[Owasp-leaders] Notice of Board Action

Matt Tesauro matt.tesauro at owasp.org
Wed Feb 8 08:06:40 UTC 2012


First, let me say that I fully support Michael's statement.  While he may
have sent that email, it was after much discussion with the board and
consensus with its content.

As to your point #1 below, here are my thoughts:
[snip]
I also wonder (as Dinnis) what does revoke membership means?
[snip]
Without a doubt, OWASP is open.  That said, over the years I've been
involved with OWASP, membership has increased from a nice way to say
"thanks" to the OWASP foundation to a growing list of benefits.  Off the
top of my head (and therefore likely to be missing some) membership
includes:
* use of an @owasp.org email address
* discounts to partner events, conferences, trainings, etc.  Mark just
posted "AppSecDC free admission & training for OWASP" to the leaders list
today.
Revoking membership would remove the above plus:
* no longer allowed to be a chapter leader or project leader
* no longer a member of the OWASP Leaders list (please don't
underestimate the worth of reaching out to the enormous knowledge base that is
this list)
(other possible sanctions could include items such as)
* disqualification from CFT/CFP for Global or Regional AppSec events
* disqualification from renewing membership for a period of time (e.g. 24
months)
Have all these details been fully vetted, documented, posted to the wiki?
Nope, not yet. Please remember that this decision is very fresh and the
board and committees are going to take this opportunity to best resolve
this for today _and_ tomorrow. I can definitely say that I'd prefer to
spend my time and focus on making OWASP even better than spending time that
does not further OWASP's mission of making security visible.  However, from
time to time, there are tough decisions to be made and precedent set.

Fundamentally, this organization needs to maintain a controlled chaos, an
environment where there is enough structure to ensure it continues on into
the future but not so much that smothers the inventive, creative and
passionate minds that make up the community.  I don't think we've found
that balance entirely but we continue to improve year after year.

[snip]
I have never paid an individual membership (yet I have indirectly donated
greater amounts via sponsorship of OWASP Mexico events every year) so I
guess my non existing membership is not subject to revocation?
[snip]
Agreed that you can be an active participant in the OWASP community without
ever officially becoming a member.  "O" is for Open after all.  As
noted above there are some benefits to membership currently.  Also, the
membership committee has been working to untie that very tricky knot - in
such a way that non-financial contributions can be recognized in some
fashion.  This is in addition to figuring out how to make memberships more
Global and not strictly US-centric.  Some early work on non-financial
contributions was done for the last Summit and the honorary membership idea
also grew out of this.  Many of the pitfalls we found trying to determine
contributions highlighted areas where, operationally, OWASP was weak.
Using Salesforce/RegOnline to track memberships in a unified and
scalable fashion has helped in many ways.  The truth of it is that the
vast majority of us are volunteers and human, therefore imperfect.  However,
I'm confident that with every iteration, OWASP grows into a stronger, more
Global and scalable organization.

[snip]
I guess then some level of respect should be expected for OWASP
“contributors” as (I indirectly understand) on Ethic value on OWASP Values?
And if so how offensive actions will be managed? BTW there is in OWASP
Values or Core Values page displaying the official values set to the public.
[snip]
The power of OWASP is in its community.  For a community to continue to
thrive, some level of respect, civil behavior and general courteousness is
required.  The "About OWASP" wiki page lists our Core Values, Core Purpose,
Code of Ethics and Principles:
https://www.owasp.org/index.php/About_OWASP
I also wrote a draft "Code of Conduct" to start the discussion with the
membership committee.  (Please don't confuse this with the OWASP Codes of
Conduct _Project_ - that's something completely different).

There have been a couple of times where the community has raised concerns
to one of the Global Committees or the Board.  For those that the group
(committee/board) determined had sufficient merit, inquiries/investigations
were conducted and results documented.  I coordinated the first "formal"
one of these to my knowledge.  While it is true that some minor
deficiencies or misunderstandings were found, the cost of these results
was many volunteer hours diverted from positive activities.  And for those
involved, no matter their level of guilt or innocence, lingering negative
feelings were inevitable.

So please understand that I personally, and I suspect the board shares the
view, that I'd prefer to keep my contributed time focused on positive
outcomes and enhancing the community and the foundation.  I am willing to
do the less-than-glamorous work (or else I'd never have run for the board)
but feel compelled to warn the community that dwelling on the negative is a
cancer which can weaken and destroy formerly vibrant communities.
Criticism is great - but should be in a positive and respectful fashion
that helps to strengthen OWASP.

Jim Manico called out a quote I made a while back that I fervently believe:
"I want to make sure my kids can be part of OWASP."  This is only going to
come to pass if we rally as a community and focus on how to make OWASP even
better than it is today.

Now I must go to bed so I can maybe get a couple hours of sleep in before I
head to work.

Cheers!

