done if people aren't compensated for
>> their time at some level.
>> 
>> Case in point: I work for myself as a consultant.  I believe in the
>> OWASP mission and I'm still naive enough to think I can make a
>> difference.  I could easily carve out weeks of time in my schedule for
>> OWASP, since I control my own calendar.  This could allow me to get
>> tons of great work done on projects.  But when it comes to paying
>> the bills, I have a hard time justifying to myself (and my wife)
>> spending more than a handful of hours on OWASP each month.
>> 
>> Is there a way we can compensate people involved in projects for very
>> specific tasks?  Including project leaders?  Suppose project leaders
>> carefully define what it is they are trying to achieve and there was
>> an oversight system in place to ensure funds aren't wasted.  Could
>> something like that work?  How much would we need to invest in
>> oversight time?  How can we avoid nepotism?  I don't know the answers
>> here, or how it would work specifically, but I think it would make
>> sense for *some* tasks on *some* projects.
>> 
>> The alternative is what we are doing right now:  Expect people to
>> carve out time in their schedules for free.  Unfortunately, security
>> is in high demand, so our most talented security people often have no
>> free time.  Some "volunteers" find ways to compensate themselves
>> through conflicts of interest.  (E.g.: hijacking the OWASP brand to
>> benefit their own companies.)  That may still happen no matter what we
>> do, but we can get a lot more done within a structure of oversight if
>> we modestly compensate trustworthy contributors.
>> 
>> Now I'm just going to sit back and watch the flame war ensue. ;-)
>> tim
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> 
> 
> 
> -- 
> Mike Goodwin
> OWASP Newcastle UK Chapter Leader
> OWASP Threat Dragon Project Leader