[Owasp-board] Fwd: Profit sharing policy discussion

Tom Brennan tomb at owasp.org
Wed May 11 16:24:17 UTC 2011


FYI

Begin forwarded message:

> From: Josh Sokol <josh.sokol at owasp.org>
> Date: May 11, 2011 11:07:54 AM EDT
> To: Tom Brennan <tomb at owasp.org>, matt.tesauro at owasp.org
> Subject: Fwd: Profit sharing policy discussion
> 
> Would one of you guys mind forwarding my email below on to the board and the chapters committee?  I'm not able to send to either list.  Thank you.
> 
> Sincerely,
> 
> Josh Sokol (CISSP, CCNA, GWAS)
> Information Security Program Owner
> National Instruments
> 
> Begin forwarded message:
> 
>> From: Josh Sokol <josh.sokol at ni.com>
>> Date: May 11, 2011 9:59:57 AM CDT
>> To: "Mark Bristow" <mark.bristow at owasp.org>
>> Cc: "Josh Sokol" <josh.sokol at owasp.org>, "Lucas Ferreira" <lucas.ferreira at owasp.org>, "global_conference_committee" <global_conference_committee at lists.owasp.org>, "Mark Bristow" <mark.bristow at owasp.org>
>> Subject: Re: Profit sharing policy discussion
>> 
>> Mark,
>> 
>> Personally, I don't care about DC or any AppSec conference for that matter.  These conferences, regardless of which chapter is supporting, are the property of the OWASP Foundation and should rightly be treated as such with the GCC setting whatever profit splits, caps, or anything else it sees fit.  I have never desired to change that and the Austin chapter has put in a bid to support the Foundation in that effort for the 2012 USA conference out of our desire to support OWASP's core values and mission.
>> 
>> What I do not agree with is the notion that the GCC can now make policy for other conferences run by individuals and chapters.  When we started LASCON, there was no GCC that I'm aware of and at the very least no involvement in the conference from the GCC.  The notion that the creation of the GCC suddenly means that all future decision making ability and past decisions were retroactively taken out of the hands of the conference planners is simply crap.  LASCON was founded by the Austin chapter members to support the OWASP mission, but is not the property of OWASP.  It is a fundraiser for both our local chapter and the foundation, but was never intended to be governed by the GCC.  In every communication that I've seen from you on this topic you have made the assumption that we gave up the right to make decisions for ourselves when we decided that the conference would support OWASP.  Other than our agreement that the foundation would handle the income and expenditures to simplify that part of the conference for us, I'd like to know where it was ever agreed that it would be the case that OWASP or the GCC would be able to set policy for our conference.  The fact is that we never agreed to this and likely never would have given up that right had we had any say in the matter.  IMHO, the GCC should have full control over conferences that belong to OWASP and any agreements with any other conferences should be negotiated and agreed to between the GCC and the conference planners.  If you don't start treating these conferences more like a partnership and less like an owner by assumption, I can guarantee that you will lose them and any support they provide for OWASP either via its mission or financially.
>> 
>> I've said my piece apparently "ad nauseam" at this point even though we were never consulted as stakeholders in this policy and when I tried to get involved I was told that the discussion had already been had and all that was left was a vote.  The only reason why I am still pleading my case is because the board ultimately has to approve this policy and I am hopeful that they will recognize that this policy contradicts OWASP's mission.  I appreciate the GCC's desire to bring order where there was chaos, but this policy flies in the face of everyone out there trying to support OWASP and its values through conferences.  Since the GCC is unwilling to recognize this and overturn its flawed policy, I can only hope that the board will.
>> 
>> Sincerely,
>> 
>> Josh Sokol (CISSP, CCNA, GWAS)
>> Information Security Program Owner
>> National Instruments
>> 
>> On May 10, 2011, at 6:12 PM, "Mark Bristow" <mark.bristow at owasp.org> wrote:
>> 
>>> I think it is important to remember in this discussion that it is ALL OWASP'S money.  Distinction between the board budget, committee budgets, project budgets, chapter budgets, conferences et al. is an internal accounting practice and how the Foundation chooses to organize and prioritize its activities; there are not separate accounts, merely line items tracked by our accountant.
