[Owasp-board] Profit Sharing Discussion
sarah.baso at owasp.org
Wed Nov 14 18:09:29 UTC 2012
Board Members -
My thoughts on the new proposed policy and long term success of the
Foundation and Global AppSec "brand":
*Overall - I think the new policy is ok, as currently drafted*.
- I would recommend a modification similar to what Josh and Dave
discussed in their comments. *"2. All other events not classified as
one of the Global AppSec Events will realize a 10/90 revenue split
(Foundation/chapter) up to $5,000 USD. Any profits above the $5K will
recognize the standard 60/40 split. (Foundation/Chapter)."*
*For larger chapters that want to run a local or regional event on a
yearly basis, we should have an avenue for them to recognize a larger
profit. Also, they are doing all (or most of) the work then they should
be able to get most of the profits. I would say that a chapter can
request up to an additional $5000 by submitting both a chapter budget
and event budget to be approved by staff.*
*Bigger picture issues:*
As we look at the need for the Global AppSecs to serve as major fundraisers
to support the other goals/initiatives of the foundation - I think we need
to consider the possibility of a different approach to the model. Many of
the issues with the funding & conference planning model(s) that have been
used in the past and proposed for the future surround the dichotomy that 1)
we need a model that will raise money for the foundation and support our
GLOBAL initiatives (i.e. Money generated from AppSec USA supports outreach
in APAC, Latam, and Europe), 2) chapters/volunteers want proper control,
recognition and "funds" for their input and efforts in creating and driving
A few examples:
- *Profit distribution:* What portion of the profits should a chapter
get that raises almost $150,000 for the foundation and has MANY volunteers
dedicating their nights and weekends for months to make a successful event?
How should the profits differ for another chapter that only has 2
volunteers that contribute all of their time, but only raise $5000 for the
foundation? What about a third scenario where there is virtually no help
from the local chapter and the event raises $10,000 due to contributions of
a global volunteer base and OWASP Staff efforts?
- *Content:* How do we build a professional call for papers or call for
training system that gives local volunteers the control and input they want
but also accommodates regional needs (Standard conference vs. Research
driven conference), building the OWASP Brand (promoting OWASP Projects),
and maintains a professional selection process that is communicated to the
larger community and pool of applicants?
- *Sponsorships:* While moving locations from year to year brings in a
new crowd of attendees local to that area, this also comes with many
"unknowns" for sponsors. What will the vendor space look like, what will
the sponsor's availability to attendees be, how will their sales team
generate leads? From the perspective of building relationships with the
sponsors and giving them a consistent expectation from year to year - it
would be best for us to be able to lay out specifications/guidelines for
the global event planners (and clearly outline to the sponsors what they
can expect for their money). This sometimes runs in conflict with what the
local event planners think would be best for their individual event.
A suggestion for 2014 that Kate and I have discussed is to *move the
Global AppSecs to a static location from year to year*. In this model, the
employees would work with a team of volunteers (not necessarily local) to
plan and implement the conference. The model would change from one that is
trying to make money for one chapter and control of the decisions for that
chapter to one that is more global. I think creating an event template
with many re-usable parts (not to mention service providers - venue,
catering, AV, etc) would be much easier and allow us to focus on things
like content and the OWASP message rather than logistics. Additionally, I
think this type of model is more sustainable and scalable for long term
growth for our brand and fundraising objectives.
A static location would also allow for more planning in advance. Right now
we do the call for conferences a year out. The idea that these events
(especially as they grow in size) should start planning more than a year in
advance has come up a few different times on conference committee calls and
discussions. The problem remains that the submissions/location proposals
are driven by local chapter leaders (ideally teams), and planning a global
app sec is a large investment in time and energy. Many people would
probably argue "too large" which is one of the reasons we don't get more
proposals in our call for locations. To ask conference planners to submit
even more in advance is often difficult as they don't know their schedule
or where their life will be that far in advance. Once again, having static
locations and planning process that is more centralized will help overcome
If others are in support of considering this new static location model,
there are certainly a lot of details to work out including: where will
these static locations be, how do we solicit and reward volunteers
(especially if we aren't allowing the chapter in the static location to
reap profits), etc.
