<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>+1</div><div>Recent behaviour has been very myopic and destructive in the name of "openness".</div><div><br><br>Eoin Keary<div>Owasp Global Board</div><div>+353 87 977 2988</div><div><br></div></div><div><br>On 21 Jun 2014, at 15:00, Tobias <<a href="mailto:tobias.gondrom@owasp.org">tobias.gondrom@owasp.org</a>> wrote:<br><br></div><blockquote type="cite"><div>
  
  
  
    <div class="moz-cite-prefix">Hi all, <br>
      <br>
      I agree with Bil. <br>
      <br>
      First, some general information from my perspective as a board
      member. <br>
      Looking at my sent folder. The vast majority of my OWASP email is
      public. And I figure the same is true for all board members. About
      95% of my outgoing email that I initiated, is to or cc to lists,
      which means it is public. <br>
      Some months ago it was even higher. <br>
      <br>
      There are certain email exchanges that have to be done in private,
      or that have been initiated in private and it is not my right to
      disregard the sender's rights for a private conversation and drag
      them into public view in all details and potentially cause
      reputation damage to others by doing so. <br>
      <br>
      Openness is our goal, but I will firmly stand for, that the
      protection and vital rights of individuals are superior to the
      demand for openness. And especially our staff deserve our full
      support and protection. Discussing some of their internal concerns
      in the public is simply unfair and inappropriate. Just think about
      that there may be personal reasons for certain things, and it is
      just not fair to demand from our staff to accept dragging personal
      aspects of their lives out into the public just because they work
      for OWASP. <br>
      <br>
      Again, let me be clear: the vast vast majority of all emails from
      me as board member is already on public lists. The default is
      already to have conversations public, unless there are reasons not
      to. <br>
      And I believe all current board members already follow that
      guideline. <br>
      <br>
      If Dinis wishes that we should be "radically" open about the
      remaining few percent, I am not in support of that. <br>
      <br>
      And to go one step further: looking at Dinis's recent behaviour, I
      believe that his idea of "radical openness about everything" as
      Dinis is currently practising it, is disrespectful to other human
      beings, harmful to others and amounted in certain cases to slander
      and is against our code of ethics. <br>
      <br>
      Btw. I will be at AppSecEU and will be happy about conversations
      on all topics in person there - which may be in public or not - as
      chosen by the people I talk with. <br>
      <br>
      Best regards, Tobias<br>
      <br>
      <br>
      Global Board Member<br>
      <br>
      <br>
      <br>
      On 21/06/14 14:01, Bil Corry wrote:<br>
    </div>
    <blockquote cite="mid:029601cf8d50$e4e02a70$aea07f50$@owasp.org" type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:black">Hi
            Dinis,<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:black"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:black">I
            am not familiar with the nature of the conversations between
            board members and staff, but my own thought is that email
            communication that happens outside of a public list should
            be considered private, as that is the expectation that most
            people have with email.<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:black"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:black">If
            we want board member communication public, then perhaps a
            new public list can be created that can be copied on for all
            communication deemed to be public.  Or perhaps new email
            addresses for the sole purpose of business communication are
            created.  Otherwise, I'm not sure how to disambiguate
            private/personal messages from official duty messages, nor
            how to even provide access to those messages.<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:black"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:black">Hopefully
            others will chime in.<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:black"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:black">As
            for employee reviews, unless the employee chooses to make it
            public, it should be confidential.  Requiring the employee
            to consent to making their performance review public as a
            condition of employment would have to be reviewed by an
            attorney – I doubt this is possible, otherwise employers
            would coerce employees to sign away a variety of rights.<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:black"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:black">-
            Bil<o:p></o:p></span></p>
        <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial","sans-serif";color:black"><o:p> </o:p></span></p>
        <p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
            Dinis Cruz [<a class="moz-txt-link-freetext" href="mailto:dinis.cruz@owasp.org">mailto:dinis.cruz@owasp.org</a>] <br>
            <b>Sent:</b> Friday, June 20, 2014 6:58 AM<br>
            <b>To:</b> Bil Corry<br>
            <b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:governance@lists.owasp.org">governance@lists.owasp.org</a><br>
            <b>Subject:</b> Re: [Governance] Transparency Policy<o:p></o:p></span></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <div>
          <p class="MsoNormal">Hi Bil, I really like the view that '<i>The
              rule of thumb for transparency is to default all
              information as public,' </i>since that is exactly how I
            view it.<o:p></o:p></p>
          <div>
            <p class="MsoNormal"><o:p> </o:p></p>
          </div>
          <div>
            <p class="MsoNormal">So for example, where would you put
