[Owasp-board] Results of AppSec USA 2010 objection to profit sharing policy being applied

Mark Bristow mark.bristow at owasp.org
Fri Apr 1 20:09:16 UTC 2011


Tin, Cassio, Neil, and Richard,

Thanks for bringing this issue to our attention.  We took a look at the
information you sent us and there is no doubt that there has been a
mis-communication here.  Overall the Conferences Committee needs to do a
better job of communicating OWASP Conference Policies to its planners, for
that we apologize.


However, despite the mis-communication, the GCC does not feel that
this warrants an exception to the OWASP policy on profit sharing beyond what
has already been allocated to your chapters.


I’ve included the vote thread on this matter in the below email to provide a
bit more context. If you guys want to dispute this outcome, that’s fine, we
can bring it up at the GCC portion of the Board meeting on Monday.


Regards,
The Global Conferences Committee

====================================== VOTE THREAD ======================================
---------- Forwarded message ----------
From: Mark Bristow <mark.bristow at owasp.org>
Date: Wed, Mar 30, 2011 at 2:51 PM
Subject: VOTE: AppSecUSA 2010 Revenue Split
To: Ralph Durkee <ralph.durkee at owasp.org>, John Wilander <
john.wilander at owasp.org>, Lucas Ferreira <lucas.ferreira at owasp.org>
Cc: Kate Hartmann <kate.hartmann at owasp.org>, Eoin <eoin.keary at owasp.org>,
Sarah Baso <sarah.baso at owasp.org>


Ralph, John and Lucas,

Please vote on one of the following actions in regards to the AppSecUSA 2010
Revenue Split.  Please no discussion in this thread, simply a vote, and if
you'd like to make a statement about that vote feel free to do so.  This
thread will be made public once this has been completed.

   - Leave the policy as stands, apologize for the mis-communication and
   escalate to the board if necessary
   - Allocate an additional $3,000/chapter
   - Rather than give them any additional revenue, let them know that the
   limitations on the “OWASP on the Move” project have been lifted for them for
   the next 12 months for an amount up to what they feel they are missing.
   - Donate the extra $ to chapters' committee general budget

=========================== Issue (from an email from Mark Bristow to the Conference Planners (CC GCC)) ================

Richard has recently brought to our attention that you all feel that the GCC
profit sharing split was inappropriately applied to AppSecUSA 2010.  It is
the responsibility of the Global Conference Committee to adjudicate these
types of cases and as such I've started an inquiry based on the board
inquiry process.  As Richard, Neil and Cassio were intimately involved with
this event and have a conflict of interest as defined in the GCC Governance
policy<http://www.owasp.org/index.php/Global_Conferences_Committee_Governance#Conflict_of_Interest>,
I've recused them from the discussions related to this inquiry so that they
may be free to fully present their case from the position of AppSec USA 2010
event planners and chapter leaders.  The remaining GCC members will take
this matter into consideration and discuss it early next week.  We will come
to a resolution and provide it to the board for final approval (as it
involves a substantial amount of OWASP foundation funds).  Once this is
complete I will put the inquiry information and decision rationale on the
wiki as well as how the committee voted on the matter and will encourage the
board to do the same.

At issue here is the application of the GCC "Profit Sharing
Policy<http://www.owasp.org/index.php/Global_Conferences_Committee#tab=Committee_Policies>"
in which the local host chapters of Global AppSec events receive "25% of
event profits with a $5,000 USD cap ($10,000 for multi-chapter events)".
It's our understanding that you are contending that you were under the
impression that the split would be provided at the rate of 25% of profits to
the local with no cap.  According to the foundation's records, AppSecUSA
2010 made a profit of $96,449.92 and $10,000 has already been provided to
the LA and OC Chapters.  Your position is that the chapters should be
allocated an additional $14,112.48 (25% of $96,449.92 - $10,000 which was
already dispatched) for a total of $24,112.48 to be split by your chapters.

The committee would like to get the following from the AppSec USA planners
in order to render a decision on this issue.

   1. A statement outlining your position of why you feel the policy was
   improperly applied
   2. As we understand it you feel that you were told that the 25% w/ no cap
   was the policy and was agreed to, we'd like to know more about how this came
   to be.
   3. A copy of your internal AppSecUSA budget (as it stands, need not be a
   heavy lift) for comparison to the foundation records
   4. If you'd like to also describe how your chapters plan to use the
   additional funds, you're welcome to do that also, although not strictly a
   conference issue, some of the committee have asked for this information if
   you'd like to provide it.

