Well I don't know what you mean by rubbish, but I think you have misunderstood an earlier post The post with 'the position name :' is meant to be read as if that role is saying it. It is about where the time goes, and it varies depending upon who is talking OpenSource CARTS (<-- note not open source operating systems or development tools) are perhaps the least secure, then come off the shelf carts, because again you can get at the source or disassemble it and they have many installs. Bespoke done well is the most secure in this way, but done badly sure you can fuzz stuff out but that tends to trip IDS. Many eyes argument, have you looked at source code and identified security problems and then sent them up stream? Many eyes argument got blown out with OpenSSL in Debian, and that is something you would expect to get more attention. Crackers look at source code, because they can use those vulnerabilities, same with pen testers but neither send upstream to get it fixed because their revenue stream is based on it. In fact some security researchers have been muzzled for their efforts of talking about specific compromises. 2K I think is too low, you might get it done on a favour, and then perhaps just to test the waters with a site with the items, basic layout and all content supplied by client, but not the account, basket and payment gateway integration functionality. You will need more in the kitty to go forward and should budget for that. It sounds like you have had some problems with agencies, and yeah sure they are not set up for the smaller player, they are there for the big player and corps. Though corps often hirer smaller developers, tends to be for close relationship, lot have moved their IT systems inhouse, and prefer control over the development cycle and code base. A lot of the agencies also use software developers, so yeah if you can get to the people then you don't pay middle man fees.