[Global_conference_committee] [Global_chapter_committee] [Global_membership_committee] Conference/Chapter Revenue Splitting

Kate Hartmann kate.hartmann at owasp.org
Wed Dec 22 09:26:53 EST 2010

Tin, I am really not picking on you, individually, but need to really speak
up on this subject since it is a very critical one for the foundation as an


Tin, please be careful when you bring in phrases like, "this is the core of
the matter here."  Really, I disagree with that statement.  The idea is not
that simple - guilt.

We are working on a global solution to the chapter funding.  Not every
chapter can host an AppSec and the regional events do not bring in that much
revenue.  We need to think about the message we send to EVERYONE.

Hosting an AppSec or any conference should really not be about the money.
In fact, until very recently, the local chapter did not receive ANY split
and we still had lots of chapters asking to host the conference.  In 2008,
as a result of the first Summit, the Membership model was modified to
provide local chapters a 40% share of incoming membership fees.  This means
that a corporate supporter attached to a local chapter would generate $2K.
There are many chapters who have used this "seed money" to drive membership,
participation, and bring in additional chapter revenue through corporate


Looking at the first paragraph about OWASP on the website, at the mission
of OWASP, it reads:  


"The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit
worldwide charitable organization focused on improving the security of
application software. Our mission is to make application security visible,
so that people and organizations can make informed decisions about true
application security risks. Everyone is free to participate in OWASP and all
of our materials are available under a free and open software license. "


It is MY OPINION based on what I have seen Globally, energy spent on
Membership is more financially rewarding in the long term, and, hour for
hour, provides a greater return on investment.  The profits for an AppSec
conference are really the result of turning the membership relationships
into sponsorships.  


Tin, really, I challenge you to look at the sponsorship revenue from AppSec
US and point to the local companies that stepped up to sponsor the event.
Most of them are Corporate sponsors at the foundation level that I was able
to connect with to generate sponsorship for the event.  Additionally, it was
the mailing lists created by the foundation and the blasts that generated a
good portion of the attendance for the conference. 


The conferences committee is debating an opportunity to essentially reward
the local chapter for their investment in time with the equivalent of 2 or 3
corporate membership splits as funds to continue the efforts in that region.
One of the proposals on the table is to use the remaining split of the
profits to assist other, smaller, newer chapters who otherwise would not
have the funds to secure a venue, print flyers, bring in speakers, or find
other ways to promote OWASP.

I am sorry if it seems like I'm being harsh on you.  I see OWASP from the
center and therefore very often try to find a compromise that benefits the
entire organization.


Kate Hartmann

Operations Director


www.owasp.org

Skype:  Kate.hartmann1


From: global_conference_committee-bounces at lists.owasp.org
[mailto:global_conference_committee-bounces at lists.owasp.org] On Behalf Of
Tin Zaw
Sent: Tuesday, December 21, 2010 10:47 PM
To: Mark Bristow
Cc: global_chapter_committee at lists.owasp.org; Eoin; Lucas Ferreira;
Global_membership_committee at lists.owasp.org; global_conference_committee
Subject: Re: [Global_conference_committee] [Global_chapter_committee]
[Global_membership_committee] Conference/Chapter Revenue Splitting


Mark, you do not need to snip anything. I said it on the record and I stand
by it.


And I agree, OWASP's needs come first, hence 75% of the proceeds, and the
local chapter's needs come second, hence 25% of the proceeds. In this case,
the local chapters over-fund OWASP, not the other way around.


After such split, with OWASP being first, local chapters should have certain
freedom, within OWASP guidelines, on how they allocate their funds. They
should not feel guilty for it. In case it is not noticed, this is the core
of the matter here. 


As I mentioned for the Summit cost, I am willing to negotiate, and I believe
Kate and Dinis have made some good arguments on why spending chapter funds
for the Summit is a good idea.

We could go a long way if we all collaborate.





On Tue, Dec 21, 2010 at 6:52 PM, Mark Bristow <mark.bristow at owasp.org> wrote:

This to me is a great example of why we should not over-fund chapters....


