[Owasp-leaders] Advocating for OWASP Projects - need your help

Matt Tesauro matt.tesauro at owasp.org
Fri Nov 11 17:34:18 UTC 2016

Apologies for posting the same thing to two lists, but I wanted to share my
thoughts more broadly than just the board list.

In response to the board thread here
<http://lists.owasp.org/pipermail/owasp-board/2016-November/017621.html>, I
wrote the following.

TLDR:  When projects have so little funds vs chapters, why does it take 21
emails to spend 1.4% of the Project Outreach budget on Zap - one of our
project Rockstars.

---------- Forwarded message ----------
From: Matt Tesauro <matt.tesauro at owasp.org>
Date: Fri, Nov 11, 2016 at 11:26 AM
Subject: Re: [Owasp-board] Petition budget for OWASP Bug Bounty 2016-2017
To: johanna curiel curiel <johanna.curiel at owasp.org>
Cc: Seba <seba at owasp.org>, OWASP Board List <owasp-board at lists.owasp.org>

I've written this email in my head about 5 times - at this point, I might
as well spill some digital ink and get these thoughts out of my head.


21, yeah that's right, 21 emails to request funds that represent a tiny
fraction of the funds that OWASP has to budget for next year.

In 2016, OWASP budgeted $136K for project outreach. If we do the same for
2017, and restrict this request to just that pool of funds, this represents
a mere 1.4705882% of that budget.

21 emails for 1.4% of a single budget category - 0.09% of the 2016 Net
Income for the Foundation [*

And this isn't some relatively unknown project, its by far one of our most
popular and best known projects (hard to say for sure but its easily in the
top 3).  Its also crazy mature and doing what I wish all OWASP projects
could do - having the lead paid to make the project better while bringing
on many, many additional contributors, reaching out to devs, etc.

If one of our rock star projects has to deal with a 21 email thread to get
$2,000 allocated in the 2017 budget something is very broken.

I'm not going to list this as a plus when I try to recruit new projects to

@ the donation score board (worst name ever) and unspent funds, I'd like to
provide a different perspective

Total unspent chapter funds: 758,789.51
Total unspent project funds:  75,735.54

So let be realistic when we talk about unspent funds - there's *over 10
times*, let me say that again
  10 times  10 times  10 times  10 times  10 times  10 times  10 times  10
times  10 times  10 times
the amount of unspent chapter funds vs project funds.

If I were bleeding 10 times more from one wound over the other, guess where
I'd apply pressure.

Let look at the top 5 largest unspent budgets:
              #1       #2       #3       #4      #5      Total of 1 to 5
Chapter  | 123,421 | 54,515 | 49,726 | 32,146 | 32,146 | 291,954 |
Projects |  18,972 |  8,373 |  4,939 |  4,116 |  4,000 |  40,400 |
Percent    |       15%      |       15%     |       10%    |       13%    |
       12%    |       14%      |
of Project vs Chapter

More fun facts:
Chapter with 3 or more digits of unspent funds ($1,000+): 74
Projects with 3 or more digits of unspent funds ($1,000+): 13

So, in a time where part my job as a full-time OWASP staff is to prepare
and budget for 2017 to try to make projects better, I think it time I
become a strong and vocal advocate for Projects at OWASP.

I think Chapters are great - I'm involved in 2 of them in Texas - but
Chapters don't seem to need a vocal advocate.  Plus, if you think Projects
are of equal importance to Chapters at OWASP, we have to seriously
reallocate funds in 2017 to get them on equal footing.

So, for the Project leaders at OWASP, I'm with you and want to make
Projects a great home for your awesome work.  Please let me know what isn't
working for you and I'll do everything I can to get your interests
represented in the 2017 budget and beyond.



-- Matt Tesauro
OWASP AppSec Pipeline Lead
OWASP WTE Project Lead
http://AppSecLive.org <http://appseclive.org/> - Community and Download site
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20161111/419fbd5d/attachment.html>

More information about the OWASP-Leaders mailing list