Friday 1 October 2010

Great Comments on the O2 Subscription Model

OWASP Leader Michael Coates had some great comments on the O2 Subscription model when I asked a while back if it was compatible with OWASP's values and mission.

Here are his words (slightly edited since the original version was commenting on the previous version which had a couple extra OWASP membership related items):

"...To my knowledge, this is the first OWASP project that has attempted a financing model.  It is important for us (OWASP leaders) to be open and communicate the correct ways for OWASP projects to offer services that are not free.  Below I've included the OWASP principles and my thoughts on their relation to Dinis's idea.

OWASP Principles -

Free & Open

As Dinis mentioned, his code is open to everyone at no charge.  The O2 tool can be downloaded and used without paying any of the subscription fees. No problem here.

Governed by rough consensus & running code

Not relevant to this issue except that the overall consensus of the OWASP leaders should be considered.

Abide by a code of ethics

No problems here.


OWASP itself is not for profit. But what about individual projects? The O2 project is rightfully (in my opinion) charging for Dinis's time to offer premium support to commercial customers. Many of us, Dinis included, volunteer large amounts of time to OWASP. However, volunteering and providing commercial grade support are two totally different things. This is a fine move in my opinion.  Many companies will not adopt open source software if a formal support policy cannot be established.  So although I don't personally have any problems here, how do we reconcile this situation with our principles?  Perhaps the answer is related to point #2 (rough consensus) and this sort of email discussion.

Not driven by commercial interests

Although O2 technically would become "commercial" in a small way I don't see any problem here. This item is meant to address the overall objectivity of OWASP in always promoting the best security advice that is not tainted by a particular company's motivation.

Risk based approach

Not a problem. In fact O2 reinforces this principle.

Overall I think Dinis's approach to a subscription model for support is not a problem. This model is used by other open source organizations such as Red Hat. In fact, if we want OWASP to continue to grow then I think we need to support these types of initiatives. Otherwise our tools and processes may be ignored by many companies that require these types of formal relationships.

  • I support Dinis's plan to offer a subscription service for commercial support of O2 and believe this type of model is necessary to take OWASP projects to the next level
  • I believe this is in line with OWASP principles
  • ....