[Owasp-leaders] Request for OWASP board to approves 100K for a project Summit in 2016

johanna curiel curiel johanna.curiel at owasp.org
Tue Jun 30 11:06:50 UTC 2015


Right on Tom
I think that Claudia's key role as Project coordinator is to support and
manage requests for project funding and activities related to projects.

On Tuesday, June 30, 2015, Tom Brennan <tomb at owasp.org> wrote:

> Isn't this not the focus of Claudia?
>
> We should back up and wait for her observations and recommendations.  I am
> looking forward to the first public meeting with her and a podcast with her
> actually.
>
>
> On Monday, June 29, 2015, johanna curiel curiel <johanna.curiel at owasp.org>
> wrote:
>
>> Would love to provide my P.O.V. about this discussion ;-)
>>
>> 2 years ago, there was a free pass to start projects, anyone could start
>> an EMPTY project and make use of funds.
>> The result of this action:
>> After 2 years 90+ were empty (2 or 3 years without a single deliverable)
>> from an inventory of 150 (totally empty at all) and the OWASP inventory was
>> a shell of empty wiki pages. It took us 6 months to clean up all this, and
>> people misusing the OWASP brand for projects that were empty. We had cases
>> where some leaders were even saying they were members of the board!
>>
>> We cannot trust blindly everyone to spend money (or even start empty
>> projects) without at least explaining what is it for what. This works with
>> small group of projects but not for +100 projects.
>>
>> I do agree that the situation of 'budget allocation' chapters vs.
>> projects is an issue but so difficult to spend money is not.
>>
>> I have a full time job and get the time to write a small explanation to
>> get funds for an initiative and how and under which conditions. OWASP does
>> not ask an entire report to do this. Just a small explanation. The bigger
>> the budget, of course you need to explain more the purpose of
>>
>>
>> @ Dinis I do respect your pov but definitely we cannot allow this kind of
>> free for all. It has been shown that people already abused from this free
>> pass and now with more than +100 projects, we need regulations. It didn't
>> cost you much to write an email explaining in a sentence what was it for.
>>
>> The issue : if you do not explain what is it for, everyone then wants the
>> same and becomes chaotic.
>>
>> Regards
>>
>> Johanna
>>
>> On Mon, Jun 29, 2015 at 2:44 PM, Mark Miller <mark.miller at owasp.org>
>> wrote:
>>
>>> The full interview with Josh, Andrew and Dinis is now available as an
>>> OWASP 24/7 Podcast: OWASP Project Funding
>>> <http://www.sonatype.org/nexus/2015/06/29/owasp-project-funding-w-josh-sokol-dinis-cruz-and-andrew-van-der-stock/>
>>> w/ Josh Sokol, Dinis Cruz and Andrew van der Stock. I hope you find it
>>> helpful to further this discussion. -- Mark
>>>
>>> On Mon, Jun 29, 2015 at 1:35 PM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>> >Unsure how to govern this but setting up an empty wiki and not having
>>>> any activity for a time after is not a project? Unsure we should fund such
>>>> empty vessels :)
>>>>
>>>> No empty vessel, no empty wikis is the motto and has been after the
>>>> latest big clean up since 2 years ago. After so many called 'projects' that
>>>> were empty (more than 90), we have set as rule that a project must
>>>> deliver something based on their road-map, based on the time line provided
>>>> by its road-map. We evaluate the project based on the criteria we published
>>>> 2 years ago and communicate with the project leader. There is no purpose
>>>> or advantage to have an empty wiki or poor content when potential OWASP
>>>> users look at your project. We try to focus on a minimum quality because
>>>> this goes along with OWASP reputation.
>>>>
>>>> @Mike:
>>>> All projects, including incubators have the opportunity to go. Last
>>>> Summit KBA-PMP applied to assist the summit @EU, which is an incubator and
>>>> they were there, but KBA has been working on its deliverable and are quite
>>>> active with meetings and research.
>>>> I do not recall you sent me an agenda.
>>>>
>>>> Keep in mind that the Summit is about sharing with other leaders but is
>>>> more about getting things done for your own project. So the question is :
>>>> What do you want to achieve during those 2 days, what are your targets and
>>>> what is your purpose and goals for assisting?
>>>>
>>>> ZAP will not be at this summit so, (and btw Simon was fully sponsored
>>>> by his employer as there are others such Appsensor)
>>>> You want to participate just like anyone:
>>>>
>>>>    - Create an agenda, send it to me
>>>>    - I publish it on the Task force mailing list, we evaluate the
>>>>    project. I know that already Timo did a quick review.