>>> 
>>> The Conferences Committee has visited, and revisited this topic ad nauseam.  In the end the committee members voted on the policy and that is the policy that shall stand until it is re-visited by the committee or overturned by the board.  As Committee Chair and as a Committee member, it's my responsibility to support that policy until such time.  The intention was for the GCC to look at this subject again after we went through a Global AppSec Cycle to determine if it was effective.  I think it would be prudent to get more information and feedback about the policy before we go changing it.
>>> 
>>> Regarding Josh's comment regarding how the language was drafted, I agree it may stem to incentivize the wrong types of behavior by calling out the additional money one can earn for their chapter.  Financial gain for the chapter should NOT be a primary goal in hosting a conference, it should be done as an effort to further the OWASP mission and the Application Security community.  What I was trying to do was help "incentivize" and "sex up" the statement to drive more people to host events and ultimately spread awareness about OWASP and application security.  Hosting a conference is a TON of work but it is one of our greatest outreach efforts and we need to find ways to encourage events in a controlled and coordinated way.
>>> 
>>> In regards to the comment about events handing 100% of profits to the foundation prior to this policy being implemented, to my knowledge (I can say it definitively with AppSec DC) this was completely true and if you want me to pull the records for all events I will do so.  I believe the first time that any type of profit sharing was tried was AppSec EU 2010 as a pilot program.
>>> 
>>> Comments about the need for chapter budgets are really outside this conversation and are a matter for the chapters committee.
>>> 
>>> On Tue, May 10, 2011 at 6:56 PM, Mark Bristow <mark.bristow at owasp.org> wrote:
>>> Gentlemen,
>>> 
>>> First off, the initial point of this thread was a report of the GCC of a completed action item it was assigned by the board.  I have re-named this discussion to get it more on topic.  I would really appreciate it if we could, as a general rule, keep to the topics discussed in the subject lines.  Everyone is always welcome to voice their opinion and if it is only tangential to the original topic, a simple rename of the subject will move it into a new thread (I can't wait till we have forums, if that day ever comes).
>>> 
>>> Second,  please everyone keep it civil.  I read this thread mostly from my phone and really didn't notice who said what (and am intentionally doing that while writing this section).  I did see some personal attacks, innuendo, and what I consider to not be appropriate for civil discourse.  Just try to keep it above board.
>>> 
>>> I'll re-read this thread and follow up in a minute, but I needed to take some "moderator" action in this case.
>>> 
>>> -Mark
>>> 
>>> On Tue, May 10, 2011 at 6:40 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>> Lucas,
>>> 
>>> Wow.  I don't even know what to say to that as this is the very basis for Mark's communication that generated my original response.  "Earn up to $5000 for your chapter by hosting an OWASP Event!"  Am I missing something here?  "This new policy rewards chapters who volunteer to take on the challenge of hosting an OWASP event"  If you disagree with what I said, then you should be jumping up and down screaming about this message intended for the leaders list.  The communication says nothing about supporting OWASP's mission, doing it for fun, educating the masses.  Only money for chapters.  Houston, I think we have a problem here.
>>> 
>>> Frankly, this isn't about a mentality that you want to encourage and to some extent we need to look beyond selfish motivations and analyze the impacts of our decisions on the chapters and the foundation.  Regardless of the motivations, we need to ask ourselves "Does this encourage more conferences, and thus, support the OWASP mission?"  Everything else is really secondary.  This earn money for your chapter exemplifies that.