We'd appreciate a reply by noon Monday if possible.  However if you need
more time, that's fine, we're just trying to be expeditious and get this
resolved.  As described and as it represents a reasonably substantial
portion (about 16%) of the OWASP annual operations budget we will also have
to have the board weigh in on this.  However at the summit the board
indicated that they'd like to have the committees debate it out first and
present their conclusions to the board for review.

Regards,
The Global Conferences Committee

====================== Additional Information (from GCC investigation) ==============================

   - At the time the Event was established, there was *NO* GCC policy on
   conference profit splits with local chapters
      - The GCC set a policy on 2011-01-13 setting the official OWASP split
      policy (later ratified by the board at their March meeting) (GCC Vote:
      https://docs.google.com/a/owasp.org/document/d/1eVX6lDyAtsUBrDKp6C7pcPTk8ObCv-QgnFAGq_zj510/
      )
      - The new policy was under consideration since mid year by the GCC and
      applied to AppSec USA, AppSecDC and LASCON as well as all conferences
      moving forward.
      - None of the GCC members at the time were asked about, or aware of
      the profit sharing expectations of the AppSec USA team
   - The LASCON team also had a varied expectation on what the split was
   supposed to be (they thought 60/40) prior to the policy being established.
   - This was not also communicated to any of the GCC members at the time
      - LASCON has accepted the GCC policy
   - AppSecUSA 2010 made $96,449.92 in profits and $10,000 has already been
   provided to the LA (Richard and Cassio are Board members) and OC Chapters
   - The difference between 25% of profit and what's already been given is
      $14,112.48
   - OWASP annual "profit" is roughly $150k.  The requested $24,112.48
   represents about 16% of OWASP's *ANNUAL* profits

======= Statement from Richard Greenberg on behalf of the event ================

The OC and LA Chapters were extremely surprised upon hearing that the
recently adopted policies, particularly the cap, regarding conference splits
with local chapters were being used retroactively to disperse funds from
AppSec SoCal. Clearly, I don't think any members of this committee would
intentionally proceed in this fashion. I am presuming that the understanding
was that there was no other agreement in place. However, this was not the
case.



You may or may not have seen the discussion threads I am including below.
They give a pretty definitive indication to the LA and OC Boards that the
agreed upon AppSec split was 25/75. However, there has been quite a bit of
discussion and some compelling thoughts on the finances of the organization
as a whole, and "the needs of the many outweigh the needs of the few" (one
of my favorite movie scenes). With that said, I am proposing some type of
compromise that would honor the pre-conference agreement and understanding,
yet not take too much of the revenue needed by OWASP, the mothership. Rather
than my stating a specific additional percentage, I am asking the GCC to
come up with a compromise figure. I think that this is essential to honor
the spirit and openness of what we are all about, and what we stand for as
an organization.



As requested, a working version of AppSec USA 2010 budget is attached. The
real budget (P&L statement) resides with Alison (we left detailed
bookkeeping to Alison once we figured out that we are making a profit).



The OC and LA chapters intend to use the proceeds from AppSec USA 2010 to
advance the OWASP mission in OC and LA counties, in accordance with OWASP
chapter guidelines. Activities planned include, but are not limited to,
bringing in the best of class speakers to chapter meetings, providing free
or discounted training opportunities, and covering increased venue costs
when attendance exceeds current facility capacity. We also are firm
believers that our future lies with the upcoming generations, and we intend
to support local student chapters as best as we can.



Keep in mind that larger cities like LA, NY and DC have higher costs than
most of the country. The arguments that I have heard that there should be no
rich chapters aren’t really sound ones. Strong chapters are the best allies
a centralized OWASP could possibly have. Keep in mind that in emergencies,
funds can always be reclaimed from chapters.



We appreciate your consideration of our position, and trust that when all
the facts are reviewed, a compromise can indeed be reached that is equitable
and will leave all of us happy to move ahead with our important work.


I am available for any questions you may have in this matter: 323-869-8120.


Thanks, again, for agreeing to resolve this issue.


