[Owasp-board] Business Plan outline - project and consulting work

Jim Manico jim.manico at owasp.org
Wed Apr 30 23:51:04 UTC 2014

Since we are officially not going to go with SWAMP, can you please CC me 
in when you tell Kevin Green? I want to make sure he understands why 
from the board level.

Thank you,

On 4/29/14, 8:35 PM, Samantha Groves wrote:
> Hello All,
> Sarah has asked me to review the business proposal in more detail, and 
> I just wanted to share my thoughts on the situation and the proposed 
> SWAMP integration agreement.
> As you know, Kevin and I have been working on this proposal for some 
> time. Originally, this discussion started with SWAMP wanting to 
> sponsor a project summit based on our tools projects, but it slowly 
> evolved into more of a consulting type of engagement. I then shared my 
> concerns with Sarah, and asked for her help as the scope of this 
> agreement had changed into one where OWASP could potentially find 
> itself liable.
> Now, after reading Sarah's business proposal, I have to say, that I am 
> in total agreement with what she recommends. I do not believe we 
> should move forward with this opportunity as it stands, or opening up 
> a consultancy business for us under the foundation umbrella at this 
> point in time. Here is why:
> 1). Infrastructure: We do not have the appropriate operational 
> infrastructure set up to run a consultancy. It is a very different 
> type of business, and it requires dedicated resources to build and run 
> it.
> 2). Human Resources: We do not have the staff or the funds to hire the 
> staff we would need to open this new line of business. You will need 
> to hire your project, operations, and sales staff to start, as Sarah 
> pointed out.
> Moreover, I HIGHLY recommend we not rely on volunteer efforts to 
> complete contracted work. As I mentioned, consulting is a very 
> different type of business with different risks and liabilities, and 
> to rely on volunteers to complete your contractual obligations is not 
> a very good business decision. You need dedicated resources that are 
> directly accountable for delivery as the statements of work and 
> project plans are rigid. There is very little flexibility, and from my 
> experience, volunteers need flexibility when working on projects as 
> this work is not their primary source of income.
> Now, I realize that we have won several grants for our projects that 
> give them the funding they need to complete project milestones. 
> However, I would like to clarify and stress that receiving grant 
> funds, and entering into a business contract, are two very different 
> endeavors. Grants are far more flexible, and they are a donation for a 
> very particular purpose made to an organization. This is why having 
> volunteers work on projects with grant funding is far more reasonable 
> as the timeline, milestones, and deliverables are flexible. They are 
> more in line with the innovation type of platform we currently have.
> 3). Legal Liabilities: Now, I am not legal counsel by any stretch of 
> the imagination, but I have been trained in basic international 
> business law and IP. Sarah outlines the legal risks to our business 
> perfectly in section VII of her proposal. As I mentioned, getting into 
> a contractual agreement with another organization, whether the 
> products are open-source or not, still makes us liable for delivery of 
> whatever is specified in the contract. I have read Jim's comment about 
> OWASP providing no-warranty as the product is open source, and that is 
> correct. The products are without warranty (open-source); however, our 
> legal liability to produce what is in the contract, is not. They are 
> two separate things.
> These are only three of quite a few other concerns I have about this 
> new line of business, and entering into an agreement with the SWAMP 
> team at this point in time. The way I see it, we have two questions:
> 1. Should we enter into the proposed agreement with SWAMP?
> 2. Should we start a new line of business: Consulting?
> *Answers*
> 1. I do not believe we should enter into the agreement with SWAMP as 
> the contract makes us liable for the work produced, as it stands. Now, 
> if Kevin and team are ok working with the project leaders directly, 
> then I see no issue with that. However, I highly recommend that the 
> foundation not enter into a contract with another organization (SWAMP) 
> on a consultancy basis as we are fully aware we do not have the 
> infrastructure to deliver what is promised in the Statement of Work. 
> We are taking a big risk, and while I am very comfortable with risks 
> and recommend them in business, we must make sure to take calculated 
> risks. This, to me, is not a calculated risk. It is a reactive one 
> based on an opportunity that we might not be able to make good on.
> 2. I do not recommend we do this at this time. I think it is an 
> excellent idea to consider in a year's time, but we are not in a 
> position where we can take this on right now. It requires quite a bit 
> of investment, and as I see it, we are not even in a position to make 
> appropriate business decisions when it comes to starting lines of 
> business like this. The fact that we were even entertaining the idea 
> that we should run this consultancy under the OWASP non-profit 
> umbrella makes it clear to me that we are not ready to take this on. 
> We cannot run it as a separate program. As Sarah suggested, we will 
> need to start a new organization, such as a for-profit subsidiary of 
> our non profit, so we can shift liability to that entity in case 
> anything goes wrong. This way, if we are sued into bankruptcy, we 
> still have the mother-ship intact.
> These are just my 2 cents after briefly reviewing the situation and 
> scope. I hope it is helpful.
> Thank you, Sarah and Board.
> Samantha
> On Mon, Apr 28, 2014 at 6:03 PM, Sarah Baso <sarah.baso at owasp.org 
> <mailto:sarah.baso at owasp.org>> wrote:
>     All -
>     Here is the (brief) business plan I put together on the project
>     and consulting work such as that being requested by DHS Swamp.
>     Admittedly, I stopped with the details on what rolling out a
>     plan like this would look like after doing some initial
>     research on the legal and tax repercussions for us.  Additionally,
>     I don't think this exact model is in alignment with the charity
>     work we are trying to accomplish.
>     This is not to say we shouldn't look for funding opportunities to
>     develop our projects - but I don't think this model is the right
>     one for us.
>     https://docs.google.com/document/d/1S3J8Krkysqr0m5U9-NLefMCOGvmGFw30oJU-8IMH4zQ/edit?usp=sharing
>     I look forward to hearing your thoughts.
>     Sarah Baso
>     -- 
>     Executive Director
>     OWASP Foundation
>     sarah.baso at owasp.org <mailto:sarah.baso at owasp.org>
>     +1.312.869.2779 <tel:%2B1.312.869.2779>
>     _______________________________________________
>     Owasp-board mailing list
>     Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-board
> -- 
> *Samantha Groves, MBA*
> /OWASP Projects Manager/
> The OWASP Foundation
> Phoenix, USA
> Email: samantha.groves at owasp.org <mailto:samantha.groves at owasp.org>
> Skype: samanthahz
> OWASP Global Projects 
> <https://www.owasp.org/index.php/Category:OWASP_Project>
> Book a Meeting with Me <http://goo.gl/mZXdZ>
> OWASP Contact US Form <http://owasp4.owasp.org/contactus.html>
> New Project Application Form <http://www.tfaforms.com/263506>