>>> 
>>> Yeah, I've heard Mark say several times that before the policy there was no policy.  For some reason the assumption is that this means that chapters doing their own conferences were just going to hand over 100% of their profits to the OWASP Foundation.  I'll call shenanigans on that one.  I can only speak for our conference, but that was never our intention and I can pretty much guarantee that I wouldn't even be considering LASCON 2011 an OWASP conference if that were the case.  The very fact that the GCC thinks they should be dictating these conditions to conferences without any say from the people actually running the conferences really bugs me.
>>> 
>>> Your last statement I agree with completely and was the rationale behind me taking back my objection to the policy.  My only real thought here is that prior to LASCON, our chapter felt like we hadn't contributed anything to OWASP, and therefore, we shouldn't be asking for anything from the organization.  Giving chapters their own funds is just a way to recognize the chapters that are really giving back to the organization.  Do we need our own money?  Absolutely not.  So why have chapter bank accounts at all if we never intend to put any money in them?
>>> 
>>> ~josh
>>> 
>>> 
>>> On Tue, May 10, 2011 at 4:56 PM, Lucas Ferreira <lucas.ferreira at owasp.org> wrote:
>>> Josh,
>>> 
>>> I don't think that "getting money for my chapter" should be a driver for a conference planner. This is not the kind of mentality I want to encourage.
>>> 
>>> Also, before this policy, there was no policy at all. So this new policy now allows chapters to get some money, which did not happen before. Are you saying that getting no money was better than getting some money?
>>> 
>>> Another doubt: which activities do you have in your chapter that could not be funded by the "mothership" OWASP money? Why do you need YOUR money?
>>> 
>>> Regards,
>>> 
>>> Lucas
>>> 
>>> 
>>> On Tue, May 10, 2011 at 18:30, Josh Sokol <josh.sokol at owasp.org> wrote:
>>> Lucas,
>>> 
>>> I agree wholeheartedly.  We should not be looking to use conferences to make money, we should be looking to use conferences to carry out the OWASP mission.  That said, throwing conferences is one of very few ways for a chapter to raise funds.  The only other that I am aware of is finding a corporate sponsor which is quite difficult.  So if my best option to get money in my chapter's bank account to improve my chapter and carry out the OWASP mission is to hold a conference, why would you do things to discourage that?  Keep in mind that even if the money is in a chapter's bank account, it still needs to be used to support the OWASP mission.  Are you implying that my drive to raise funds to improve my local chapter means that I'm not passionate about OWASP?  The very fact that I'm throwing an OWASP conference with a dedicated OWASP track says quite the opposite.  Can the same be said for the policy which has the net effect of disincentivizing more chapters from doing what we have?  All for what?  A bigger amount of money into the general OWASP account.  So now tell me who's passionate and who's about the money?
>>> 
>>> ~josh
>>> 
>>> 
>>> On Tue, May 10, 2011 at 4:13 PM, Lucas Ferreira <lucas.ferreira at owasp.org> wrote:
>>> Josh,
>>> 
>>> If the conference planners' main incentive is getting money, they are not aligned with what I believe should be the reasons for participating in OWASP. We need to find people that can make a great conference because they are passionate about OWASP as a whole, not about money.
>>> 
>>> Regards,
>>> 
>>> Lucas
>>> 
>>> 
>>> On Tue, May 10, 2011 at 17:34, Josh Sokol <josh.sokol at owasp.org> wrote:
>>> The reasoning behind the caps in the FAQ is fundamentally flawed.  Because the revenue split is percentage based, as profit grows so does the OWASP Foundation's take.  The cap has the effect of creating a bump in profits for the OWASP Foundation once a certain dollar value is reached.  This actually discourages the conference planners from creating additional profit beyond that cap value, and thus, could result in less money for the foundation.  
>>> 
>>> If the intent of this policy is to make sure that the OWASP Foundation makes a pre-determined amount of revenue off of each conference, then you should probably use a minimum profit value for the percentage split to kick in.  This would ensure funding for the foundation while providing incentive for the conference planners to do activities which will make more money for both parties.
