[Owasp-leaders] Request for OWASP board to approves 100K for a project Summit in 2016

Tom Brennan tomb at owasp.org
Tue Jun 30 10:59:12 UTC 2015

Isn't this not the focus of Claudia?

We should back up and wait for her observations and recommendations.  I am
looking forward to the first public meeting with her and a podcast with her

On Monday, June 29, 2015, johanna curiel curiel <johanna.curiel at owasp.org>

> Would love to provide my P.O.V. about this discussion ;-)
> 2 years ago, there was a free pass to start projects, anyone could start a
> EMPTY project and make use of funds.
> The result of this action:
> After 2 years 90+ were empty (2 or 3 years without a single deliverable)
> from an inventory of 150 (totally empty at all) and the OWASP inventory was
> a shell of empty wiki pages. It took us 6 months to clean up all this, and
> people misusing the OWASP brand for projects that were empty. We had cases
> where some leaders were even saying they were members of the board!
> We cannot trust blindly everyone to spend money (or even start empty
> projects) without at least explaining what is it for what. This works with
> small group of projects but not for +100 projects.
> I do agree that the situation of 'budget allocation' chapters vs. projects
> is an issue but so difficult to spend money is not.
> I have a full time job and get the time to write a small explanation to
> get funds for an initiative and how and under which conditions. OWASP does
> not ask an entire report to do this. Just a small explanation. The bigger
> the budget, of course you need to explain more the purpose of
> @ Dinis I do respect your pov but definitely we cannot allow this kind of
> free for all. It has been shown that people already abused from this free
> pass and now with more than +100 projects, we need regulations. It didn't
> cost you much to write an email explaining in a sentence what was it for.
> The issue : if you do not explain what is it for, everyone then wants the
> same and becomes chaotic.
> Regards
> Johanna
> On Mon, Jun 29, 2015 at 2:44 PM, Mark Miller <mark.miller at owasp.org> wrote:
>> The full interview with Josh, Andrew and Dinis is now available as an
>> OWASP 24/7 Podcast: OWASP Project Funding
>> <http://www.sonatype.org/nexus/2015/06/29/owasp-project-funding-w-josh-sokol-dinis-cruz-and-andrew-van-der-stock/>
>> w/ Josh Sokol, Dinis Cruz and Andrew van der Stock. I hope you find it
>> helpful to further this discussion. -- Mark
>> On Mon, Jun 29, 2015 at 1:35 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>> >Unsure how to govern this but setting up an empty wiki and not having
>>> any activity for a time after is not a project? Unsure we should fund such
>>> empty vessels :)
>>> No empty vessel, no empty wikis is the motto and has been after the
>>> latest big clean up since 2 years ago. After so many called 'projects' that
>>> were empty (more than 90), we have set as rule that a project must
>>> deliver something based on their road-map, based on the time line provided
>>> by its road-map. We evaluate the project based on the criteria we published
>>> 2 years ago and communicate with the project leader. There is no purpose
>>> or advantage to have an empty wiki or poor content when potential OWASP
>>> users look at your project. We try to focus on a minimum quality because
>>> this goes along with OWASP reputation.
>>> @Mike:
>>> All projects, including incubators have the opportunity to go. Last
>>> Summit KBA-PMP applied to assist the summit @EU, which is an incubator and
>>> they were there, but KBA has been working on its deliverable and are quite
>>> active with meetings and research.
>>> I do not recall you sent me an agenda.
>>> Keep in mind that the Summit is about sharing with other leaders but is
>>> more about getting things done for your own project. So the question is :
>>> What do you want to achieve during those 2 days, what are your targets and
>>> what is your purpose and goals for assisting?
>>> ZAP will not be at this summit so, (and btw Simon was fully sponsored by
>>> his employer as there are others such Appsensor)
>>> You want to participate just like anyone:
>>>    - Create an agenda, send it to me
