Here are his words (slightly edited, since the original version was commenting on the previous version, which had a couple of extra OWASP-membership-related items):
"...To my knowledge, this is the first OWASP project that has attempted a financing model. It is important for us (OWASP leaders) to be open and communicate the correct ways for OWASP projects to offer services that are not free. Below I've included the OWASP principles and my thoughts on their relation to Dinis's idea.
OWASP Principles - http://www.owasp.org/index.
Free & Open
As Dinis mentioned, his code is open to everyone at no charge. The O2 tool can be downloaded and used without paying any of the subscription fees. No problem here.
Governed by rough consensus & running code
Not relevant to this issue except that the overall consensus of the OWASP leaders should be considered.
Abide by a code of ethics
No problems here.
OWASP itself is not for profit. But what about individual projects? The O2 project is rightfully (in my opinion) charging for Dinis's time to offer premium support to commercial customers. Many of us, Dinis included, volunteer large amounts of time to OWASP. However, volunteering and providing commercial-grade support are two totally different things. This is a fine move in my opinion. Many companies will not adopt open source software if a formal support policy cannot be established. So although I don't personally have any problems here, how do we reconcile this situation with our principles? Perhaps the answer is related to point #2 (rough consensus) and this sort of email discussion.
Not driven by commercial interests
Although O2 technically would become "commercial" in a small way, I don't see any problem here. This item is meant to address the overall objectivity of OWASP in always promoting the best security advice that is not tainted by a particular company's motivation.
Risk based approach
Not a problem. In fact O2 reinforces this principle.
Overall I think Dinis's approach to a subscription model for support is not a problem. This model is used by other open source organizations such as red hat (https://www.redhat.com/wapps/
- I support Dinis's plan to offer a subscription service for commercial support of O2 and believe this type of model is necessary to take OWASP projects to the next level.
- I believe this is in line with OWASP principles.