[Owasp-board] Profit Sharing Discussion

Dave Wichers dave.wichers at owasp.org
Mon Nov 26 14:33:08 UTC 2012

I am not available for today's board meeting.


From: owasp-board-bounces at lists.owasp.org
[mailto:owasp-board-bounces at lists.owasp.org] On Behalf Of Michael Coates
Sent: Sunday, November 25, 2012 8:08 PM
To: Jim Manico
Cc: OWASP Foundation Board List; Eoin Keary
Subject: Re: [Owasp-board] Profit Sharing Discussion


We need to nail this down as part of the 2013 finance planning. It will be
on the agenda for tomorrow.

At this point it's been well socialized and feedback has been received from
many sources. Everyone should be ready with final thoughts and ready for a


Michael Coates | OWASP | @_mwc

On Sun, Nov 25, 2012 at 1:59 PM, Jim Manico <jim.manico at owasp.org> wrote:

Are we voting on Monday, or on Dec 10th?


- Jim

Request for feedback sent to leaders list.
Please review the feedback and be ready to vote on this on Monday.
Michael Coates | OWASP | @_mwc
On Tue, Nov 20, 2012 at 12:37 AM, Eoin Keary <eoinkeary at gmail.com> wrote:

As mentioned a few weeks back, send to leaders for comment.
They are leaders and deserve input.
Eoin Keary
Owasp Global Board
+353 87 977 2988
On 20 Nov 2012, at 03:07, Tom Brennan <tomb at owasp.org> wrote:
This needs to go for comment to 200+ chapters. Especially chapters that
would be leveraged for international locations around the world for AppSec
events. Since the recent announcement neutering committees the only active
volunteers are the chapters that need to have a clear understanding of this
As a chapter leader we will see this year how appsec2013 works out now
that we have an employee-based primary team with local volunteer support.
The first call is upcoming
If anyone else wants to roll up sleeves the action/planning calls are
ongoing see; http://www.meetup.com/OWASP-NYC/events/86936002/
I prefer a flat % 75/25 after expenditures and no caps - chapters earning
should have simple split not complex that does not translate well or allow
the system to be gamed rather quickly.
As far as our chapter is concerned we need to generate 25k from appsecUSA
or it's not worth the effort.
Tom Brennan
On Nov 19, 2012, at 9:45 PM, Michael Coates <michael.coates at owasp.org> wrote:
Any other thoughts on the proposed model?  The feedback is all positive
with a few wording clarifications.  The bigger picture issue that Sarah has
mentioned is also a good item to consider.
Regarding the profit sharing proposal, I don't see any major concerns
either.  This item will be up for vote during our next meeting. Please make
sure to familiarize yourself with the details.  I'd like to get any
concerns out for discussion now so we can dig into these ideas before the
next board meeting.
Sarah - thanks for the financial analysis and thoughts. Very helpful.
Michael Coates | OWASP | @_mwc
On Wed, Nov 14, 2012 at 10:09 AM, Sarah Baso <sarah.baso at owasp.org> wrote:

