[Owasp-leaders] Project Sponsorship, Support, and Finance

Steve Springett steve.springett at owasp.org
Sun Dec 10 18:10:02 UTC 2017

One of the primary reasons why I choose to participate in OWASP projects as
well as start my own is the support that the OWASP organization provides
including the wiki, appsec activities, and project sponsorship.

The decision to have donated multiple open source projects to OWASP has
been tested over the past month without acceptable results.

As many of you know, I have been heavily involved in Dependency-Check since
2012 and started Dependency-Track in 2013. Dependency-Track v3 (to be
released in Q1 2018) will be the result of an entire year of work which has
resulted in the creation of several supporting and smaller projects and
many enhancements to Dependency-Check along the way.

One of those smaller supporting projects is actually a big deal to a
specific vulnerability intelligence vendor. I am working to incorporate the
service the vendor provides as an optional feature into both
Dependency-Check and Dependency-Track in an effort to bring additional
capabilities to these projects on par with their commercial counterparts.
The vendor, in turn, chose to sponsor Dependency-Track, an act that I
thought was very kind and very much appreciated that would actually benefit
both the Dependency-Check and Dependency-Track projects as a result.

The vendor informed me on November 3rd they made the donation and I
immediately reached out to OWASP accounting and a few other individuals
throughout the course of November including communications on November 4th,
November 8th, November 10th, and November 28th. My purpose for this email
is NOT to point fingers at individuals. Relying on a single person in an
organization instead of an agreed-upon process supported by leadership
makes OWASP no better than a recent CEO pointing fingers at a single person
for not applying a patch. It’s absurd and laughable. If relying on a single
person is strategic, that strategy is flawed and needs to be fixed.

Five weeks after the vendor made the contribution to sponsor the project
and I still have not heard any details from OWASP about the nature of the
contribution - even though the vendor shared those details with me.

Five weeks after the vendor made the contribution and I still am not able
to publicly thank them for their contribution.

Five weeks after the vendor made the contribution and I’m still not able to
follow the guidelines outlined in

Providing details on the contribution is required if OWASP expects to have
project sponsorship. Even an answer that the contribution was made in error
and was a general contribution instead would be an acceptable answer. No
answer at all is not acceptable and I question OWASP’s ability to provide
project sponsorship in the first place.

The contribution was made using the same/similar mechanism the OWASP Defect
Dojo project uses. I question if that project, or any other project using
this method, has received the support they deserve.

If the donor didn’t inform me of their contribution, I would likely never
know about this situation. This is not the type of organization I want to
continue to be associated with.

I am asking for a thorough review, not only on the Dependency-Track
project, but on all projects that use this method of donation.

I have not decided whether or not to continue donating my projects to OWASP.
At risk for being pulled from OWASP are:

Dependency-Check Jenkins plugin
Dependency-Check SonarQube plugin

In all cases however, I will be removing the OWASP name from the above

*Steve Springett*
About:   https://about.me/stevespringett
GitHub:   https://github.com/stevespringett
Keybase:   https://keybase.io/stevespringett