[Owasp-board] Business Plan outline - project and consulting work
Jim Manico
jim.manico at owasp.org
Wed Apr 30 23:51:04 UTC 2014
Since we are officially not going to go with SWAMP, can you please CC me
in when you tell Kevin Green? I want to make sure he understands why
from the board level.
Thank you,
Jim
On 4/29/14, 8:35 PM, Samantha Groves wrote:
>
> Hello All,
>
>
> Sarah has asked me to review the business proposal in more detail, and
> I just wanted to share my thoughts on the situation and the proposed
> SWAMP integration agreement.
>
> As you know, Kevin and I have been working on this proposal for some
> time. Originally, this discussion started with SWAMP wanting to
> sponsor a project summit based on our tools projects, but it slowly
> evolved into more of a consulting type of engagement. I then shared my
> concerns with Sarah, and asked for her help as the scope of this
> agreement had changed into one where OWASP could potentially find
> itself liable.
>
> Now, after reading Sarah's business proposal, I have to say, that I am
> in total agreement with what she recommends. I do not believe we
> should move forward with this opportunity as it stands, or opening up
> a consultancy business for us under the foundation umbrella at this
> point in time. Here is why:
>
> 1). Infrastructure: We do not have the appropriate operational
> infrastructure set up to run a consultancy. It is a very different
> type of business, and it requires dedicated resources to build and run
> it.
>
> 2). Human Resources: We do not have the staff or the funds to hire the
> staff we would need to open this new line of business. You will need
> to hire your project, operations, and sales staff to start, as Sarah
> pointed out.
>
> Moreover, I HIGHLY recommend we not rely on volunteer efforts to
> complete contracted work. As I mentioned, consulting is a very
> different type of business with different risks and liabilities, and
> to rely on volunteers to complete your contractual obligations is not
> a very good business decision. You need dedicated resources that are
> directly accountable for delivery as the statements of work and
> project plans are rigid. There is very little flexibility, and from my
> experience, volunteers need flexibility when working on projects as
> this work is not their primary source of income.
>
> Now, I realize that we have won several grants for our projects that
> give them the funding they need to complete project milestones.
> However, I would like to clarify and stress that receiving grant
> funds, and entering into a business contract, are two very different
> endeavors. Grants are far more flexible, and they are a donation for a
> very particular purpose made to an organization. This is why having
> volunteers work on projects with grant funding is far more reasonable
> as the timeline, milestones, and deliverables are flexible. They are
> more in line with the innovation type of platform we currently have.
>
> 3). Legal Liabilities: Now, I am not legal counsel by any stretch of
> the imagination, but I have been trained in basic international
> business law and IP. Sarah outlines the legal risks to our business
> perfectly in section VII of her proposal. As I mentioned, getting into
> a contractual agreement with another organization, whether the
> products are open-source or not, still makes us liable for delivery of
> whatever is specified in the contract. I have read Jim's comment about
> OWASP providing no-warranty as the product is open source, and that is
> correct. The products are without warranty (open-source); however, our
> legal liability to produce what is in the contract, is not. They are
> two separate things.
>
> These are only three of quite a few other concerns I have about this
> new line of business, and entering into an agreement with the SWAMP
> team at this point in time. The way I see it, we have two questions:
>
> 1. Should we enter into the proposed agreement with SWAMP?
>
> 2. Should we start a new line of business: Consulting?
>
>
> *Answers*
>
> 1. I do not believe we should enter into the agreement with SWAMP as
> the contract makes us liable for the work produced, as it stands. Now,
> if Kevin and team are ok working with the project leaders directly,
> then I see no issue with that. However, I highly recommend that the
> foundation not enter into a contract with another organization (SWAMP)
> on a consultancy basis as we are fully aware we do not have the
> infrastructure to deliver what is promised in the Statement of Work.
> We are taking a big risk, and while I am very comfortable with risks
> and recommend them in business, we must make sure to take calculated
> risks. This, to me, is not a calculated risk. It is a reactive one
> based on an opportunity that we might not be able to make good on.
>
> 2. I do not recommend we do this at this time. I think it is an
> excellent idea to consider in a year's time, but we are not in a
> position where we can take this on right now. It requires quite a bit
> of investment, and as I see it, we are not even in a position to make
> appropriate business decisions when it comes to starting lines of
> business like this. The fact that we were even entertaining the idea
> that we should run this consultancy under the OWASP non-profit
> umbrella makes it clear to me that we are not ready to take this on.
> We cannot run it as a separate program. As Sarah suggested, we will
> need to start a new organization, such as a for-profit subsidiary of
> our non-profit, so we can shift liability to that entity in case
> anything goes wrong. This way, if we are sued into bankruptcy, we
> still have the mother-ship intact.
>
>
> These are just my 2 cents after briefly reviewing the situation and
> scope. I hope it is helpful.
>
> Thank you, Sarah and Board.
>
>
> Samantha
>
>
>
> On Mon, Apr 28, 2014 at 6:03 PM, Sarah Baso <sarah.baso at owasp.org> wrote:
>
> All -
>
> Here is the (brief) business plan I put together on the project
> and consulting work such as that being requested by DHS Swamp.
> Admittedly, I stopped with the details on what rolling out a
> plan like this would look like after doing some initial
> research on the legal and tax repercussions for us. Additionally,
> I don't think this exact model is in alignment with the charity
> work we are trying to accomplish.
>
> This is not to say we shouldn't look for funding opportunities to
> develop our projects - but I don't think this model is the right
> one for us.
>
> https://docs.google.com/document/d/1S3J8Krkysqr0m5U9-NLefMCOGvmGFw30oJU-8IMH4zQ/edit?usp=sharing
>
> I look forward to hearing your thoughts.
>
> Sarah Baso
> --
> Executive Director
> OWASP Foundation
>
> sarah.baso at owasp.org
> +1.312.869.2779
>
>
>
>
>
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
>
>
>
> --
>
> *Samantha Groves, MBA*
>
> /OWASP Projects Manager/
>
>
> The OWASP Foundation
>
> Phoenix, USA
>
> Email: samantha.groves at owasp.org
>
> Skype: samanthahz
>
>
> OWASP Global Projects
> <https://www.owasp.org/index.php/Category:OWASP_Project>
>
> Book a Meeting with Me <http://goo.gl/mZXdZ>
>
> OWASP Contact US Form <http://owasp4.owasp.org/contactus.html>
>
> New Project Application Form <http://www.tfaforms.com/263506>
>