[Owasp-board] LASCON Exception Meeting

Jason Li jason.li at owasp.org
Wed Feb 15 05:14:33 UTC 2012


I wanted to get some background information ahead of the meeting tomorrow.

I'm neither a Board member, nor a chapter/conference committee member.

However, I asked to sit in on this meeting as I hope that OWASP projects
will eventually get to the point where they too have large individual
budgets. Once that happens, I imagine that we will have to have similar
discussions to the ones currently occurring between conferences and
chapters. As a result, I'd like to follow the conversation so I have
context/input on the future.

I would like to summarize the current situation as I see it and ask some
questions to set the context.

My understanding is that there is currently a Board-approved policy
administered by the Conferences Committee that applies to any "event" that
either charges for admission **OR** requires $1,000 or more in Foundation
funds. Under this policy, profit sharing is based on a varying percentage
between 25-50% depending on the size of the event. This profit is further
capped somewhere between $3,000-$5,000 USD depending on the scale of the

There is also a separate Board-approved policy administered by the Chapter
Committee that applies to events that do NOT charge admission. For
events that do NOT charge admission, there are two variations: one where
the Foundation provides $1,000 or more in funding, and one where the
Foundation provides less than $1,000 in funding. In situations where the
Foundation provides $1,000 or more in funding, the policy enforces a 50/50
profit split for events requiring Foundation funds. If the event requires
less than $1,000 in funding and the event does NOT charge admission, then
there is no split and the chapter retains all profit. (I'm presuming that
such events are somehow obtaining a profit from event sponsorships or
training fees since they don't charge admission?)

The current request is to make an exception for the LASCON event with
regards to the "Admission Fee Event" profit sharing policy and instead have
the event fall under the "Non-Admission Fee event" profit sharing policy.
As LASCON is not planning to utilize more than $1,000 in Foundation funds,
the local chapter would retain 100% of the profits from the event.

I know the specific request at hand regards only LASCON, but I can see how
that decision easily sets off similar requests for future "Admission Fee"

The LASCON event is charging admission so I would like to understand what
is the rationale for the "Non-Admission Fee Event" policy applying instead
of the "Admission Fee Event" policy? I suspect that there is some
unacknowledged or unspoken inequity in this distinction that should be
discussed by the group.

I'd like to understand a few things historically to put that discussion in
context. My questions:
1) Historically, I know that the Foundation has supported loss-leading
events knowing that the event would not turn a profit. I also know that the
Foundation has obviously supported events where the event is projected to turn
a profit.
    a) Has there ever been an instance where a proposed event projected to
turn a profit is denied the supporting funds?
    b) What percentage of events projected as losses are supported by
Foundation funds?

2) Has any chapter historically spent more than $5,000 in a given year for
costs *other than* hosting a revenue-generating event?

3) What percentage of Foundation funds are currently generated from
revenue-generating events?

4) Historically, I know that Foundation events have been heavily reliant on
local chapters on the "on-the-ground" logistics of Global AppSec events (e.g.
Mark for AppSec US 2009, John for AppSec EU 2009, Andrzej for AppSec EU
2008, Seba for AppSec EU 2007, etc). My understanding is in those events,
there was no profit sharing whatsoever in place aside from the membership
revenue from the spike in OWASP registrations at the event.
   a) What motivated such chapters to host a revenue-generating event in
the past?
   b) What *currently* motivates chapters to host a revenue-generating
event under the current profit-sharing rules?
    c) If a local chapter has the choice between hosting a
revenue-generating event where they keep the profits vs one where they do
not, is there any incentive to run an event where they do NOT keep the

5) Holding an event under the OWASP Foundation umbrella entails several
implicit "infrastructure" things (e.g. 501(c) status, liability insurance,
indemnity, etc)
    a) What legal considerations are implicitly part of "belonging" to the
OWASP Foundation?
    b) What are the associated costs for these protections/considerations?
    c) What are the implications for an event that runs without these

6) Historically, what is the membership revenue that a local chapter
receives from the spike in registrations at a revenue-generating event?

7) How do we currently recognize and reward chapters that put on
outstanding and/or profitable events?

First, let me state that I think everyone involved with OWASP believes in
the mission and wants to do what's right for OWASP.

I think the underlying question that no one is vocalizing is, "who decides
what's 'right' for OWASP and therefore where money should be spent"?

On the one hand, it only makes sense that chapters deserve a say in how to
drive the spending of funds they worked hard to help create. Hopefully we
have a model to reward/recognize such efforts. At the same time, the
Foundation clearly depends on chapters and the revenue-generating funds
they help create so OWASP clearly needs to be careful about changing policies
that have indirect impacts on the revenue model.

My recollection is that the Foundation has either barely broken even or lost
money the previous couple of years. As stated previously, local chapters
provide substantial logistical support for all current OWASP events. If
there is a shift in policy that encourages local chapters to host their own
events to retain profit, then we need to account for the decrease in the
number of chapters willing to support larger events where they retain less

It's clearly a delicate balance issue - so in one sense, I'm glad I'm just
on the sidelines for this one :)