 *Below is the historical record of the discussions that took place prior to
the Global SoCal AppSec:*


From: *Kate Hartmann* <kate.hartmann at owasp.org>
Date: Mon, Mar 22, 2010 at 12:37 PM
Subject: RE: [AppSec USA 2010] Trainer Split
To: Tin Zaw <tin.zaw at owasp.org>
Cc: Neil Matatall <neil at owasp.org>, Cassio Goldschmidt <cassio at owasp.org>

Yes, you are correct.  Remember, however, that the annual AppSec conferences
are one of the greatest sources of income for the foundation, so the budget
and expenses need to be monitored closely.  The expectation for the US
AppSec revenue would be in the neighborhood of $100K.



Kate Hartmann

OWASP Operations Director

9175 Guilford Road

Suite 300

Columbia, MD  21046



301-275-9403

kate.hartmann at owasp.org

Skype:  kate.hartmann1



*From:* Tin Zaw [mailto:tin.zaw at owasp.org]
*Sent:* Monday, March 22, 2010 3:36 PM
*To:* Kate Hartmann
*Cc:* Neil Matatall; Cassio Goldschmidt
*Subject:* Re: [AppSec USA 2010] Trainer Split



Thanks Kate.



I assume 40/60 split is of revenue (what we charge to students) for
training. 40% goes to trainer, and 60% goes to conference revenue (or gross
income) right?



What is the split of proceeds (net income/profit) from all 4 days? I believe
it is 25/75 (25% goes to local chapter(s) and 75% goes to OWASP Foundation).
Please confirm.



Thanks.

On Mon, Mar 22, 2010 at 11:44 AM, Kate Hartmann <kate.hartmann at owasp.org>
wrote:

The conferences committee recommends a 40/60 split (trainer/owasp)



Kate Hartmann

OWASP Operations Director

9175 Guilford Road

Suite 300

Columbia, MD  21046



301-275-9403

kate.hartmann at owasp.org

Skype:  kate.hartmann1



*From:* pc_appsec_us_2010-bounces at lists.owasp.org [mailto:
pc_appsec_us_2010-bounces at lists.owasp.org] *On Behalf Of *Neil Matatall
*Sent:* Friday, March 19, 2010 12:45 PM
*To:* pc_appsec_us_2010 at lists.owasp.org
*Subject:* [AppSec USA 2010] Trainer Split



Can someone remind me what the split is for trainers?  75/25 owasp/trainer?


Neil
============================= Statement from Kate ===============================

I am happy to step into a misunderstanding.  While I really don’t recall the
specific email, based on the other emails that had gone back and forth that
week, my response was referring to the training split.  This topic had just
been discussed during a board meeting and there had been some back and forth
about it.  Pulled out of context, however, I can see where it could be
misread as applying to the entire event, and not to just the training.
There were hundreds of other emails where I referred them to the How To Host
a conference page.



I admittedly have days where I probably fail to read and reply completely to
some emails.


---------- Forwarded message ----------
From: John Wilander <john.wilander at owasp.org>
Date: Wed, Mar 30, 2011 at 3:14 PM
Subject: Re: VOTE: AppSecUSA 2010 Revenue Split
To: Mark Bristow <mark.bristow at owasp.org>
Cc: Ralph Durkee <ralph.durkee at owasp.org>, Lucas Ferreira <
lucas.ferreira at owasp.org>, Kate Hartmann <kate.hartmann at owasp.org>, Eoin <
eoin.keary at owasp.org>, Sarah Baso <sarah.baso at owasp.org>


2011/3/30 Mark Bristow <mark.bristow at owasp.org>

> Ralph, John and Lucas,
>
> Please vote on one of the following actions in regards to the AppSecUSA
> 2010 Revenue Split.  Please no discussion in this thread, simply a vote, and
> if you'd like to make a statement about that vote feel free to do so.  This
> thread will be made public once this has been completed.
>
>    - Leave the policy as stands, apologize for the mis-communication and
>    escalate to the board if necessary
>
Approve. We do owe them an apology, so this is by no means a forced action.
I understand their case.

>
>    - Allocate an additional $3,000/chapter
>
Disapprove. I stand by the policy because I believe in it.

>
>    - Rather than give them any additional revenue, let them know that the
>    limitations on the “OWASP on the Move” project have been lifted for them for
>    the next 12 months for an amount up to what they feel they are missing.
>
Disapprove. Again, I stand by the policy because I believe in it. Should
the OWASP Board want to settle for a compromise I think this is the best
solution.

