[Owasp-leaders] Notice of Board Action
dinis cruz
dinis.cruz at owasp.org
Thu Feb 9 14:25:32 UTC 2012
Michael, you (and I think the entire board) are still missing the point.
I don't think anybody has any doubt that the board acted accordingly or
that they were not diligent in their actions.
My feeling (since I don't have real information), is that the board acted
correctly ... up until the end.
By not providing FULL details on what happened, and what decisions were
made, *the board is actually making a WORSE action than the ones done by
'He-Who-Must-Not-Be-Named'.*
I know these are hard words and I don't say them lightly.
Having a closed trial, with no official information about WHO was affected
and what actually happened (namely the 'offence'), is as far away from
openness and transparency as you can be. Juan was right, when he said that
it is understandable that during an investigation stage, some caution
should be taken, BUT, after a decision is made, ALL, and I mean ALL,
information must be made public.
The board is actually missing a massive opportunity to set a good precedent
(i.e. *this is how OWASP handles the cases of owasp-leaders/members that
have not acted accordingly to our values*), and is instead creating an even
worse precedent, which is *'the board's ability (by majority vote)
to expel any owasp-leader/member without any accountability'.*
What you have to think is what happens next time! Now that we have this
precedent.
The irony of all this, is that this type of situation is one where MORE
information is much better than less (or scattered) information.
Just to be clear, I expect at least, a page in our Wiki that contains the
full details of what happened in this case (like we did for the last two
cases <https://www.owasp.org/index.php/Category:OWASP_Inquiry>)
There are also a number of practical problems of not disclosing *You-Know-Who*'s
name:
- What behaviour triggered this action? i.e. what did *You-Know-Who* actually
  do?
- Is *You-Know-Who* still an OWASP Leader?
- What happens if *You-Know-Who* joins a mailing list under his name?
  or another name? Can the list admin remove him?
- What happens if *You-Know-Who* behaves in a similar way on an OWASP
  mailing list, chapter meeting or conference?
- What happens if *You-Know-Who* continues to 'represent' owasp?
- What happens if another OWASP leader/member acts the way *You-Know-Who*
  did? How can we identify that behaviour?
Although this is not a nice situation, I'm 100% with Dennis Groves in that
this is one of the most important threads (on the topic of OWASP's culture)
that we had for a while. It is as important for OWASP to define what it is,
as it is to define what it isn't. And this is one of those moments where it
matters to make one's voice heard.
Btw, the whole legal threat is FUD of the highest order, and apart from the
fact that I don't think that anybody on this list has actually got official
legal advice on this topic (if you do, please show it), the ones that are
worried about it, should think hard about what they are implying. Should OWASP
really be prevented from talking about an issue (core to its values) due to
the 'vague threat' of legal action? If so, we should close down the wiki and
stop doing conferences (somebody might find out that they also have/teach
'offensive' techniques)
Finally, let's not turn this issue into an internal fight. All that is
asked is for more transparency and openness into a process that was
(apparently) very well executed.
Let's learn from the past, so that we don't repeat it in the future.
Dinis Cruz
On 9 February 2012 00:03, Michael Coates <michael.coates at owasp.org> wrote:
> I'm happy to set up time to talk with those interested. We can hold a
> meeting available to all or address at the board meeting.
>
> I wouldn't say things were performed in secret. The goal has always been
> to professionally address the issue with respect for all parties involved.
> The individual involved was provided an appeal to voice their opinions and
> was able to invite anyone they wanted to be involved on their behalf.
> We're also providing the entire course of events to the membership
> committee so they can review and see how we can further refine this process
> with any possible modifications. Clearly we hope it never needs to be used
> again.
>
> Lastly, the board meetings are open - always have been. This issue was
> discussed during the board call and the votes are all publicly captured.
> https://www.owasp.org/index.php/OWASP_Board_Votes
>
>
> Since this thread has gotten long I did want to paste in the process that
> was taken to again clarify the actions taken.
>
> The following actions were taken:
> 1. Per OWASP ByLaws section 4.03 the board voted and passed the measure
> with the required two-thirds vote
> 2. The individual was notified and offered an opportunity to appeal the
> board's decision
> 3. The appeal was scheduled and all board members participated along with
> the individual
> 4. The board held a second vote based upon the material presented during
> the appeal and concluded that the original measure to revoke membership
> would be upheld
>
>
> Glad that people are passionate about our organization and wanting to
> ensure we're operating in the best methods possible. Sometimes this leads
> to longer threads that interest some and not others, but they are often
> important items.
>
>
>
>
> Michael Coates
> OWASP
> michael.coates at owasp.org