I certainly don't think this is the ONLY option for us, but it is something
to consider as our events and organizational needs continue to grow. I
wasn't "sold" on this idea initially, but the more I think about it, the
more it seems like a plausible option for us. Consider that as we are able
to do more fundraising centrally, we also can empower local/regional event
planners to focus on outreach rather than income... which also supports our
community and the mission.
Looking forward to hearing thoughts and input on this new model.
On Wed, Nov 14, 2012 at 9:11 AM, Sarah Baso <sarah.baso at owasp.org> wrote:
> Michael et al -
> *First for reference, here is the current policy in place:*
> Local host chapters will share in OWASP event profits under the following
> schedule. In the case of multiple host chapters, the host chapters will be
> responsible for determining the division before the event.
> - Global AppSec Conference - 25% of event profits with a $5,000 USD
> cap ($10,000 for multi-chapter events)
> - Regional/Theme Events - 30% of event profits with a $4,000 USD cap
> - Local Events - 50% of profits with a $3000 USD cap
> *Budgeting Implications*
> Under the new plan, there is an opportunity for the local chapter to earn
> much more than that listed below if they surpass the profit target, but
> just using the profit target as a guideline... here are the numbers....
> [image: Inline image 1]
> *Comments from Conferences Committee Call & Mailing List Thread*
> From July 18, 2012 Conference Committee Call:
> - Request for Comment: proposed policy for profit sharing and
> financial oversight of future OWASP events:
> The Board intends to finalize this policy at their next meeting (scheduled
> for August 13, 2012), and have requested that you submit any comments,
> questions, or concerns for their consideration by that time.
> - “Any amount above the profit target will be allocated 60/40 to the
> local chapter.” Need to clarify that 60 is to Foundation and 40 is to
> local chapter.
> - Should we have different policies for different areas of the world
> to reflect the different culture/mindset in different areas (US, Europe,
> - No perspective on how we continuously evolve and better the Global
> AppSec Conference in that region next year. For instance, how can we use
> the profits from AppSec EU research this year to benefit AppSec EU (and the
> European region) next year.
> - Current policy is focused on 2 things: local chapter and foundation
> as a whole. However there are other considerations such as regional
> - Are we adjusting the policy to only accommodate needs in the US, but
> not the rest of the world?
> - This policy also doesn’t take into account any corporate
> supporters/membership dues that come in during a conference.
> - What are chapters doing with their conference proceeds? What is
> their motivation for keeping a “stock pile” in their chapter accounts?
> - Ralph - “The current proposed model is great!”
> Email Request to Conference Committee mailing list <http://lists.owasp.org/pipermail/global_conference_committee/2012-July/002659.html>
> - *Response from Josh Sokol*
> 1. The point about when the profit target is determined is unclear. Does
> this mean for the US event that we are determining the target after the
> event has taken place or is this for the next year's event? Why are we
> using the US event to determine the timing for other events. IMHO, we
> should be able to set the profit target for the following year's event
> within 60 days of the completion of the current year's event.
> 2. I am fine with the percentage splits here, but do not agree with the
> $5,000 value at which they happen. This is more than enough for a smaller
> chapter holding an event, but for a larger chapter, such as my Austin
> chapter, our event would have to profit $18,750 in order for us to raise
> our annual budget of roughly $10,000. In other words, this $5,000 number
> does not allow us to scale profit splits well as chapter sizes grow. My
> suggestion would be to make $5,000 the base number here UNLESS a chapter
> running an event has submitted a budget showing annual expenses greater
> than that amount, in which case they are allowed up to that amount at the
> 10/90 split. A subtle change, but one which I believe is necessary in
> order for this policy to scale appropriately.
> 3. I agree that the Chapters committee should be responsible for monitoring
> chapter accounts, budgets, and expenses as necessary.
> 4. I agree that the Chapters committee will need to establish new
> guidelines similar to those of the Conferences committee for local and
> regional events held by the chapters.