>
>    - Donate the extra $ to chapters' committee general budget
>
Disapprove. I think the chapters' committee are out of scope on this issue.

   Regards, John

-- 
John Wilander, https://twitter.com/johnwilander
Chapter co-leader OWASP Sweden, http://owaspsweden.blogspot.com
Conf Comm, http://www.owasp.org/index.php/Global_Conferences_Committee

---------- Forwarded message ----------
From: Mark Bristow <mark.bristow at owasp.org>
Date: Wed, Mar 30, 2011 at 3:15 PM
Subject: Re: VOTE: AppSecUSA 2010 Revenue Split
To: Ralph Durkee <ralph.durkee at owasp.org>, John Wilander <
john.wilander at owasp.org>, Lucas Ferreira <lucas.ferreira at owasp.org>
Cc: Kate Hartmann <kate.hartmann at owasp.org>, Eoin <eoin.keary at owasp.org>,
Sarah Baso <sarah.baso at owasp.org>


All,

I vote to "Leave the policy as stands, apologize for the mis-communication
and escalate to the board if necessary"

I think that what this issue showed is that the GCC needs to do a better job
of communicating its policies to planners.  We have taken some steps to
rectify this situation (
http://www.owasp.org/index.php/Global_Conferences_Committee#tab=Committee_Policies)
but they were not in place at the time that the issue occurred.  While I
believe that this whole issue is an unfortunate misunderstanding between the
AppSecUSA planners and Kate, and apologize for that, I still think that the
GCC acted appropriately in applying the new policy, as the previous policy
(from my point of view) was not to provide any split to local chapters.

I think it's also important to note that the requested additional allocation
($14,112.48) represents a rather large portion of the OWASP annual profit,
money that in my mind can be more wisely spent in other areas of the
organization on projects, mini-summits, outreach etc rather than be
allocated to individual chapters that have already received a $10,000
allocation for their considerable efforts in organizing an OWASP Global
AppSec Event.  I believe that a small misunderstanding, that admittedly is
partly the fault of the GCC not effectively communicating its policies, and
partly the fault of the conference planners in not working to clarify what
the existing policy was by clearly asking the GCC for guidance, is not
sufficient to warrant the additional allocation.

Regards,
-Mark


---------- Forwarded message ----------
From: Lucas Ferreira <lucas.ferreira at owasp.org>
Date: Wed, Mar 30, 2011 at 4:13 PM
Subject: Re: VOTE: AppSecUSA 2010 Revenue Split
To: Mark Bristow <mark.bristow at owasp.org>
Cc: Ralph Durkee <ralph.durkee at owasp.org>, John Wilander <
john.wilander at owasp.org>, Kate Hartmann <kate.hartmann at owasp.org>, Eoin <
eoin.keary at owasp.org>, Sarah Baso <sarah.baso at owasp.org>


My vote is: "Leave the policy as stands, apologize for the
mis-communication and escalate to the board if necessary"

Regards,

Lucas


---------- Forwarded message ----------
From: Mark Bristow <mark.bristow at owasp.org>
Date: Wed, Mar 30, 2011 at 4:58 PM
Subject: Re: VOTE: AppSecUSA 2010 Revenue Split
To: Lucas Ferreira <lucas.ferreira at owasp.org>
Cc: Ralph Durkee <ralph.durkee at owasp.org>, John Wilander <
john.wilander at owasp.org>, Kate Hartmann <kate.hartmann at owasp.org>, Eoin <
eoin.keary at owasp.org>, Sarah Baso <sarah.baso at owasp.org>


Ok,  That's a Quorum, however I want to give Ralph time to respond with his
vote as well (he mentioned limited availability this week).


---------- Forwarded message ----------
From: Ralph Durkee <rd at rd.net>
Date: Wed, Mar 30, 2011 at 8:02 PM
Subject: Re: VOTE: AppSecUSA 2010 Revenue Split
To: Mark Bristow <mark.bristow at owasp.org>
Cc: Lucas Ferreira <lucas.ferreira at owasp.org>, Ralph Durkee <
ralph.durkee at owasp.org>, John Wilander <john.wilander at owasp.org>, Kate
Hartmann <kate.hartmann at owasp.org>, Eoin <eoin.keary at owasp.org>, Sarah Baso
<sarah.baso at owasp.org>


I vote to "Leave the policy as stands, apologize for the mis-communication
and escalate to the board if necessary"