Simon,
I know that this really has nothing to do with ZAP, the product per se, but it has everything to do with ZAP, the development process which of course directly affects the product, ZAP.
What am I talking about? I am talking about the magic of how you have kept so many developers engaged over the past 10+ years or so, all during the time when OWASP ESAPI and many thousands of other FOSS projects were begging to find help. So many FOSS projects get abandoned, long before 5 years. (I think I read that it was close to 50%.)
I recall the halcyon days of ESAPI. When I first joined there was great excitement. ESAPI had at least a half-dozen core developers who were working on getting ESAPI 2.0-RCsomething out the door. Besides those 6 or so core developers, we also had another 4-6 developers making substantial contributions on a part-time basis. But as soon as the official 2.0 release went GA and was uploaded to Maven Central, pretty much everyone stopped regularly participating except Jim Manico, Chris Schmidt, and myself. And shortly after that, Manico left and Chris stopped contributing and I was the only one making regular commits but could get no help doing a release. (No one had left instructions on how to do releases either and Chris stopped answering my emails because he was busy with a new company and I think his wife grew ill.) No one is to blame, but ESAPI almost completely died off during that time.
Anyway, what I'd really LOVE to see at your first ZAPCon is a retrospective look back as to what made ZAP work and why you think people remained so committed to it when so many other FOSS projects are totally abandoned after just a few years. Commitment from you and your company's sponsorship no doubt helped immensely, but we both know that that alone is not enough to carry forth a FOSS project (unless it is really small) and make it as successful as ZAP. (I mean, ESAPI tried GSoC a few times as well, but never drew any interest.)
So, as a fellow OWASP comrade and FOSS participant, I know we'd all love to hear your wisdom and perspective of what made ZAP so successful. Because in my opinion, it is head and shoulders above every other OWASP flagship code project.
Anyway, something to think about. I am thinking of writing up a "lessons learned" on ESAPI in the not-too-distant future (after my taxes are filed), but that mostly will be a story of a project gone wrong and things to avoid rather than an inspiring story like ZAP. And during this depressing pandemic, I think we could all gain some measure of hope from an inspiring success story like ZAP.
Thus, I hope you or some other long-time core ZAP developer will consider it for ZAPCon.
Thanks,
-kevin
P.S.- If you feel this is not off-topic or otherwise inappropriate, feel free to repost to your mailing list if you wish. I just figured it was mostly OT.