>>>>    - Describe What do you want to get done during this period
>>>>    - We evaluate your project to see how far you are regarding the
>>>>    road-map and maturity level
>>>>    - We evaluate your proposal and based on this you get the
>>>>    opportunity
>>>>
>>>> Budget is tight so first come first served based on the agenda and
>>>> deliverable. Your project is quite new (June 2, 2015). So please bear with
>>>> us also that the summit budget allocation is based on how much a project
>>>> has delivered.
>>>>
>>>> If you have questions, please let us know
>>>>
>>>> regards
>>>>
>>>> Johanna
>>>>
>>>>
>>>> On Mon, Jun 29, 2015 at 12:54 PM, Eoin Keary <eoin.keary at owasp.org>
>>>> wrote:
>>>>
>>>>> Unsure how to govern this but setting up an empty wiki and not having
>>>>> any activity for a time after is not a project? Unsure we should fund such
>>>>> empty vessels :)
>>>>>
>>>>>
>>>>> Eoin Keary
>>>>> OWASP Volunteer
>>>>> @eoinkeary
>>>>>
>>>>>
>>>>>
>>>>> On 29 Jun 2015, at 18:41, Mike Goodwin <mike.goodwin at owasp.org> wrote:
>>>>>
>>>>> Hello all,
>>>>>
>>>>> I agree that we want to encourage activity and forward progress on
>>>>> projects, but does that mean that a summit should only be for established
>>>>> projects that have delivered already? I am just in the process of starting
>>>>> a new OWASP project - I'm waiting anxiously for its approval by the Project
>>>>> Task Force. I'm the sole contributor at the moment,  but I am active on it,
>>>>> it has regular code checkins and there is a working prototype that is
>>>>> moving forward with a clear goal (it is
>>>>> https://www.owasp.org/index.php/OWASP_Threat_Dragon for anyone that
>>>>> want to take a look).
>>>>>
>>>>> I would benefit a lot from the experience of other project leaders
>>>>> both directly in terms of their opinion on the project and indirectly in
>>>>> terms of how to promote a project and build its visibility and eventually
>>>>> its user base. I'd love it to be the next ZAP! The time I need that support
>>>>> most is now, at the start of the project, rather than once it's already
>>>>> succeeded. Or maybe to put it another way, I need a different type of
>>>>> support as the leader of an incubator compared to the leaders of flagship
>>>>> projects.
>>>>>
>>>>> I appreciate that this is a tricky issue. Many organisations and
>>>>> businesses suffer from the inability to end projects that have no chance of
>>>>> furthering their mission. Given that our projects are volunteer-led, this
>>>>> will be even more difficult for us. However, the best companies are the
>>>>> ones that can judge where to focus their efforts, keeping a balanced
>>>>> portfolio of established products alongside early stage ones. This is an
>>>>> extension in some ways of the "risk taking in NFPs" discussion that
>>>>> Dinis Cruz raised.
>>>>>
>>>>> I'm not sure what the answer is, but I'm pretty sure that I could
>>>>> benefit from the experience of meeting and talking with people who have
>>>>> already turned incubator projects into flagship ones.
>>>>>
>>>>> Thoughts and comments welcome!
>>>>>
>>>>> Mike
>>>>>
>>>>> On 28 June 2015 at 19:33, johanna curiel curiel <
>>>>> johanna.curiel at owasp.org> wrote:
>>>>>
>>>>>> 100K can allow us to involve more projects but I believe in
>>>>>> regulations.
>>>>>>
>>>>>> After having reviewed so many projects, there are many people that were
>>>>>> starting a project with no content and after a year or 2, an empty wiki
>>>>>> page was hanging with the title project, but there was no project content
>>>>>> to be found.
>>>>>>
>>>>>> I don't think we want to sponsor this kind of behaviour.
>>>>>>
>>>>>> We want to sponsor and support those projects that are working hard
>>>>>> to get things done. Recession period is not the point here. It's about
>>>>>> starting a project in a wiki page that never comes with a deliverable. But
>>>>>> let's also consider that if a project has been inactive for more than 3
>>>>>> years and suddenly a project leader wants to 'revive the project', the
>>>>>> summit should not be used as a kind of paid vacation and 'by the way'
>>>>>> participate in the summit.
>>>>>>
>>>>>> That's why we need some kind of rules for participation and regulation
>>>>>> to avoid abuses.
