ossf / tac

Technical Advisory Council
https://openssf.org

[Technical Initiative Funding Request]: Funding for Contractors To Work On Security Tools #311

Open ware opened 2 months ago

ware commented 2 months ago

Problem Statement

OpenSSF has lots of ideas and volunteers, but not enough people creating software reflecting those ideas. We need to be able to hire contractors to work on these tools.

Who does this affect?

The majority of the WGs

Have there been previous attempts to resolve the problem?

Other than a call for volunteers, I do not believe so.

Why should it be tackled now and by this TI?

Many of the groups have tools they would like to see or need help developing the tools they currently have.

Give an idea of what is required to make the funding initiative happen

This question is pretty open-ended so I'm unsure of everything that is being asked of it. That said, many people look at the Security Tooling WG as a place where security tools can be created. Yes, that is being done in relation to some of the SBOM tooling, but there are other tools that need to be developed and then maintained. To make this really valuable, the ST:WG needs to work with all of the other WGs, do a survey with them on the tooling efforts that they need, and then hire 2-3 contractors to help those WGs build out those tools.

What is going to be needed to deliver this funding initiative?

A completed survey with other WGs to determine their needs.

Are there tools or tech that still need to be produced to facilitate the funding initiative?

There are no tools or tech that would be needed by this funding initiative. However, this funding initiative could be used to help other WGs with their tools or tech needs.

Give a summary of the requirements that contextualize the costs of the funding initiative

The summary of the need here is for there to be funding in place to hire 2-3 contractors working full time to help create new OpenSSF tools and, where possible, contribute to existing tools that need help.

Who is responsible for doing the work of this funding initiative?

Ryan Ware

Who is accountable for doing the work of this funding initiative?

Ryan Ware

If the responsible or accountable parties are no longer available, what is the backup contact or plan?

Arun Gupta

Which technical initiative will this funding initiative be associated with, and will it report to which WG or project?

This would be a part of the Security Tooling WG.

What license is this funding initiative being used under?

Variable

Code of Conduct

List the major milestones by date and identify the overall timeline within which the technical initiative plans to accomplish their goals. Any payments for services, sponsorships, etc., will require LF Legal and Financial review.

If this is a request for funding to issue a contract, then OpenSSF will issue that contract. Please provide a Statement of Work (SOW) that we may review. Any contracting action will take 4-6 weeks to issue.

There would undoubtedly be a contract with contracting agencies that would need to be put in place. The SoW would depend upon the projects being tackled.

steiza commented 1 month ago

I'm supportive of this idea generally, and I love the milestones, but I'm not sure I understand the sequencing and what is being asked for today.

@ware are you requesting funding for a contractor to run the WG survey in Q2? Or are we saying that once we have the results of that survey we'll be making more concrete funding requests? Or maybe there's a third option, where we're requesting funds for the whole project in advance, to shape the survey and scope the projects we consider for Q3?

Again, I think this is promising, but I could use help in clarifying the request. Thanks!

ware commented 1 month ago

Excellent question! To be clear, the contractor will be to do coding after we do the WG survey. The survey is to identify areas where OpenSSF WGs need help getting coding done. I think the survey itself can be done by me and others in the ST WG. When the survey is complete, we would work collaboratively with TAC to determine what the right priority is.

I envision this more as a pilot on how we can get code written for critical needs across OpenSSF. In conversations with various folks in OpenSSF, I regularly hear that we create lots of documentation but don't have the right people to write code. I'd like to make sure OpenSSF has a place to go to address those needs in a prioritized manner.

Does that answer your question @steiza?

mlieberman85 commented 1 month ago

I think this would be useful especially in cases where the contributors/volunteers on the projects aren't experts in a particular thing. For example, having someone who is an expert in databases to help with optimizing queries when the engineers on the project aren't experts.

We also probably want to be sensitive here, as there are a lot of projects with devs already working on them that could use help, and there are various projects that have no engineers that could use help, and I want us to be careful not to view the latter case as the obvious one that is in need of help. We don't want to end up in a situation where member companies view the OpenSSF as a way to subsidize work potentially on projects they want to productize.

sevansdell commented 1 month ago

I recommend, after the survey, when you have a list of TIs that could benefit from code support, putting in a time-boxed request for support and what they'd do. We should do an ask of members to participate, and barring anyone stepping forward, could fund time-boxed work with a future TI proposal review with the specifics: it's a need, no members have responded, here's what they'd do for x amount of time. And then take those on a case by case basis.

steiza commented 1 month ago

@ware we're doing some issue housekeeping - can we close this issue out? My understanding is that you're going to conduct a survey and come back with a more detailed request for funding - is that the case?

ware commented 3 weeks ago

> @ware we're doing some issue housekeeping - can we close this issue out? My understanding is that you're going to conduct a survey and come back with a more detailed request for funding - is that the case?

