Thursday, 10 January 2013

On how to get paid to work on OWASP projects

Here is an old blog post (from May 2012) that I never got around to publishing (it got lost in the drafts folder). It provides more info on why OWASP cannot pay its leaders, and on how to get paid to work on OWASP projects.

Since this was a personal email, I replaced the OWASP leader's name and project with XYZ and Project ABC.


(before you read my answer below, read this email to the leaders I sent last year: about the opportunity to hire Sandra to work on OWASP Projects)

I know you are not doing it for the money (none of us are), and I agree that if you were able to have dedicated time to work on Project XYZ it would make massive progress (same thing for a lot of other projects).

The problem is that YOUR fees cannot be paid by OWASP (for all the reasons I mention in the 'Why OWASP can't pay OWASP Leaders' blog post). Even worse, if OWASP were to pay your fees, it would probably be a disservice to you, since you probably would not be able to charge close to your commercial value (i.e. what a company would pay you). Again, that would not be scalable, since it would mean that the only way you could get paid to work on OWASP is to take a big pay cut.

Now two things:

1) The way you are currently planning to spend the funds (which you applied for) is exactly the way I think OWASP can support your (and other leaders') efforts. In fact my idea with the OWASP GSD Project (GSD = Get Stuff Done) is to take that to another level and say "Hey... we trust XYZ so he can just get on and get it done (no need to 'submit proposals', just list where he wants to spend it)".

2) You are asking your current employer to 'sponsor' you with paid time. Now THAT is the way to get you paid. Recognizing when an OWASP Leader is being sponsored by a company to spend 'Company time' on a project is one of the areas that we have failed miserably at OWASP. I tried to move things in the right direction when at the Summit I was able to inject that information into the Attendee list (see the 'Summit Time paid by' column in ). And this type of 'payment' is the most effective one, since you can negotiate your contract with the company that is hiring you (in private) and it would not break the contributors model. Note for example that that type of deal is the one I have with SI at the moment. I am able to spend my paid time on OWASP and O2 (with no cost to OWASP). And this also happens with a LOT of other OWASP leaders.

So XYZ, I still want you (and other OWASP leaders) to be paid for working on OWASP projects. In fact I want you to be paid your full (or close to full) commercial rates. The key is that we need to figure out a model where 3rd party companies (or governments) pay that bill.

I think we are getting closer now, but as with everything, if there isn't a model created, it will not scale and we will not be able to take it to the next level. This is what I tried to create last year with Sandra's proposal ( ), and unfortunately there wasn't momentum (and vision) in our community to push it (I was also leaving the OWASP Board, so I was not comfortable pushing that concept without full support and commitment from the board and leaders).

Basically the model at is the one that I think will work for you (note how in that case the fees were arranged between SI and Sandra, which is how it should be).

Dinis Cruz

On 15 May 2012 09:55, XYZ wrote:
Hi Dinis,

I've agreed to disagree with you on this one; I'm not in it for the money. I just want to get it done, but I can't do that (in a reasonable time) whilst working 12-14 hour days. My job allows me to pay my rent, health insurance, car payments, and allows my family to eat. However, it's not to be, so my time will necessarily be limited to weekends, nights after my daughter goes to sleep, and train rides when my paying job doesn't have too much on.

If OWASP could fund me so that I could take leave without pay (i.e. a career break) for say six months, the head start would be fantastic. You experienced that head start when you did O2, and I understand your family's sacrifice to make that work. Realistically, I don't have the luxury of savings, so even though I know what minimal amount of money I need to live, one to two weeks is not going to get that far on Project ABC.

I've put a budget submission in for the new Project ABC, primarily to organize a face-to-face at AppSec Research to do a planning session and, most importantly, a hack-a-thon. I have asked my work to sponsor the Project XYZ effort so that I can travel to Athens, but if they don't agree to allow me time off and 20% time (i.e. the sponsorship element), then I can't be there. The reality is that if they say "no" then there's every chance I can't work on the project until I leave Company ABC. I hope it's not a "no". This is one of the reasons I've never done Project ABC work in my employer's time or on their equipment.


On Sat, May 12, 2012 at 1:50 PM, Dinis Cruz <> wrote:
Hi XYZ, I know that we have disagreed in the past on how to best support efforts like the one you are doing; hopefully we can find some common ground on the GSD project.

I've just started a new OWASP project (called GSD) that represents how I think OWASP projects can be supported by OWASP:
Note, in the 'where to spend the funds' examples, that both your projects are perfect fits :)

What do you think?

Dinis Cruz