[Owasp-board] [Global_conference_committee] Loss from AppSec Asia

Mark Bristow mark.bristow at owasp.org
Wed Dec 7 21:00:32 UTC 2011


I can't read Google Docs from here.

On Wed, Dec 7, 2011 at 3:59 PM, Sarah Baso <sarah.baso at owasp.org> wrote:
> Mark -
> What about this agreement?
> https://docs.google.com/a/owasp.org/viewer?a=v&pid=explorer&chrome=true&srcid=0B5Z9zE0hx0LNNmNlNmUyMzMtZmYzNC00NWU3LWIyNzgtNzRlMTdlZGMxMTBj&hl=en
>
> Sarah
>
>
> On Wed, Dec 7, 2011 at 2:53 PM, Mark Bristow <mark.bristow at owasp.org> wrote:
>>
>> Tin,
>>
>> This is how I also understand our relationship with one caveat.  I
>> don't believe that there is a formal agreement between SecZone and
>> OWASP for them to act as our representative.  Had this agreement been
>> in place, we could have clearly defined how profit/loss would be
>> shared for the event, as well as a bunch of other requirements that we
>> impose on legal entities representing OWASP elsewhere in the world.
>> This however is a larger question beyond this event, and is one the
>> board has taken for action.
>>
>> There are a few points here:
>> 1. In this case, it seems to me that the OWASP foundation should realize
>> a $5,500 loss for this event (The fact that this was not spelled out
>> beforehand is troubling)
>> 2. We need to clarify and formalize our relationship with SecZone as
>> it relates to OWASP in China (Board Action)
>> 3. We need to better define and vet budgets and impose additional
>> auditing requirements as event planning is in process
>> 4. We need to be more diligent in determining the exact composition
>> of the on-site planning team earlier in the process to identify
>> potential issues earlier rather than ex post facto.
>>
>> On Wed, Dec 7, 2011 at 3:38 PM, Tin Zaw <tin.zaw at owasp.org> wrote:
>> > I am not sure if Mark's comments or understanding is in sync with what
>> > conference organizers -- Rip, Ivy, Frank -- had told me.
>> >
>> > To me, it was 100% OWASP conference. OWASP, not SecZone or others, was
>> > the name used, as you can see in the photos here.
>> >
>> > https://plus.google.com/photos/106576365897061578673/albums/5678655625299333025
>> >
>> > SecZone is listed as one of the supporters, just like Frank's company
>> > and other supporters.
>> >
>> > OWASP does not have a legal entity in China and you need a legal
>> > entity in China to do a conference like that. So SecZone (a registered
>> > non-profit in China, that I was told) was used as a legal entity to
>> > organize things for OWASP, on OWASP's behalf.
>> >
>> > On the bigger scope, OWASP China is "housed" inside SecZone. My
>> > understanding is that this is not dissimilar to NASA JPL housed inside
>> > Caltech.  SecZone/Caltech provides administrative support while the
>> > housed organization carries out OWASP's/NASA's mission. The main
>> > reason for this is that an organization in China needs to be a
>> > registered legal entity with the government. (Let's not forget that
>> > "Communist Party" still rules China). They also informed us that OWASP
>> > is not the only organization housed inside SecZone. There are others
>> > but OWASP is the major org supported by SecZone.
>> >
>> > I think it is correct to consider SecZone's and OWASP's budgets (for
>> > conference and the chapter) separate. But we should understand the
>> > nuances we face when we advance our mission in different cultural
>> > contexts.
>> >
>> > On Wed, Dec 7, 2011 at 11:46 AM, Mark Bristow <mark.bristow at owasp.org> wrote:
>> >> So before we get too far down this road.  AppSecASIAPAC was an anomaly.
>> >> GCC (at least I) was not aware that there was another organization
>> >> involved until VERY late in the game (weeks before the event).
>> >> Technically it should have been classified as a partner event, where a
>> >> contract between our two organizations would have been signed (by the
>> >> board) up front, clearly identifying these issues.
>> >>
>> >> In this case, this was presented as a 100% OWASP event when in reality
>> >> it was not.  That's the root of the problem here and unlike LATAM the
>> >> other organization is more "partner" than "contractor".
>> >>
>> >> On Wed, Dec 7, 2011 at 1:50 PM, Sarah Baso <sarah.baso at owasp.org> wrote:
>> >>> I agree with capping the loss. I also think we should have some more strict
>> >>> budget requirements for global appsec conferences, especially when we have