>>>>>>
>>>>>> I think we need to make clear that anyone that wants to make use of
>>>>>> funds for summits, have to produce a clear deliverable that contributes to
>>>>>> their project. That's why now, our rules for starting projects must have
>>>>>> some deliverables, but even so, there are still many projects that produce
>>>>>> very little and are called projects. Like once Josh said, we should not
>>>>>> confuse concepts or ideas and call them projects.
>>>>>>
>>>>>> I also like the idea of small events based on different regions that
>>>>>> are more accessible for project leaders in different regions and time zones.
>>>>>>
>>>>>>
>>>>>> On Sun, Jun 28, 2015 at 2:16 PM, Eoin Keary <eoin.keary at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>>> Spot on Tobias.
>>>>>>> A breakdown of the 100k would be a first step. Do we need 100k or
>>>>>>> more/less?
>>>>>>>
>>>>>>> I'm happy to help with this given my decent track record with
>>>>>>> flagship projects.
>>>>>>>
>>>>>>> I'd still suggest having more than 1 summit and having them more
>>>>>>> frequent globally as projects may need a summit event at different times. -
>>>>>>> more frequent and smaller events.
>>>>>>>
>>>>>>>
>>>>>>> Eoin Keary
>>>>>>> OWASP Volunteer
>>>>>>> @eoinkeary
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 28 Jun 2015, at 21:00, Tobias <tobias.gondrom at owasp.org> wrote:
>>>>>>>
>>>>>>> I agree. And big thanks to all the interest and voluntary announced
>>>>>>> contributions.
>>>>>>> It will be great to see all this come to fruition.
>>>>>>> And I believe it will also be good to see some basic plan for this
>>>>>>> to see how much money we like to spend and how. Some more details down the
>>>>>>> road will also help motivate chapters and sponsors even more.
>>>>>>> Best regards, Tobias
>>>>>>>
>>>>>>> Ps.: Small addition: if people feel that a committee is too
>>>>>>> complicated, we could also handle this as an "initiative". Whatever works
>>>>>>> best for the team.
>>>>>>>
>>>>>>>
>>>>>>> On 28/06/15 19:35, Josh Sokol wrote:
>>>>>>>
>>>>>>>  It's great to see a discussion already happening around this.  For
>>>>>>> context, this was something that Dinis, Andrew, Mark, and I talked about on
>>>>>>> the OWASP Podcast that we recorded last Friday.  It was an "initiative"
>>>>>>> that Dinis suggested as a way to encourage Chapters and Projects to donate
>>>>>>> some of their "ring-fenced" account money and further the OWASP mission.
>>>>>>> With Tom already offering a $10k donation from the OWASP NJ Chapter, it
>>>>>>> looks like we could pretty easily raise the $100k that Dinis suggests and
>>>>>>> then some.  I believe that the Board would be in full support of this
>>>>>>> initiative.  What I would propose is that those interested should establish
>>>>>>> a new "OWASP Project Summit Committee" under the new Committees 2.0 model (
>>>>>>> http://owasp.blogspot.com/2014/07/owasp-committees-20.html).  The
>>>>>>> first step in this process is for a community member to propose the new
>>>>>>> committee here on the Leaders List stating their rationale and desired
>>>>>>> scope for creating a new committee.  Basically, we need someone to step up
>>>>>>> to lead the initial effort of scoping what this committee will be
>>>>>>> responsible for doing.  Once we have that, the Board will determine if
>>>>>>> there is an existing conflict (I doubt it) and then will initiate a public
>>>>>>> call for people interested in membership.  By creating a committee for this
>>>>>>> initiative, we are empowering those committee members to take action as
>>>>>>> defined in the scope and spend money as allocated by the budget.  Is there
>>>>>>> someone who would like to take lead on forming the committee?
>>>>>>>
>>>>>>>  ~josh
>>>>>>>
>>>>>>> On Fri, Jun 26, 2015 at 5:06 PM, Dinis Cruz <dinis.cruz at owasp.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> And then ask for a team or OWASP leaders to lead that effort.
>>>>>>>>
>>>>>>>>  Josh and Andrew can provide more details on the context of this
>>>>>>>> request
>>>>>>>>
>>>>>>>>  Dinis
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> OWASP-Leaders mailing list
>>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>>
>>> --
>>> *Mark Miller, Senior Storyteller*
>>> *Curator and Founder, Trusted Software Alliance*
>>>
>>> *Host and Executive Producer, OWASP 24/7 Podcast Channel*
>>> *Community Advocate, Sonatype*
>>>
>>> *Developers and Application Security: Who is Responsible?*
>>> <https://www.surveymonkey.com/s/Developers_and_AppSec>
>>>
>>>
>>
>
> --
> Tom Brennan
> 973-202-0122
>