              communications between 'OWASP employees with OWASP Board
              Members' and 'OWASP employees and OWASP Leaders'? Taking
              the view that all information should be public, there
              should be very few exchanges between these two groups that
              would happen in private, right? <o:p></o:p></p>
          </div>
          <div>
            <p class="MsoNormal"><o:p> </o:p></p>
          </div>
          <div>
            <p class="MsoNormal">Especially when there are questions or
              issues being raised that need to be clarified.<o:p></o:p></p>
          </div>
          <div>
            <p class="MsoNormal"><o:p> </o:p></p>
          </div>
          <div>
            <p class="MsoNormal">For example what happened with Samantha
              is an explosion of tons of little issues that (in my view)
              should have been discussed, clarified and defended when
              they occurred (which would have prevented the drama, loss
              of an OWASP Employee and strong accusations to the
              multiple parties).<o:p></o:p></p>
          </div>
          <div>
            <p class="MsoNormal"><o:p> </o:p></p>
          </div>
          <div>
            <p class="MsoNormal">Another question I have is: "<i>For the
                cases when a thread starts in private, once the facts
                are clarified, and unless it falls into one of the 3
                exceptions listed, the expectation is that such private
                thread will eventually be made public",</i> right?<o:p></o:p></p>
          </div>
          <div>
            <p class="MsoNormal"><o:p> </o:p></p>
          </div>
          <div>
            <p class="MsoNormal">Finally, '<i>where do you put
                'employees reviews</i>'? should that be private or
              public? My view is that any information about OWASP
              organisation and its staff should be public and on the
              record (so that it can be peer-reviewed and validated by
              the OWASP leaders community). This might be something that
              we will need the employees to agree to, which can/should
              be part of their OWASP contract. <o:p></o:p></p>
          </div>
          <div>
            <p class="MsoNormal"><o:p> </o:p></p>
          </div>
          <div>
            <p class="MsoNormal">Thanks<o:p></o:p></p>
          </div>
          <div>
            <p class="MsoNormal"><o:p> </o:p></p>
          </div>
          <div>
            <p class="MsoNormal">Dinis<o:p></o:p></p>
          </div>
          <div>
            <p class="MsoNormal"><o:p> </o:p></p>
          </div>
        </div>
        <div>
          <p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
          <div>
            <p class="MsoNormal">On 19 June 2014 11:18, Bil Corry <<a moz-do-not-send="true" href="mailto:bil.corry@owasp.org" target="_blank">bil.corry@owasp.org</a>> wrote:<o:p></o:p></p>
            <div>
              <div>
                <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial","sans-serif";color:black">Hello
                    Governance,</span><o:p></o:p></p>
                <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial","sans-serif";color:black"> </span><o:p></o:p></p>
                <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial","sans-serif";color:black">I
                    am proposing we create (and have the BoD adopt) a
                    policy on transparency to clarify the information
                    that should never be shared publicly.</span><o:p></o:p></p>
                <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial","sans-serif";color:black"> </span><o:p></o:p></p>
                <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial","sans-serif";color:black">To
                    that end, I've created an initial draft, which you
                    can find here:</span><o:p></o:p></p>
                <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial","sans-serif";color:black"> </span><o:p></o:p></p>
                <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:.5in"><span style="font-family:"Arial","sans-serif";color:black"><a moz-do-not-send="true" href="https://www.owasp.org/index.php/Transparency_Policy" target="_blank">https://www.owasp.org/index.php/Transparency_Policy</a></span><o:p></o:p></p>
                <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial","sans-serif";color:black"> </span><o:p></o:p></p>
                <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial","sans-serif";color:black">I'm
                    requesting discussion and feedback on the draft,
                    along with additional exclusions (I only started
                    with two).</span><o:p></o:p></p>
                <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial","sans-serif";color:black"> </span><o:p></o:p></p>
                <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial","sans-serif";color:black">Thank
                    you for your time in advance,</span><o:p></o:p></p>
                <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial","sans-serif";color:black"> </span><span style="color:#888888"><o:p></o:p></span></p>
                <p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-family:"Arial","sans-serif";color:black">-
                    Bil</span><span style="color:#888888"><o:p></o:p></span></p>
              </div>
            </div>
            <p class="MsoNormal" style="margin-bottom:12.0pt"><br>
              _______________________________________________<br>
              Governance mailing list<br>
              <a moz-do-not-send="true" href="mailto:Governance@lists.owasp.org">Governance@lists.owasp.org</a><br>
              <a moz-do-not-send="true" href="https://lists.owasp.org/mailman/listinfo/governance" target="_blank">https://lists.owasp.org/mailman/listinfo/governance</a><o:p></o:p></p>
          </div>
          <p class="MsoNormal"><o:p> </o:p></p>
        </div>
      </div>
      <br>
    </blockquote>
    <br>
  

</div></blockquote></body></html>