That wasn't the intent. I was going to do the survey if there was going to be funding. I'm happy to go work with all of the WGs & SIGs to determine their needs and work with all key stakeholders to prioritize what gets worked on, but that's a lot of prospective work to do if I have no idea there's going to be funding. If there's going to be funding, happy to do all that work.

SecurityCRob commented 3 weeks ago

I don't see a specific dollar request in this. I see "2-3 contractors", but no projected cost. It is hard to approve funding without specific figures. @ware

sevansdell commented 3 weeks ago

> @ware we're doing some issue housekeeping - can we close this issue out? My understanding is that you're going to conduct a survey and come back with a more detailed request for funding - is that the case?

> That wasn't the intent. I was going to do the survey if there was going to be funding. I'm happy to go work with all of the WGs & SIGs to determine their needs and work with all key stakeholders to prioritize what gets worked on, but that's a lot of prospective work to do if I have no idea there's going to be funding. If there's going to be funding, happy to do all that work.

@ware What I am hearing from the Budget and Finance committee: we have funds to distribute to TIs for one-time activities, not those that will become an annual or long-term expense. I believe the work you do to survey and come back with TI requests will be well received. OpenSSF wants to support TIs with one-time funding this year! Your surveys could help accelerate this.

ware commented 3 weeks ago

Thank you @SecurityCRob & @sevansdell both for your thoughts. I think there is a good way to address your thoughts and some others that I've seen: let's make this a one-time pilot to prove the concept, and if it's successful, we look for other avenues of funding that are cyclical.

As such, I would like to amend this TIFR for us to hire one developer (contractor) for 1 quarter. I think experienced developers are about $50k/quarter so that is the specific ask.

I can survey the various WGs and SIGs over the next 6 weeks and then we can work on hiring an appropriate contractor for the work we all agree upon.

Thoughts?

SecurityCRob commented 3 weeks ago

Perfect, tyvm. The TAC will discuss this in our next call (11 June).

sevansdell commented 3 weeks ago

I will be out on June 11 and am trying to be proactive. I support this TI funding request with your additions @ware.

ware commented 2 weeks ago

I want to respond to a suggestion that was brought up. It was suggested that I pick a project for this that has already been brought to my attention. I feel this runs directly counter to concerns that were brought up by others implying that we don't want to show any type of favoritism. We need to ensure that if we are going to do this pilot, we fairly evaluate the needs of all TIs and not just ones that have been brought to my personal attention. Without doing that, this feels much less open and community focused. Maybe we turn this around and have TIs come make requests of the ST WG?

steiza commented 2 weeks ago

I support this funding request.

In the future, I think we want funding requests to have the specific work already defined (see for example https://github.com/ossf/tac/issues/339). But I don't think our existing process made that clear. Since the TAC meeting I've learned that after the TAC reviews the technical merits of the request it goes on to the budget committee to figure out a way forward. That sounds fine to me!

lehors commented 2 weeks ago

@ware I can certainly appreciate the intent to have a fair and balanced approach on how to choose which particular development to support, but I'm concerned that doing an organization-wide survey will take a lot of time during which nothing will be done. Having the TIs come and make requests would probably be better, but I don't understand why they can't just come to the TAC to make those requests then. As I mentioned on the TAC call, this is essentially adding another layer of process which I don't think we need.

SecurityCRob commented 2 weeks ago

I agree with the objective, but I would prefer to see this application come from a specific TI instead of us hunting one down. I think @ware's suggestion of doing some legwork to identify a pilot project that has the need within our TIs would help us prove out the need and see a measured result from a more specific focus. Alternatively, we can reach out to the software projects within the foundation to highlight this as an option for them to see if anyone takes up the effort.

lehors commented 2 weeks ago

In a way, @ware came to ask the TAC if we'd support that kind of request because, understandably, he didn't want to do all the legwork of figuring out what tool to develop and put together a more detailed request without knowing whether this was time well spent. I think the answer to that question is clearly yes. But it's too vague for us to be able to fully commit. So, I hope this is enough reassurance for @ware to further investigate and put together a concrete proposal we can then review and approve.

ware commented 2 weeks ago

@lehors & @SecurityCRob, I really appreciate the thoughts and feedback. I'll try and figure out some time to do some more investigation.

marcelamelara commented 2 weeks ago

Chiming in since we're getting close to the decision deadline. I generally support this request, but I would prefer to see a more concrete SoW and involved TIs before fully agreeing to fund the contractors. So I vote to defer this request.