--
-- Matt Tesauro
OWASP Board Member
OWASP WTE Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site


On Tue, Feb 7, 2012 at 9:50 AM, Juan Carlos Calderon Rojas <
juan.calderon at softtek.com> wrote:

> This is a very sensitive topic, and I think open it for leaders discussion
> was a very good idea, so small borders can be polished. I agree with the
> need for something like this for these special cases, openness should not
> conceal disrespect or dishonesty.
>
> Eoin/board, I have a couple of doubts:
>
> 1. I also wonder (as Dinnis) what does revoke membership means?
> I have never paid an individual membership (yet I have indirectly donated
> greater amounts via sponsorship of OWASP Mexico events every year) so I
> guess my non existing membership is not subject to revocation? I guess then
> some level of respect should be expected for OWASP “contributors” as (I
> indirectly understand) on Ethic value on OWASP Values? And if so how
> offensive actions will be managed? BTW there is in OWASP Values or Core
> Values page displaying the official values set to the public.
>
> 2. Personally I think this process should be treated like law
> enforcement, make it available only for the concerned parts while it is in
> progress to not affect any reputation while all parts are listened and once
> a decision is taken it should be made public (At least that is what happens
> in Mexico’s legal system). Not sure about showing or not names, that is
> very hard for me to discern.
>
> Because, if not openly public (due to inherent privacy concerns) where are
> these decision outcomes would reside. I mean, 20 years from now when
> someone wonders why John Doe membership was revoked from OWASP and the
> board was gone for long time, where would the basement to make that
> decision will remain?
>
> Regards,
>
> Juan C Calderon
>
> From: owasp-leaders-bounces at lists.owasp.org [mailto:
> owasp-leaders-bounces at lists.owasp.org] On Behalf Of Eoin
> Sent: Tuesday, February 07, 2012 9:10 AM
> To: Castle, Dale (dc9pc)
> Cc: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] Notice of Board Action
>
>
> Thanks guys.
> Very happy you agree with our approach.
>
> On 7 February 2012 15:04, Castle, Dale (dc9pc) <dc9pc at virginia.edu> wrote:
>
> I agree with Jason’s comment. We have open standards and open elections,
> but I don’t think it’s necessary to publicly embarrass volunteers.
>
> Dale Castle
> OWASP Charlottesville Chapter Founder and Leader
>
> From: owasp-leaders-bounces at lists.owasp.org [mailto:
> owasp-leaders-bounces at lists.owasp.org] On Behalf Of Jason Alexander
> Sent: Tuesday, February 07, 2012 7:22 AM
> To: daniel.cuthbert at owasp.org; eoin.keary at owasp.org
> Cc: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] Notice of Board Action
>
> I think some decorum is required. Ask yourself if knowing the details will
> be a benefit to you and your owasp chapter/project etc.
>
> Jason Alexander
> OWASP Chapter Founder And Leader
> Twitter: 0wasp
> Sent From My Samsung Droid Phone
>
> daniel cuthbert <daniel.cuthbert at owasp.org> wrote:
>
> So if that's the case, surely the "we've done something that we wanted you
> to all know but won't mention who/what in order to keep privacy" approach
> wasn't really fitting.
>
> I'm confused.
>
> On 7 February 2012 11:50, Eoin <eoin.keary at owasp.org> wrote:
>
> Hi Dinis,
>
> Should we not respect people's privacy?
> I don't think it is fair to name the individual(s) involved.
>
> Point to be made is that we (the board) are trying to maintain OWASP as a
> fun organisation to work with and we can not tolerate activities which may
> upset or offend other members of the organisation. We are open, but also
> sensitive to life outside of OWASP.
>
> -ek
>
> On 7 February 2012 10:00, dinis cruz <dinis.cruz at owasp.org> wrote:
>
> Humm, who is this for?
>
> Can you provide more details on what happened?
>
> Since we are an open organization, all details about issues like this must
> be published in our wiki. Is there a page I'm missing?
>
> Dinis Cruz
>
> On 6 February 2012 21:06, Michael Coates <michael.coates at owasp.org> wrote:
>
> OWASP Leaders,
>
> OWASP is an open organization that values the time and contributions of
> all of our volunteers.  As your elected board it is our goal and
> responsibility to foster the community and OWASP platform upon which we all
> pursue the OWASP mission.
>
> At times it is necessary for the board to evaluate specific situations and
> make difficult decisions that are necessary to uphold the values of our
> organization.  In the spirit of our open organization, today I am writing
> all leaders to make you aware of a recent board decision to revoke the
> membership of an individual.  This is not a decision we take lightly and
> have given it significant consideration.
>
> The following actions were taken:
> 1. Per OWASP ByLaws section 4.03 the board voted and passed the measure
> with the required two-thirds vote
> 2. The individual was notified and offered an opportunity to appeal the
> board's decision
> 3. The appeal was scheduled and all board members participated along with
> the individual
> 4. The board held a second vote based upon the material presented during
> the appeal and concluded that the original measure to revoke membership
> would be upheld
>
>
> This matter is being brought to the attention of the leaders list as we
> believe it is important to be open in all actions of the organization.  On
> that same token, I also encourage people to handle this issue with the
> appropriate level of sensitivity and respect for those involved.
>
>
>
> Michael Coates
> OWASP
> michael.coates at owasp.org
>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
> --
> Eoin Keary
> OWASP Global Board Member (Vice Chair)
>
> https://twitter.com/EoinKeary