[Owasp-leaders] Notice of Board Action
Kuai Hinojosa
kuai.hinojosa at owasp.org
Fri Feb 10 00:48:51 UTC 2012
I think Dinis makes some really good points here, especially with this
case setting a precedent. With that said, another good point is not
turning this into a fight but rather, let's keep the topic going and
find ways to make things better? Perhaps establish what criteria or
type of details we think should be documented and released in regards
to membership violation incidents? Process or format? I don't know,
just throwing some ideas out there, fwiw.
Kudos to the board for handling this case! I can imagine dealing with
incidents like these is probably NOT fun or the greatest of
experiences to go through for all parties involved, that is.
Kuai
On Thu, Feb 9, 2012 at 9:25 AM, dinis cruz <dinis.cruz at owasp.org> wrote:
> Michael, you (and I think the entire board) are still missing the point.
>
> I don't think anybody has any doubt that the board acted accordingly or that
> they were not diligent in their actions.
>
> My feeling (since I don't have real information), is that the board acted
> correctly ... up until the end.
>
> By not providing FULL details on what happened, and what decisions were
> made, the board is actually making a WORSE action than the ones done by
> 'He-Who-Must-Not-Be-Named'.
>
> I know these are hard words and I don't say them lightly.
>
> Having a closed trial, with no official information about WHO was affected
> and what actually happened (namely the 'offence'), is as far away from
> openness and transparency as you can be. Juan was right, when he said that
> it is understandable that during an investigation stage, some caution should
> be taken, BUT, after a decision is made, ALL, and I mean ALL, information
> must be made public.
>
> The board is actually missing a massive opportunity to set a good precedent
> (i.e. this is how OWASP handles the cases of owasp-leaders/members that have
> not acted accordingly to our values), and is instead creating an even worse
> precedent, which is 'the board's ability (by majority vote) to expel any
> owasp-leader/member without any accountability'.
>
> What you have to think is what happens next time! Now that we have this
> precedent.
>
> The irony of all this, is that this type of situation is one where MORE
> information is much better than less (or scattered) information.
>
> Just to be clear, I expect at least, a page in our Wiki that contains the
> full details of what happened in this case (like we did for the last two
> cases)
>
> There are also a number of practical problems of not disclosing You-Know-Who's
> name:
>
> What behaviour triggered this action? i.e. what did You-Know-Who actually
> do?
> Is You-Know-Who still an OWASP Leader?
> What happens if You-Know-Who joins a mailing list under his name? or
> another name? Can the list admin remove him?
> What happens if You-Know-Who behaves in a similar way on an OWASP mailing
> list, chapter meeting or conference?
> What happens if You-Know-Who continues to 'represent' owasp?
> What happens if another OWASP leader/member acts the way You-Know-Who did?
> How can we identify that behaviour?
>
> Although this is not a nice situation, I'm 100% with Dennis Groves in that this
> is one of the most important threads (on the topic of OWASP's culture) that
> we had for a while. It is as important for OWASP to define what it is, as it
> is to define what it isn't. And this is one of those moments where it matters
> to make one's voice heard.
>
> Btw, the whole legal threat is FUD of the highest order, and apart from the
> fact that I don't think that anybody on this list has actually got official
> legal advice on this topic (if you do, please show it), the ones that are
> worried about it, should think hard about what they are implying. Should OWASP
> really be prevented from talking about an issue (core to its values) due to
> the 'vague threat' of legal action? If so, we should close down the wiki and
> stop doing conferences (somebody might find out that they also have/teach
> 'offensive' techniques)
>
> Finally, let's not turn this issue into an internal fight. All that is
> asked is for more transparency and openness into a process that was
> (apparently) very well executed.
>
> Let's learn from the past, so that we don't repeat it in the future
>
> Dinis Cruz
>
>
> On 9 February 2012 00:03, Michael Coates <michael.coates at owasp.org> wrote:
>>
>> I'm happy to set up time to talk with those interested. We can hold a
>> meeting available to all or address at the board meeting.
>>
>> I wouldn't say things were performed in secret. The goal has always been
>> to professionally address the issue with respect for all parties involved.
>> The individual involved was provided an appeal to voice their opinions and
>> was able to invite anyone they wanted to be involved on their behalf. We're
>> also providing the entire course of events to the membership committee so
>> they can review and see how we can further refine this process with any
>> possible modifications. Clearly we hope it never needs to be used again.
>>
>> Lastly, the board meetings are open - always have been. This issue was
>> discussed during the board call and the votes are all publicly captured.
>> https://www.owasp.org/index.php/OWASP_Board_Votes
>>
>>
>> Since this thread has gotten long I did want to paste in the process that
>> was taken to again clarify the actions taken.
>>
>> The following actions were taken:
>> 1. Per OWASP ByLaws section 4.03 the board voted and passed the measure
>> with the required two-thirds vote
>> 2. The individual was notified and offered an opportunity to appeal the
>> board's decision
>> 3. The appeal was scheduled and all board members participated along with
>> the individual
>> 4. The board held a second vote based upon the material presented during
>> the appeal and concluded that the original measure to revoke membership
>> would be upheld
>>
>>
>> Glad that people are passionate about our organization and wanting to
>> ensure we're operating in the best methods possible. Sometimes this leads to
>> longer threads that interest some and not others, but they are often
>> important items.
>>
>>
>>
>>
>> Michael Coates
>> OWASP
>> michael.coates at owasp.org
>>
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
--
Kuai Hinojosa
OWASP Global Education Committee
OWASP (MSP) Advisory Board
OWASP (NYC/NJ) Board member
http://www.owasp.org/.