Some context, this chapter is proposing that, even tho they have ample funds
to send some of their leaders to the summit, that they split the cost 50/50
with the foundation even after Tom's call for "donations" to the summit fund
from local chapter funds.  Clearly the summit is a huge priority for OWASP,
however in the isolation of this chapter, it's not as important.



As for local chapter funds, I have not been informed of, nor do I subscribe
to the notion that funds are to be used for next calendar year. Our plans
for chapter funds are for 2011 and beyond, with recognition that we will not
be hosting AppSec -- and enjoy its proceeds -- anytime soon. Our current
plans include more local outreach, support for local university chapters,
and potential rental expenses for chapter meetings or mini-conferences when
we outgrow space. In addition, I plan to leave the chapter in a better
financial shape when I step down one day.


I hope my points are understandable. I also understand that OWASP plans to
bring as many people as possible, and if and when it comes down to financial
necessity, I am willing to negotiate other options.



While I've snipped out the bits that identify the chapter, the message is
almost perfectly intact.  It's pretty clear to me that the foundation could
really use some of these funds currently, however the chapter disagrees and
therefore we have to hunt for funds elsewhere.


I agree it's a TON of work to organize a conference, I've done it directly 2
years in a row.  But the motivation for doing so should not be a financial
one and the needs of the foundation should always come first, because in the
end, it was an OWASP event, not a chapter one.


On Sun, Dec 19, 2010 at 2:58 AM, dinis cruz <dinis.cruz at owasp.org> wrote:

The Samy tour is a great example of what happens when you remove from the
Chapters the responsibility to make the initial decision (and some of the
financial cost).


John's email below is spot on, when I talk about 'financial paralysis' and
the inability from our chapter leaders to spend (or ask) for money, that is
exactly what I'm talking about. If (in the current model) John W. doesn't
feel comfortable in asking for money, then who is?

Our current OWASP culture, doesn't promote a 'spending proactivity' of our
projects and chapter leaders. In fact, it is not even enough to say 'here is
money, we trust you, go and spend it' (as we see with the 30k allocated to
Projects, Committees and Chapters which has barely been used). 


I think that this is a reflection of the normal non-OWASP world where there
are always very strong controls on the use of financial resources.


Add to that a "I don't need the headache of having to justify why I need the
money" to a "If I'm doing this for OWASP and I have the track record, why
should I even have to justify it" to a "I really like OWASP and don't want
to spend the resources badly"  to a "What are the rules for engagement if it
doesn't work out as well as I would like it to?" you have a perfect storm
for inaction.

Dinis Cruz


On 17 December 2010 12:21, John Wilander <john.wilander at owasp.org> wrote:

Gosh, some heavy emailing going on here.


Just a short one to answer Mark's request for examples of chapters being
denied funding.


I think this is not a case of chapters asking for money and being denied. No
such examples to my knowledge. I think the case is "we have no money so we
don't do X and Y". Chapters don't feel empowered or comfortable to write an
email to Mark or Kate and ask for $. Instead they strive in mediocracy and
skip doing better events.


In concrete terms ... Samy Kamkar's talks at several European chapters were
a huge success. But they were not initiated by empowered chapters. It was a
central OWASP initiative with a central funding solution in place. Now OWASP
Sweden wants to pursue this path and invite Mario Heiderich, Gareth Heyes,
Dinis Cruz etc. Great! But have we written an email to Mark yet? No. Not
even I, being a member of the GCC, feel comfortable asking for the
foundation's money to run a local event.


In this case OWASP Sweden actually has money. Why? Because we got a share of
the revenue from OWASP AppSec in Stockholm. So we're going to fly Mario
Heiderich in and build upon the success with Samy. We already have more than
500 members and we asked them what we should use the chapter's money for.
Answer: More international experts giving talks and tutorials. This is what
the chapter members want.

(Of course we will try to find sponsors to lower the chapter's costs and we
will try to cooperate with OWASP Finland and Norway so we can share travel


   Regards, John



2010/12/16 L. Gustavo C. Barbato <lgbarbato at owasp.org>


I also defend the idea of collaboration between chapters in order to achieve
great conferences results - when I say collaboration I do mean collaborate
<http://dictionary.reference.com/browse/collaborate>  (to work, one with
another; cooperate, as on a literary work), in other words, without having
profits in mind. 

