
Governance/ProjectProgramModels

Revision as of 23:02, 30 April 2014 by Samantha Groves (talk | contribs)


Purpose

OWASP needs help from our community to define an OWASP Projects Program model that will meet the needs of our overall community. To do so, we are engaging the community to discuss and flesh out different options. We would like to have a vote on this to ensure that the community has a say in how the foundation moves forward.

The Options

Please feel free to add additional bullets to any of the cells. Please do not remove existing items.

  • Option 1 - Flagships get majority of resources to increase quality.
  • Option 2 - Develop two separate programs: Quality focused and Innovation focused
  • Option 3 - Community project review centric model

Summary Description

Option 1:

We would drop the lab designation, and only have Incubator and Flagship projects. Flagship projects would be voted on by the community, and our resources would go towards developing the Flagship projects, based on community input. Incubators would get less attention and support.

  • This approach keeps both Flagships and Incubators under the same program.
  • This model would remove resources from Incubators and funnel the majority of resources into the Flagship Projects.

Option 2:

This approach separates focus areas into two separate programs. One will focus on increasing the quality of a handful of projects selected by the community, and the other program will focus on developing a platform for new leaders that facilitates innovation, research, and testing.

  • This approach would take two community requests (increase quality, platform for innovation), and separate each request into two programs.
  • This method allows the foundation to have clearly defined goals for each program.

Option 3:

This is the approach we are currently using. This approach requires that the community conduct project reviews to graduate projects, and it requires a twice-yearly project audit to demote projects that are currently inactive.

  • Current approach
  • This model requires a large task force of community reviewers to make sure our project graduation process is functioning to an acceptable level.

How are Flagships Selected?

  • Option 1: Community Vote
  • Option 2: Community Vote
  • Option 3: Community Project Health and Quality Reviews

New Project Designations

Option 1:

  • Official OWASP Project: As Josh suggested, these would be projects that OWASP actively maintains and uses to promote the foundation. In reality, these are what flagship projects should be under the current system. The majority of our resources and time should be used to improve the quality and sustain these projects.
  • OWASP supported Projects: These would be similar to what the incubators are under our current system. As I have mentioned before, having this space for our community is very important as it encourages innovation, and it allows starting members to become engaged and involved. These can be managed in the same way we manage incubators now.
  • OWASP Sunset Projects: This is another one of Josh’s ideas that I am very happy to support. Projects like ESAPI or WebScarab would fit under this title. These are projects that are still being used by consumers, but that we cannot directly support as they are not actively maintained or being worked on.

Option 2:

  • OWASP Flagship Project: These would be projects that OWASP actively maintains and uses to promote the foundation. The majority of our resources and time should be used to improve the quality and sustain these projects.
  • OWASP Incubator Projects: These would be all of the rest of our projects. These can be managed in the same way we manage incubators and lab projects now.
  • OWASP Sunset Projects: This is the same as Proposal 1. Projects like ESAPI or WebScarab would fit under this title. These are projects that are still being used by consumers, but that we cannot directly support as they are not actively maintained or being worked on.

Option 3:

  • OWASP Flagship Project: These would be projects that OWASP helps maintain, but does not directly manage. We will use these to promote the foundation.
  • OWASP Lab Projects: Projects with beta or stable release that wish to graduate to Lab.
  • OWASP Incubator Projects: These would be all of the new projects. These can be managed in the same way we manage incubator projects now.
  • OWASP Sunset Projects: Projects like ESAPI or WebScarab would fit under this title. These are projects that are still being used by consumers, but that we cannot directly support as they are not actively maintained or being worked on.

How are logos handled (placement, cost, logo size, etc.) both on the wiki page and within any output/deliverable (e.g., tool, documentation)?

Option 1: At the sole discretion of the project leader

Option 2: By OWASP-wide standard policy for project sponsorship. Logos would be included at a standard place for all projects.

Option 3: There are no project sponsors. Instead, sponsors of the OWASP Foundation are listed on a dedicated sponsorship page, which may include the logo.

How are company contributions acknowledged?

Option 1: At the sole discretion of the project leader

Option 2: The same as individual contributors. However, since an individual can list their company name, a company with many volunteers to a project would see their company name listed multiple times on the project acknowledgement page.

Option 3: The same as individual contributors. However, since an individual can list their company name, a company with many volunteers to a project would see their company name listed multiple times on the project acknowledgement page.

How are individual contributions acknowledged?

Option 1: At the sole discretion of the project leader

Option 2: All contributors will have their name, email address, and company (if desired) listed on the contributors page for the project.

Option 3: All contributors will have their name, email address, and company (if desired) listed on the contributors page for the project.

Positives of this approach

Option 1:
  1. Very decentralized and scalable, no impact on operations staff
  2. Project leader empowerment

Option 2:
  1. Revenue generation
  2. All contributors get recognition
  3. Companies that allow employees to work on a project will show many @company.com contributors

Option 3:
  1. Maintains focus on OWASP, less dilution of OWASP brand
  2. Centralized location for sponsorship recognition (wall of fame)

Negatives of this approach

Option 1:
  1. Lack of consistency across projects
  2. No clear engagement on how contributors get involved
  3. May be open to abuse due to lack of standards

Option 2:
  1. Individuals and companies that contribute lots of time may be trumped (in recognition) by any company that donates money
  2. Corporate logos on projects may cause vendor neutrality concerns and discourage contribution

Option 3:
  1. A company would not have any branding/advertising incentives to sponsor a project that could use the funds

Any other considerations
  1. ...
  1. ...

Additional Comments

Use this space to provide additional comments on any of the existing text. For example, perhaps you disagree with something that is above. Please note your thoughts in this section.