Board Members -
My thoughts on the new proposed policy and long term success of the
Foundation and Global AppSec "brand":
*Overall - I think the new policy is ok, as currently drafted*.
   - I would recommend a modification similar to what Josh and Dave
   discussed in their comments.  *"2.  All other events not classified
   as one of the Global AppSec Events will realize a 10/90 revenue split
   (Foundation/chapter) up to $5,000 USD.  Any profits above the $5K will
   recognize the standard 60/40 split. (Foundation/Chapter)."*
*For larger chapters that want to run a local or regional event on a
yearly basis, we should have an avenue for them to recognize a larger
profit. Also, they are doing all (or most of) the work then they should
be able to get most of the profits. I would say that a chapter can
request up to an additional $5000 by submitting both a chapter budget
and event budget to be approved by staff.*
*Bigger picture issues:*
As we look at the need for the Global AppSecs to serve as major
fundraisers to support the other goals/initiatives of the foundation - I
think we need to consider the possibility of a different approach to the
model.  Many of the issues with the funding & conference planning model(s)
that have been used in the past and proposed for the future surround the
dichotomy that 1) we need a model that will raise money for the foundation
and support our GLOBAL initiatives (i.e. Money generated from AppSec USA
supports outreach in APAC, Latam, and Europe), 2) chapters/volunteers want
proper control, recognition and "funds" for their input and efforts in
creating and driving the conference.
A few  examples:
   - *Profit distribution:* What portion of the profits should a chapter
   get that raises almost $150,000 for the foundation and has MANY
   dedicating their nights and weekends for months to make a successful
    How should the profits differ for  another chapter that only has 2
   volunteers that contribute all of their time, but only raise $5000 for
   foundation?  What about a third scenario where there is virtually no help
   from the local chapter and the event raises $10,000 due to contributions
   a global volunteer base and OWASP Staff efforts?
   - *Content:* How do we build a professional call for papers or call
   for training system that gives local volunteers the control and input
   want but also accommodates regional needs (Standard conference vs.
   driven conference), building the OWASP Brand (promoting OWASP Projects),
   and maintains a professional selection process that is communicated to
   larger community and pool of applicants?
   - *Sponsorships: *While moving locations from year to year brings in
   a new crowd of attendees local to that area, this also comes with many
   "unknowns" for sponsors.  What will the vendor space look like, what will
   the sponsor's availability to attendees be, how will their sales team
   generate leads?  From the perspective of building relationships with the
   sponsors and giving them a consistent expectation from year to year - it
   would be best for us to be able to lay out specifications/guidelines for
   the global event planners (and clearly outline to the sponsors what they
   can expect for their money).  This sometimes runs in conflict with what
   local event planners think would be best for their individual event.
A suggestion for 2014 that Kate and I have discussed is to *move the
Global AppSecs to a static location from year to year*. In this model,
the employees would work with a team of volunteers (not necessarily local)
to plan and implement the conference. The model would change from one that
is trying to make money for one chapter and control of the decisions for
that chapter to one that is more global.  I think creating an event
template with many re-usable parts (not to mention service providers -
venue, catering, AV, etc) would be much easier and allow us to focus on
things like content and the OWASP message rather than logistics.
Additionally, I think this type of model is more sustainable
and scalable for long term growth for our brand and fundraising
A static location would also allow for more planning in advance.  Right
now we do the call for conferences a year out. The idea that these events
(especially as they grow in size) should start planning more than a year in
advance has come up a few different times on conference committee calls and
discussions.  The problem remains that the submissions/location proposals
are driven by local chapter leaders (ideally teams), and planning a global
app sec is a large investment in time and energy.  Many people would
probably argue "too large" which is one of the reasons we don't get more
proposals in our call for locations.  To ask conference planners to submit
even more in advance is often difficult as they don't know their schedule
or where their life will be that far in advance.  Once again, having static
locations and planning process that is more centralized will help overcome
these obstacles.
If others are in support of considering this new static location model,
there are certainly a lot of details to work out including: where will
these static locations be, how do we solicit and reward volunteers
(especially if we aren't allowing the chapter in the static location to
reap profits), etc.
I certainly don't think this is the ONLY option for us, but it is
something to consider as our events and organizational needs continue to
grow. I wasn't "sold" on this idea initially, but the more I think about
it, the more it seems like a plausible option for us.  Consider that as we
are able to do more fundraising centrally, we also can empower
local/regional event planners to focus on outreach rather than income...
which also supports our community and the mission.
Looking forward to hearing thoughts and input on this new model.
Sarah Baso
On Wed, Nov 14, 2012 at 9:11 AM, Sarah Baso <sarah.baso at owasp.org> wrote:

Michael et al -
*First for reference, here is the current policy in place:*
Local host chapters will share in OWASP event profits under the
following schedule. In the case of multiple host chapters, the host
chapters will be responsible for determining the division before the event.
   - Global AppSec Conference - 25% of event profits with a $5,000 USD
   cap ($10,000 for multi-chapter events)
   - Regional/Theme Events - 30% of event profits with a $4,000 USD cap
   - Local Events - 50% of profits with a $3000 USD cap
 *Budgeting Implications*
Under the new plan, there is an opportunity for the local chapter to earn
much more than that listed below if they surpass the profit target, but
just using the profit target as a guideline... here are the numbers....
*Comments from Conferences Committee Call & Mailing List Thread*
From July 18, 2012 Conference Committee Call:
   - Request for Comment: proposed policy for profit sharing and
   financial oversight of future OWASP events:


Owasp-board mailing list
Owasp-board at lists.owasp.org