> - *Response from Mark Bristow*
> I agree with Josh on #1. The profit targets should be set in outyear
> budget planning with it locked in at the beginning of each OWASP FY. The
> mechanics of this as proposed are a bit odd. My only point is that the
> targets should be set BEFORE the CFP goes out so applicants have clear
> expectations set.
> Otherwise I'm personally fine with this as written. I'm not in favor of
> Josh's proposed changes in #2. As written this provides an avenue for
> chapters to raise significant funds from events while ensuring that the
> foundation also recovers its capital investments/costs in a "chapters
> first" model. IMO this is a good balance of the priorities.
> - *Response from Dave Wichers*
> The target is done in advance, not after the event. We use the U.S. event as
> the date after which we figure out next year's targets because it is the
> biggest single revenue source for OWASP, so it affects the entire next
> year's budget in a significant way.
> However, I could see that we could come with an estimate for each event
> right after the previous event, and then potentially adjust it right after
> OWASP AppSec USA, with the goal that it NOT be adjusted if possible. That
> way conference planning generally know almost a year in advance the revenue
> target primarily based on the revenue generated the previous year.
> Regarding the $5K threshold, I think some potential for adjustment above $5K
> is reasonable to consider for the larger chapters. I might not agree to have
> the 10/90 go up to their entire target budget, because chapters raise
> revenue in other ways too, like encouraging memberships, etc. And if they
> go way over their target, then the chapter could be significantly overfunded
> because they get 40% of the overage too. And we should also consider the
> amount of $ the chapter already has in their account as well. I.e., if you
> plan to spend $10K but have $5K already there, then maybe $5K is a more
> appropriate target.
> The good news, from your reply is that you seem to be OK with the entire
> policy except for this one specific point, which I think is BIG progress.
> Hopefully others feel similar so we are approaching closure on this.
> Thanks for reviewing this.
> - *Again from Josh Sokol*
> Sure there are other ways to raise revenue, but that's not really the
> point. The point is that a chapter should be able to raise the operational
> funds it needs via whichever method it desires. Membership revenue is
> limited and will in all likelihood not make up that gap. And not every
> chapter is fortunate to be able to land a big company to sponsor them.
> Also, chapters having a little bit more money than they need is not
> necessarily a bad thing and is a reward for running a successful event.
> Having some extra funds available also breeds innovation. As an example,
> it's having extra funds that got the Austin Chapter to start doing these
> monthly webinars as part of our meetings and that translates directly to a
> wider reach for the OWASP organization. Perhaps the compromise here is to
> take the chapter's annual budget minus the money currently in the chapter's
> - *From Tin Zaw*
> First of all, thank you for all who worked on this draft proposal. I
> think we are getting somewhere with this.
> Secondly, thank you Sarah for kindly attaching the document for those
> of us who cannot access Google Docs (at work).
> 1. I understand Dave's explanation. I would suggest we make it clear
> that such number is communicated well in above so that event planners
> (the host chapter) know what they need to deliver, preferably before
> submitting a proposal.
> 2. I am OK with $5000 limit before 60/40 split kicks in, assuming that
> $5000 is the profit that goes to the chapter under 10/90. I would like
> to see it stated explicitly that $5000 is the profit portion for the
> chapter, not overall profit or income.
> The rest, I agree.
> Great job guys!
> *My comments/input... coming up next in a separate email.*
> *Sarah Baso*
> On Mon, Nov 12, 2012 at 1:19 PM, Michael Coates <michael.coates at owasp.org> wrote:
>> As a reminder from our public board meeting today (
>> https://www.owasp.org/index.php/Nov_12,_2012), we're going to continue
>> discussing the profit sharing proposal in this thread.
>> I want to be sure we thoroughly consider edge cases (what about
>> training?), overall messaging, the impacts of this policy (e.g. what kind
>> of organization is this encouraging?) and simplicity (straightforward is
>> In addition we need to ensure we've properly considered the following:
>> 2013 Budgeting Impacts
>> Sarah's Analysis (being closely integrated with conferences)
>> Other Feedback from conference & chapters committees - I believe this was
>> already solicited, just need to copy in the feedback.
>> Link to proposal:
>> Michael Coates | OWASP | @_mwc
> OWASP Foundation
> sarah.baso at owasp.org