[Governance] Formal Complaint Against Josh Sokol

Christian Heinrich christian.heinrich at cmlh.id.au
Fri May 16 08:08:47 UTC 2014


On Fri, May 16, 2014 at 8:36 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
> I would request that Christian elaborate on what is either proprietary or
> sensitive regarding the statement I made on the Board list a month ago.
> Confidentiality agreements (of which I have none with Christian) are
> typically only binding until such time as the information has been publicly
> disclosed.  At the time of my notification of the Board and Martin (my
> fiduciary responsibility to the OWASP Foundation), all details disclosed
> were a matter of public record by virtue of it being a formal legal
> proceeding in Australian courts.  At no point did I share information that
> was either proprietary or sensitive as I do not have access to any
> information that is proprietary or sensitive on this matter.

Due to http://blog.diniscruz.com/2013/01/why-ndas-have-no-place-at-owasp.html
I never had an expectation that OWASP would agree to an NDA.

I cannot identify the public interest in revealing that Chris Gatford
and I are in court on a public mailing list which has a large
number of subscribers.

A "reasonable" person would consider attendance at court as "sensitive".

On Fri, May 16, 2014 at 8:36 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
> There was no service of a subpoena.  The original request was for me to give
> Christian confidential information relating to a phone call that I had
> conducted as part of a Board investigation.  There was no evasion or
> obstruction either, I simply let Christian know that OWASP would maintain
> confidentiality on this matter unless instructed by a court to do otherwise.
> And my "election to deal with the Australian courts" was due to my having
> the information that Christian was seeking.  So, yes, I told him that I was
> more than happy to speak with the Australian authorities on the matter.
> Christian first insisted that I give him the recording, then threatened
> OWASP with legal recourse if we did not give him the recording, then became
> insistent on an Australian address to deliver a subpoena to (of which we
> have none), then threatened to deliver it to Norman as the chapter leader.
> While the service of a subpoena is not harassment, the threats and bullying
> certainly were, and being contacted twice after telling him I considered it
> harassment and asking for it to stop showed a continued disregard for my
> feelings.

This is incorrect and was never my intention from the outset, including the
need to serve a subpoena on OWASP.

I had asked Josh to provide the "source" that Andre Ludwig referred to
within http://lists.owasp.org/pipermail/owasp-board/2010-June/008481.html,
from which the resulting Google Hacking Inquiry was conducted unfairly
in the public domain, and whether Chris Gatford had been provided a Google
Drive URL to download the conference call (I don't want the MP3 file
itself from OWASP).

Once this was disclosed then the subpoenas would be served to Chris
Gatford (if applicable) and OWASP would have no further involvement.

On Fri, May 16, 2014 at 8:36 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
> What Christian is actually asking for is a breach of the confidentiality of
> something that is actually confidential while accusing me of breaching
> confidentiality for something that is not.  I've made it clear to Christian
> from the beginning that I have the data that he is looking for and am happy
> to comply with a court order to provide it.  Christian, to date, has
> provided no such court order.  Christian is incorrect in that the OWASP
> ethics do not state openness and transparency, but they do state
> confidentiality, which I have maintained despite Christian's repeated
> threats, bullying, and now formal complaint.
> The path is clear and simple and Christian has already referenced it in his
> other e-mail.  The Hague Convention provides for the proper procedure for
> subpoena of a foreign party.  I would be more than happy to comply with the
> law.  I am not, however, compelled to comply via intimidation.  I have
> apologized for what I believe may have been misunderstandings of the
> situation, and certainly not intentional, but I fail to see any breach of
> the OWASP Code of Ethics that Christian has stated nor implied.

Refer to https://www.owasp.org/index.php/Suggested_Core_Values_Emails
for "radical transparency".

The other companies based in the USA have been willing to informally
respond to the subpoena if it was issued by a court outside of their

I await the reply from Perlman & Perlman LLC

Christian Heinrich