However, aiming to compensate the collaboration on conferences and have a
fair support of OWASP, I do defend the idea of having conferences in
different cities yearly according to local chapters locations. Nevertheless,
we can't forget the hard work necessary of local chapters to host a
conference -- I know that because after the AppSec Brazil 2010 (last month),
I don't stop thinking and working on AppSec 2011 -- it's already being

L. Gustavo C. Barbato, Ph.D.
Chapter Leader, OWASP Porto Alegre / Brazil 
Global Chapter Committee Member

On 12/15/2010 12:29 PM, Mark Bristow wrote: 

Comments forwarded on Lucas's behalf (he's on vacation and can't send as the
right user.....) 



I don't like the idea of having one chapter getting so much more funds than
others. For AppSec Brasil, we will have people from multiple chapters
involved and it would not be nice to have one chapter getting all the
money. Having to decide a split amongst chapters would need energy
that could be better used somewhere else.

In principle, I don't like the idea of having chapters "fighting" for
money, and we may have this in the future if the chapter split is too
high. I'm afraid collaboration may decrease in the long run. On the
other hand, I'd like to see a solution that increases the involvement
of chapter leader in our conferences, specially to have people from
different chapters to collaborate in conference teams.

I think that having many chapters with some money is better than
having a few chapters with a lot of money. I think we should invest
more in getting more active chapters than making a few chapters more

The fund idea seems a good solution to me.



On Tue, Dec 14, 2010 at 7:19 PM, Neil Matatall <neil at owasp.org> wrote:

Well this thread has become epic and unfortunately I haven't been able
to catch all of the ideas.  I really hope I can catch up, but why
don't we have a conference call or discuss this at the summit (those
not in attendance will have to be accommodated somehow)?

Times like these make me wish my phone had a "threaded" email view :(

On Tue, Dec 14, 2010 at 12:13 PM, Jason Li <jason.li at owasp.org> wrote:
> So taking Michael's suggestion of starting fresh, I've cleared the long
> quote of the thread.
> As an observer to the thread, I'm going to capture what I think has been
> mentioned so far on the thread.
> And then I'll weigh in with my humble opinion, keeping in mind that I am
> involved in the Conferences Committee, Membership Committee, Chapter
> Committee, or the Board (in other words, I'm a nobody in this conversation
> :)).
> ----
> Summary of Problem:
> Where does Conference revenue go?
> Points of Concern:
> 1) Conferences are put on with the assistance of local chapters and
> coordination/support from the OWASP mothership
> 2) We want a way to reward local chapters for their help with
> running/coordinating a conference
> 3) We want conference attendees the option to get OWASP Memberships
> in with the conference
> 4) Chapters need money to do things
> -------
> Now with that out of the way, my personal thoughts:
> #4 is completely independent of Conference revenue. There are lots of
> OWASP sectors that also need money to do things (Projects and Summits for
> example). If there is a need for Chapters to do something, then this
> be allocated out of the main OWASP mothership budget and not out of
> Conference revenue.
> In my view, conference revenue should go to one of three places:
> 1) OWASP Mothership fund (where the Board can then re-allocate as needed
> support Chapters or other initiatives as appropriate)
> 2) Local Chapter(s) supporting the conference (in order to recognize their
> support)
> 3) Conferences fund managed by the Conferences Committee
> I'm not even sure if #3 is really necessary as that could also fall under
> #1.
> The only real debate is what proportion of the revenue should go into
> bucket. That's where I believe this debate originally started. All this
> other talk about chapter needs and a chapter fund has clouded the
> discussion.
> -Jason

> _______________________________________________
> Global_conference_committee mailing list
> Global_conference_committee at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/global_conference_committee




Mark Bristow
(703) 596-5175
mark.bristow at owasp.org

OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
AppSec DC Organizer - https://www.appsecdc.org

Global_chapter_committee mailing list
Global_chapter_committee at lists.owasp.org


John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com

Co-organizer Global Summit, http://www.owasp.org/index.php/Summit_2011

Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee




Chapter Leader and President, OWASP Los Angeles Chapter
Google Voice: (213) 973-9295
LinkedIn: http://www.linkedin.com/in/tinzaw
