[Owasp-board] Fw: OWASP election thoughts

Tom Brennan - OWASP tomb at owasp.org
Thu Aug 5 21:02:00 UTC 2010


Semper Fi,

Tom Brennan
OWASP Foundation Inc.
Tel: (973)506-9303

-----Original Message-----
From: Dan Cornell <dan at denimgroup.com>
Date: Thu, 5 Aug 2010 13:06:49 
To: Kate Hartmann<kate.hartmann at owasp.org>
Cc: Dan Cornell<dan at denimgroup.com>; tomb at owasp.org<tomb at owasp.org>
Subject: FW: OWASP election thoughts

Here you go.  This isn't necessarily "formal documentation" but it at least laid out what we did and some suggestions for the future.



-----Original Message-----
From: Dan Cornell 
Sent: Thursday, November 19, 2009 12:40 AM
To: Tom Brennan; Kate Hartmann; Michael Coates; 'Stephen Craig Evans'
Cc: Dan Cornell
Subject: OWASP election thoughts


Here are some thoughts on the Board vote that we could use to make future elections better.  I'm open to others' thoughts as well.  My goal would ultimately be to put together a HOWTO document that could go up in the Wiki or at least be a resource for future elections.

In all I felt like it went well, but I wanted to highlight stuff that could have caused troubles so we proactively head off potential trouble in future elections.




-We didn't have a strong policy on who would be allowed to vote and that led to some confusion during the election and could have led to a lot of troubles.  For example, the current Board was added to the election process during the conference whereas the previous decision had been to have them not vote.  One person had contributed to OWASP for several years, but did not meet the specific criteria but we set them up with a vote anyway.  Two people renewed their expired memberships during the election and were also given a vote.  None of these decisions were necessarily wrong, but it would have been good to enumerate our policies publicly beforehand so that less was left to discretion during the election.

-It was hard to collect accurate info about the voters - most specifically their email addresses.  We actually had one of the candidates' emails (Eoin's) incorrect as well as a number of bounced emails from well-known OWASP contributors such as Alex Smolen.  Tom Brennan's work with Salesforce.com may help in this area as we will have a single repository of people's "true" contact information.

-We had one identified problem with people not receiving ballot emails (John Steven) and possibly others that went unreported.  The assumption is that some sort of edge spam filter caught the message at a point where it could not be found later.  This is hard to combat as OWASP is a virtual organization and we need to rely on email to communicate.  Calling or snail mailing every member is not a practical alternative.

-There was no up-front policy on how we let folks campaign.  Was the wiki the only place to post the info or was emailing the Leaders list acceptable as well?  We ended up with some traffic on the mailing list toward (and past) the end of voting.  No one complained about the use of the leaders list, but I could see a world where that might have rubbed some folks the wrong way.

-There was some dissatisfaction (one person) who did not want to have to vote for two candidates because they only knew one of the candidates and did not want to vote for someone they did not know.  That is a fair input although I'm not sure that we should necessarily change our policy next time.  After all - many voters might not have met any of the candidates, but could have voted after reviewing their position information on the wiki.

-We needed a better plan for how to certify and disseminate the results.  What we did was ad hoc (calls, emails to candidates, emails to lists) and that could have been pre-planned.  Prior planning would have let us disseminate the results more quickly.

-We used VoteNet's password generation and mass email service for the first email and that cost an extra $350 (I think).  That probably could have been avoided, as I wrote a Perl script (attached) to send the subsequent mass emails.

-VoteNet's application apparently doesn't work well in Google Chrome.  Not the worst problem in the world, but something to note.

-I would have preferred to have been able to do some security testing of the voting solution prior to the vote.  I'm not sure that is practical from what is really a pretty entry-level voting solution - the VoteNet folks wouldn't let us run a test election which isn't surprising because of the cost of the election product we used.  If we were spending $5k for a vote then perhaps, but for a couple hundred dollars this is more of a transactional sale.  Everyone appeared to be well behaved this time around, but that doesn't have to be the case.  I guess I'm glad we're a "Builder" community rather than a "Breaker" community :)

-The VoteNet folks were very helpful and responsive.  My interactions with Caitlyn Radack (cradack at votenet.com) for sales and with Ramon Graham (rgraham at votenet.com) for support were all very positive.  They turned around the password generation and mass email ahead of their typical two business day timeframe.

-We (well, I) made the decision to make the election anonymous and therefore not auditable.  I think that was the right call, but might be something to discuss in the future.  Also the results were not available until the end of the election and I think that was appropriate so we didn't see any bias introduced where folks selected their votes based on the current leaders in the election.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: email.pl.renamed
Type: application/octet-stream
Size: 1341 bytes
Desc: email.pl.renamed
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20100805/a5e3c9d8/attachment-0002.obj>