>>>    - I publish it on the Task force mailing list, we evaluate the
>>>    project. I know that already Timo did a quick review.
>>>    - Describe What do you want to get done during this period
>>>    - We evaluate your project to see how far you are regarding the
>>>    road-map and maturity level
>>>    - We evaluate your proposal and based on this you get the opportunity
>>> Budget is tight so first come first served based on the agenda and
>>> deliverable. Your project is quite new (June 2, 2015). So please bear with
>>> us also that the summit budget allocation is based on how much a project
>>> has delivered.
>>> If you have questions, please let us know
>>> regards
>>> Johanna
>>> On Mon, Jun 29, 2015 at 12:54 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>> Unsure how to govern this but setting up an empty wiki and not having
>>>> any activity for a time after is not a project? Unsure we should fund such
>>>> empty vessels :)
>>>> Eoin Keary
>>>> OWASP Volunteer
>>>> @eoinkeary
>>>> On 29 Jun 2015, at 18:41, Mike Goodwin <mike.goodwin at owasp.org> wrote:
>>>> Hello all,
>>>> I agree that we want to encourage activity and forward progress on
>>>> projects, but does that mean that a summit should only be for established
>>>> projects that have delivered already? I am just in the process of starting
>>>> a new OWASP project - I'm waiting anxiously for its approval by the Project
>>>> Task Force. I'm the sole contributor at the moment,  but I am active on it,
>>>> it has regular code checkins and there is a working prototype that is
>>>> moving forward with a clear goal (it is
>>>> https://www.owasp.org/index.php/OWASP_Threat_Dragon for anyone that
>>>> wants to take a look).
>>>> I would benefit a lot from the experience of other project leaders both
>>>> directly in terms of their opinion on the project and indirectly in terms
>>>> of how to promote a project and build its visibility and eventually its
>>>> user base. I'd love it to be the next ZAP! The time I need that support
>>>> most is now, at the start of the project, rather than once it's already
>>>> succeeded. Or maybe to put it another way, I need a different type of
>>>> support as the leader of an incubator compared to the leaders of flagship
>>>> projects.
>>>> I appreciate that this is a tricky issue. Many organisations and
>>>> businesses suffer from the inability to end projects that have no chance of
>>>> furthering their mission. Given that our projects are volunteer-led, this
>>>> will be even more difficult for us. However, the best companies are the
>>>> ones that can judge where to focus their efforts, keeping a balanced
>>>> portfolio of established products alongside early stage ones. This is an
>>>> extension in some ways of the "risk taking in NFPs" discussion that
>>>> Dinis Cruz raised.
>>>> I'm not sure what the answer is, but I'm pretty sure that I could
>>>> benefit from the experience of meeting and talking with people who have
>>>> already turned incubator projects into flagship ones.
>>>> Thoughts and comments welcome!
>>>> Mike
>>>> On 28 June 2015 at 19:33, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>> 100K can allow us to involve more projects but I believe in
>>>>> regulations.
>>>>> After having reviewed so many projects, there are many people that were
>>>>> starting a project with no content and after a year or 2, an empty wiki
>>>>> page was hanging with the title project, but there was no project content
>>>>> to be found.
>>>>> I don't think we want to sponsor this kind of behaviour.
>>>>> We want to sponsor and support those projects that are working hard to
>>>>> get things done. Recession period is not the point here. It's about
>>>>> starting a project in a wiki page that never comes with a deliverable. But
>>>>> let's also consider that if a project has been inactive for more than 3
>>>>> years and suddenly a project leader wants to 'revive the project', the
>>>>> summit should not be used as a kind of paid vacation and 'by the way'
>>>>> participate in the summit.
>>>>> That's why we need some kind of rules for participation and regulation
>>>>> to avoid abuses.
>>>>> I think we need to make clear that anyone that wants to make use of
