Tuesday 2 June 2009

OWASP: Proposed change for SoC: Use budget to pay for project related expenses

Just posted this to the owasp-leaders list, and would also like to hear your opinion on it:

Hello OWASP leaders,

Since its creation at the OWASP Summit, the OWASP Global Projects Committee has been meeting every week (see agenda of past meetings here) to try to improve the organization and structure of OWASP Projects.

Our first major deliverable was the Assessment Criteria v2.0 which follows the footsteps of the previous version (now called Assessment Criteria V1) and aims to increase the visibility, usability and quality of the amazing projects you have created.

Our next challenge was to organize the 2009 OWASP grants scheme which (as with the Assessment Criteria) was thoroughly debated, discussed and modified, until we reached the format that is currently here: http://www.owasp.org/index.php/OWASP_Season_of_Code_2009 .

There are three main changes from the previous OWASP Season of Code:

Change #1) we are proposing that applications are targeted at the following 4 areas (each assigned to one or two committees)
Change #2) we are encouraging proposals to be made by groups of OWASP contributors instead of Individuals (or specific projects). For example I really love the idea to create a number of "super OWASP teams" made up of a mix of 'with-proven-track-record' OWASP leaders/contributors and new 'full-of-energy-motivation-and-skills' contributors

Change #3) to use the Season of Code 2009 budget to pay for 'Project related expenses' instead of 'Contributors/Leaders work'

This last change is quite radical, but one that I really believe is key for OWASP's future.

And because this change is so important, the decision to do it is not final (hence why it is not on the SoC 2009 page), and I/We want to hear your opinion on this. So please chip-in with your comments, ideas and suggestions.

I'm quoting below two texts from internal GPC (Global Projects Committee) emails which provide additional background information on the rationale behind this decision and the operational issues we need to address. These quotes also highlight the enormous value to OWASP that these Committees are creating, since in the past these types of discussions and threads would never have existed (apart from the OWASP Board there really was nobody else involved in these types of issues). I would like to give special credit to Jason Li, for his hard work on this process and for taking the time to write a number of detailed emails (like the one below, which I completely agree with).

Looking forward to your comments,

Dinis Cruz (email continues below)

Jason Li on why the move to Change #3:
"...The direction ... to go with SoC funds is that they shouldn't be used to pay for technical work by our community members.

The hope is to get away from using money as the incentive for our community members to become more active and involved. Rather ... the funds ... used for things that the OWASP community could not otherwise produce - for example, physical books for promotion, graphic design costs for documentation, design work for templates, etc.

The SoC money would be allocated to the budgets for accepted projects and the budgets would be presumed for "operating costs" so to speak as opposed to "development costs".

It's a huge change in direction to be sure...."

"...I just wanted to clarify a little bit of the history of SoC. This is paraphrasing Dinis' oral history so he can correct me where I've gone wrong.

The SoC idea was intended as a way to get OWASP more recognition and also to attract new members to the OWASP community. Monetary grants were never intended to "pay for" or cover the cost of the actual work being done. Those grants were meant to serve as a "reward" of sorts for participants (as you know, the grant amounts in the past certainly have not equated to the hours put in).

The hope was that OWASP would grow to the point that participating in SoC, and the positive recognition associated with leading an OWASP SoC project, would be reward enough. Obviously this might be a little idealistic, and there have been discussions about how to properly "reward" SoC participants. Among the current proposals are a guaranteed speaking slot at one of the major OWASP conferences (either US or European conferences) and prominent display in the to-be-redesigned OWASP Project website.

But SoC was never meant to pay OWASP community members for development work and a majority of the OWASP Board feels that the longer we continue to do so, the more we encourage that perception. The Board, and Dinis in particular, is extremely adamant that OWASP should not be on a path where OWASP project leaders expect to get paid for their contributions. It runs contrary to the open and volunteer philosophy of OWASP.

The 20k is still legitimate, but it needs to be clarified along with the rest of the page regarding this new direction for SoC funds. The 20k remark is trying to indicate the limits on a proposal. As a completely off the wall example, say the OWASP NeverNeverLand and Wonderland chapters got together and said, "We're located very far from the US, where OWASP servers are hosted, and it's prohibitively slow for us to get access to OWASP materials. It would take us $12k to arrange an adequate mirroring solution to improve access to the OWASP website in our part of the world. We know that's a lot of money but together between our combined regions, there are hundreds of millions of developers that could use OWASP materials. Because of this, we feel like it's a good use of OWASP funds." Obviously this is a silly example, but that is the type of proposal that we want to allow by indicating large proposals will get more leeway in terms of budget..."

Paulo Coimbra on the operational issues created by Change #3 (most of them still need to be sorted out):

Below, as for SoC 09, I am somewhat randomly pointing out a couple of questions that, from my point of view, are without clarification still.

1. Precisely what kind of expenses and/or investments will be and will not be paid? It seems to me we still need at the least a clear definition of the non-paid rubrics.

2. What instrument will we use to clarify/define what type of expenses will be paid for each project? Will we ask for an initial estimate of expenses for the whole project? Assuming that we do – and that each applicant attaches the budget estimation to the project – can the jury decide that some expenses will be paid and others won’t? If so, what will the criteria for this decision be?

3. Let’s assume we ask for an initial estimate of expenses. Let’s assume OWASP Testing Guide made an application and it was approved. Let’s also assume the approved budget is something similar to the following:

  • Technical writing review – $2,500
  • Book design/content layout – $1,500
  • Publicity/Marketing/Public Relations – $2,000
  • Total = $6,000

3.1. Have we approved a sponsorship of $6,000 or have we approved the value of three distinct rubrics?

3.2. What will happen if the project’s leader ends up saying “I haven’t spent the money approved for book design but I spent more than forecast on marketing and so I would like to have a fund re-allocation”? Who will analyse and decide upon these situations?

3.3. Who will control the overall fund allocation? How?

3.4. Who will be paid? The project’s leader or his supplier? When will the payment be made? When the project finishes or when the expenses have been incurred? Will the payment be made exclusively against invoices/receipts? What will be the admin circuit?

3.5. If we say "Joint proposals (up to 20k) are highly encouraged" and SoC 09 budget is =<>