>>> 
>>> Sincerely,
>>> 
>>> Josh Sokol
>>> 
>>> On Tue, May 10, 2011 at 2:21 PM, Mark Bristow <mark.bristow at owasp.org> wrote:
>>> OWASP Board,
>>> 
>>> As previously directed, the OWASP GCC has developed some draft language to announce the profit sharing policy for events for your review and consideration.  If the Board approves, I will post this to the leaders list.
>>> 
>>> Regards,
>>> -Mark
>>> 
>>> To: Leaders List
>>> Subject: OWASP event profit sharing for local chapters!
>>> 
>>> Leaders,
>>>  
>>> Earn up to $5000 for your chapter by hosting an OWASP Event!  Local chapters who would like to host an OWASP Local, Regional or Global AppSec event can now receive a portion of the event profits earmarked for your chapter.  This new policy rewards chapters who volunteer to take on the challenge of hosting an OWASP event with the following schedule:
>>> Global AppSec Conference - 25% of event profits with a $5,000 USD maximum ($10,000 for multi-chapter events)
>>> Regional/Theme Events - 30% of event profits with a $4,000 USD maximum
>>> Local Events - 50% of profits with a $3000 USD maximum
>>> All you need to do is coordinate your event with the Global Conferences Committee using the OWASP Conference Management System (https://ocms.owasp.org), answer a few basic questions and get your event approved.  If your event makes a profit you can earn some extra money for your local chapter’s budget!  The Conferences Committee is excited about this new program and can’t wait to work with you to host your OWASP event!
>>> 
>>> About the policy:
>>> In addition to the Membership Committee's 60/40 membership income sharing model, the GCC felt it was appropriate to provide a mechanism for local chapters who volunteer significant time and effort to host OWASP events to reap some financial benefit from that effort for their local chapter budgets.  The committee considered the needs of the OWASP Foundation, local chapter entrepreneurship, and a potential disparity between "have and have not" chapters when debating the decision.  For more information on this policy you can reference the GCC discussion, GCC vote and OWASP Board Vote on the subject.
>>> 
>>> Regards,
>>> The Global Conferences Committee, Mark Bristow, Chair
>>> 
>>> 
>>> 
>>> ================= FAQ (not for release with announcement) ================================
>>> Q: But I thought that conference revenue was split 60/40!?!?
>>> A: The 60/40 split only applies to membership income and is set by the Membership Committee.  Previously, there was no provision to provide profit sharing from events with local chapters.  This new policy provides chapters with additional ways to obtain resources that did not exist before.
>>> 
>>> Q: Why are there caps?
>>> A: OWASP events are a critical component to the revenue that OWASP earns annually to cover its operational expenses, making up about half of annual revenue.  It is critical to the continuation of the OWASP Foundation that this revenue stream not be significantly interrupted or we could run out of funding for many of the OWASP activities we, and the community, have come to rely on.  Many OWASP events can be quite profitable (Global AppSec events can make in excess of $100,000 USD) and the Committee decided it was important to put overall profit sharing caps in place to ensure the conference revenue was available throughout foundation for operating costs.  Additionally, individual chapter budgets are not the only way that chapters can fund activities.  Chapters can reach out, via the Chapters Committee, for support for various activities from the Foundation, (which in turn is heavily funded by Conference revenue).  The caps ensure that we don't encounter a situation where one or two chapters have a disproportionate allocation of OWASP funds leaving the majority of chapters to fight over a relatively small amount of funds via the Chapters committee.
>>> 
>>> _______________________________________________
>>> Global_conference_committee mailing list
>>> Global_conference_committee at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/global_conference_committee
>>> 
>>> 
>>> 
>>> -- 
>>> Homo sapiens non urinat in ventum.
>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> Mark Bristow
>>> (703) 596-5175
>>> mark.bristow at owasp.org
>>> 
>>> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
>>> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
>>> AppSec DC Organizer - https://www.appsecdc.org
>>> 