>>>>> funds for summits, has to produce a clear deliverable that contributes to
>>>>> their project. That's why now, our rules for starting projects must have
>>>>> some deliverables, but even so, there are still many projects that produce
>>>>> very little and are called projects. Like once Josh said, we should not
>>>>> confuse concepts or ideas and call them projects.
>>>>> I also like the idea of small events based on different regions that
>>>>> are more accessible for project leaders in different regions and time zones.
>>>>> On Sun, Jun 28, 2015 at 2:16 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>>>> Spot on Tobias.
>>>>>> A breakdown of the 100k would be a first step. Do we need 100k or
>>>>>> more/less?
>>>>>> I'm happy to help with this given my decent track record with
>>>>>> flagship projects.
>>>>>> I'd still suggest having more than 1 summit and having them more
>>>>>> frequent globally as projects may need a summit event at different times. -
>>>>>> more frequent and smaller events.
>>>>>> Eoin Keary
>>>>>> OWASP Volunteer
>>>>>> @eoinkeary
>>>>>> On 28 Jun 2015, at 21:00, Tobias <tobias.gondrom at owasp.org> wrote:
>>>>>> I agree. And big thanks to all the interest and voluntary announced
>>>>>> contributions.
>>>>>> It will be great to see all this come to fruition.
>>>>>> And I believe it will also be good to see some basic plan for this to
>>>>>> see how much money we like to spend and how. Some more details down the
>>>>>> road will also help motivate chapters and sponsors even more.
>>>>>> Best regards, Tobias
>>>>>> Ps.: Small addition: if people feel that a committee is too
>>>>>> complicated, we could also handle this as an "initiative". Whatever works
>>>>>> best for the team.
>>>>>> On 28/06/15 19:35, Josh Sokol wrote:
>>>>>>  It's great to see a discussion already happening around this.  For
>>>>>> context, this was something that Dinis, Andrew, Mark, and I talked about on
>>>>>> the OWASP Podcast that we recorded last Friday.  It was an "initiative"
>>>>>> that Dinis suggested as a way to encourage Chapters and Projects to donate
>>>>>> some of their "ring-fenced" account money and further the OWASP mission.
>>>>>> With Tom already offering a $10k donation from the OWASP NJ Chapter, it
>>>>>> looks like we could pretty easily raise the $100k that Dinis suggests and
>>>>>> then some.  I believe that the Board would be in full support of this
>>>>>> initiative.  What I would propose is that those interested should establish
>>>>>> a new "OWASP Project Summit Committee" under the new Committees 2.0 model (
>>>>>> http://owasp.blogspot.com/2014/07/owasp-committees-20.html).  The
>>>>>> first step in this process is for a community member to propose the new
>>>>>> committee here on the Leaders List stating their rationale and desired
>>>>>> scope for creating a new committee.  Basically, we need someone to step up
>>>>>> to lead the initial effort of scoping what this committee will be
>>>>>> responsible for doing.  Once we have that, the Board will determine if
>>>>>> there is an existing conflict (I doubt it) and then will initiate a public
>>>>>> call for people interested in membership.  By creating a committee for this
>>>>>> initiative, we are empowering those committee members to take action as
>>>>>> defined in the scope and spend money as allocated by the budget.  Is there
>>>>>> someone who would like to take lead on forming the committee?
>>>>>>  ~josh
>>>>>> On Fri, Jun 26, 2015 at 5:06 PM, Dinis Cruz <dinis.cruz at owasp.org> wrote:
>>>>>>> And then ask for a team or OWASP leaders to lead that effort.
>>>>>>>  Josh and Andrew can provide more details on the context of this
>>>>>>> request
>>>>>>>  Dinis
>>>>>>> _______________________________________________
>>>>>>> OWASP-Leaders mailing list
>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> --
>> *Mark Miller, Senior Storyteller*
>> *Curator and Founder, Trusted Software Alliance*
>> *Host and Executive Producer, OWASP 24/7 Podcast Channel*
>> *Community Advocate, Sonatype*
>> *Developers and Application Security: Who is Responsible?*
>> <https://www.surveymonkey.com/s/Developers_and_AppSec>

Tom Brennan