[WASC-WAFEC] Question about WAFEC.

Robert A. robert at webappsec.org
Fri Jun 20 18:21:29 EDT 2014

> On Sat, Jun 21, 2014 at 2:35 AM, Robert A. <robert at webappsec.org> wrote:
>> WASC has avoided these situations for nearly a decade. We require project
>> material discussions to be held on a public list, so that people can spot
>> any bias material and question it. While I appreciate your dedication to
>> ensuring materials are unbiased, I don't believe grilling 'contributors' on
>> their background is the right approach. If you observe an individual who
>> 'currently works' at a vendor/service provider, and is trying to hide this
>> fact, then call it out. Otherwise please refrain from interigating
>> contributors, this will not be tolerated. If you observe a project leader
>> who is outright in a position of 'conflict of interest' then please feel
>> free to call it out on the list.
>> As always, if you see bias in a direction of a project, call out the
>> specific instance.
> I don't believe this type of situation would arise but I will escalate
> it on to Ofer to resolve.

Great. If you ever escalate a 'bias' or 'conflict of interest' issue to a 
project leader, and don't believe it's being properly addressed bring it up on the list.
If it's just a matter of personal opinion about a project direction, then 
it's up to the project leader to ultimately decide.

> Plus, it would be up to the various WAF vendors, including FOSS, to
> highlight if WAFEC is bias towards a particular vendor(s) feature or
> feature "x" is called feature "y" in their product during the Release
> Candidate (RC) period i.e. when the draft is published to a wider
> audience.

Precisely. No vendor wants marketing FUD from a competitor in a standard. 
So far WASC has been really good at avoiding this situation. People keep
each other in check in this way.

> I believe there is some merit in listing experienced end users as
> contributors because this demonstrates to the reader that WAFEC was
> created by end users for end users.  Vendors should also be listed as
> it demonstrates that their awareness of WAFEC.

We should include this in the final deliverable, end users don't 
really read the project lists. How this is to be represented can be 
discussed but is ultimately the decision of the project lead.

> On Sat, Jun 21, 2014 at 2:35 AM, Robert A. <robert at webappsec.org> wrote:
>> This email is nearly 5 years old, and honestly we don't care how people
>> speculate about us. We let facts dictate how we are observed.
> Unfortunately our reputation, although underserved and created by
> rumour represents our first impression.

We'll agree to disagree. WASC has not had nearly the drama of OWASP, and 
we're going to keep it that way. Facts dictate reality as far as I, and a 
few other WASC officers are concerned who I have spoken to this about.

> Hence the reason I have raised this now rather than when it becomes to
> late to address.

I really do appreciate the care you're putting in to making this a 
solid project. Please just remember we are a seperate organization than 
some of the others you've worked with and should be treated as such.

Robert Auger
WASC Co Founder/WASC Officer

More information about the wasc-wafec mailing list