>> >>> 3rd parties handling the money.  If Alison is the one making payments and
>> >>> accepting money, we can check in with her at any point to find out the
>> >>> status of an event; however, we don't have this visibility/transparency
>> >>> right now with the 3rd parties.
>> >>>
>> >>> I think before we go forward with signing contracts for 2012 events
>> >>> (especially in Latin America and AsiaPac where they have not run the money
>> >>> through the Foundation), we should discuss and decide on a policy for this.
>> >>>
>> >>> Sarah
>> >>>
>> >>>
>> >>> On Wed, Dec 7, 2011 at 12:45 PM, Eoin <eoin.keary at owasp.org> wrote:
>> >>>>
>> >>>> Matt,
>> >>>> As treasurer what are your thoughts on limiting liability for losses at
>> >>>> global conferences? My view is if we don't do this we are leaving the
>> >>>> foundation exposed. Such a cap should be in a contract signed by the
>> >>>> conference organisers?? It can be a % or a figure, but right now are we in a
>> >>>> position of unlimited liability??
>> >>>> Anyone, thoughts??
>> >>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> On 7 Dec 2011, at 18:19, Sarah Baso <sarah.baso at owasp.org> wrote:
>> >>>>
>> >>>> Alison -
>> >>>> Can you look to see (or maybe you know off the top of your head) if
>> >>>> we sent any down payment or money (other than the approx. $3222 sent
>> >>>> recently to cover hotel costs) to China for this conference?  It probably
>> >>>> would have been in late July or August of this year.
>> >>>>
>> >>>> They are currently at a $16,166.22 loss, but Frank Fan's company
>> >>>> (DBAppSecurity) still owes $4742 and SecZone has said they can cover about
>> >>>> $6,000 of the loss. That leaves about $5,500 for us to possibly cover.  I
>> >>>> want to make sure we have a full financial picture of what we have paid
>> >>>> before anything is decided though.
>> >>>>
>> >>>> Thanks,
>> >>>> Sarah
>> >>>>
>> >>>> On Wed, Dec 7, 2011 at 9:41 AM, Mark Bristow <mark.bristow at owasp.org> wrote:
>> >>>>>
>> >>>>> I believe some of the loss will be realized by each party
>> >>>>>
>> >>>>> -Mark
>> >>>>>
>> >>>>> Sent from my wireless device
>> >>>>>
>> >>>>> On Dec 7, 2011, at 10:33 AM, "Kate Hartmann" <kate.hartmann at owasp.org> wrote:
>> >>>>>
>> >>>>> I know there is a documented loss for AppSec Asia for 2011.  Is the
>> >>>>> foundation expected to reimburse SecZone for this loss?  What was the
>> >>>>> agreement for the financials for this event?  I know that much of this has
>> >>>>> come from Rip’s personal account.
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> We need to clear this up before the end of the year.
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> Kate Hartmann
>> >>>>>
>> >>>>> Operations Director
>> >>>>>
>> >>>>> 301-275-9403
>> >>>>>
>> >>>>> www.owasp.org
>> >>>>>
>> >>>>> Skype:  Kate.hartmann1
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> <Copy of OWASP 2011 Appsec Asia cost-1128.xlsx>
>> >>>>>
>> >>>>> _______________________________________________
>> >>>>> Global_conference_committee mailing list
>> >>>>> Global_conference_committee at lists.owasp.org
>> >>>>> https://lists.owasp.org/mailman/listinfo/global_conference_committee
>> >>>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> --
>> >>>> Administrator for
>> >>>> OWASP Global Conference Committee
>> >>>> OWASP Global Chapter Committee
>> >>>>
>> >>>> Dir: 312-869-2779
>> >>>> skype: sarah.baso
>> >>>>
>> >>>> _______________________________________________
>> >>>> Owasp-board mailing list
>> >>>> Owasp-board at lists.owasp.org
>> >>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>> >>>
>> >>>
>> >>>
>> >>>
>> >>>
>> >>
>> >>
>> >>
>> >> --
>> >> Mark Bristow
>> >> (703) 596-5175
>> >> mark.bristow at owasp.org
>> >>
>> >> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
>> >> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
>> >> AppSec DC Organizer - https://www.appsecdc.org
>> >
>> >
>> >
>> > --
>> > Tin Zaw, CISSP, CSSLP
>> > Chapter Leader and President, OWASP Los Angeles Chapter
>> > Chair, OWASP Global Chapter Committee
>> > Google Voice: (213) 973-9295
>> > LinkedIn: http://www.linkedin.com/in/tinzaw
>>
>>
>>
>
>
>
>
>



-- 
Mark Bristow
(703) 596-5175
mark.bristow at owasp.org

OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
AppSec DC Organizer - https://www.appsecdc.org
