[Owasp-board] [Owasp-leaders] Public Comment

Josh Sokol josh.sokol at owasp.org
Mon Dec 15 18:05:05 UTC 2014


Ultimately, yes, the Board has the ability to modify the bylaws and other
rules of the organization which govern how the Projects Committee and the
Compliance Officer perform their duties.  That said, the goal of the
Committees 2.0 model (
http://owasp.blogspot.com/2014/07/owasp-committees-20.html) was to allow
members to pre-define the scope of a committee and be empowered to take
action within that scope.  So, in the case of the Project Committee, as an
example, the Board has effectively delegated our authority within the
stated scope of the committee.

The Compliance Officer is a slightly different story since the goal there
is to create a neutral mechanism to perform investigations and make
recommendations to the Board.  The Compliance Officer's responsibilities
are limited to the investigation and report based on the Whistleblower
Policy (https://www.owasp.org/index.php/Governance/Whistleblower_Policy).
If the Compliance Officer were to not be following those guidelines, then
the Board would need to take action.

~josh

On Fri, Dec 12, 2014 at 2:07 PM, Bev Corwin <bev.corwin at owasp.org> wrote:
>
> PS: Legally, also, the board has "oversight" of the Oversight Committee
> and Ombudsman's Office, as well, correct?
>
> On Fri, Dec 12, 2014 at 3:04 PM, Bev Corwin <bev.corwin at owasp.org> wrote:
>>
>> Thanks Jim,
>>
>> Who handles organizational strategy?
>>
>> Best wishes,
>> Bev
>>
>>
>> On Fri, Dec 12, 2014 at 2:01 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>  Bev,
>>>
>>> The board does indeed set the vision for the organization. But project
>>> oversight responsibility has been passed to the project committee, and
>>> overall compliance issues are led by our ombudsman (compliance officer)
>>> Martin Knoblock.
>>>
>>> Aloha,
>>> Jim
>>>
>>>
>>>
>>> On 12/11/14 10:28 AM, Bev Corwin wrote:
>>>
>>> Thanks Josh, Doesn't the board have "oversight" and "compliance"
>>> responsibilities to the OWASP Community? Best wishes, Bev
>>>
>>> On Thu, Dec 11, 2014 at 12:57 PM, Josh Sokol <josh.sokol at owasp.org>
>>> wrote:
>>>
>>>>  It's a good point and I've definitely seen examples in the past of
>>>> where a project has made significant decisions in a relative bubble before
>>>> publishing it as an "open" document.  Honestly, I think to some extent that
>>>> boils down to the project leadership/management and how they choose to run
>>>> things.  Not that it makes it right or wrong.  I do agree with Simon in
>>>> that this is not a Board decision though.  If for some reason people felt
>>>> like project leaders are incapable of doing this, or that rules need to be
>>>> put in place to enforce it, then that's something I would look to the
>>>> Project Committee to establish.
>>>>
>>>>  ~josh
>>>>
>>>>  On Thu, Dec 11, 2014 at 11:51 AM, Bev Corwin <bev.corwin at owasp.org>
>>>> wrote:
>>>>
>>>>>  PS: Your reference was for "free" not "open". Do you have something
>>>>> that would be a good reference for "open"? How about free and open? Thank
>>>>> you!
>>>>>
>>>>> On Thu, Dec 11, 2014 at 12:50 PM, Bev Corwin <bev.corwin at owasp.org>
>>>>> wrote:
>>>>>
>>>>>> Dear Simon,
>>>>>>
>>>>>>  Thank you. Good info, very much appreciate it. Where are you
>>>>>> pulling your assumptions from? Is there a definition of "open" somewhere
>>>>>> that could be referenced? So many organizations claim to be "open",
>>>>>> however, very few actually "manifest" it well. Would be nice to see some
>>>>>> kind of guidelines somewhere. That would be a board policy issue to
>>>>>> recommend such things, wouldn't it?
>>>>>>
>>>>>>  Best wishes,
>>>>>> Bev
>>>>>>
>>>>>>
>>>>>> On Thu, Dec 11, 2014 at 12:36 PM, psiinon <psiinon at gmail.com> wrote:
>>>>>>
>>>>>>>   I'm not sure this is a board matter, although board members
>>>>>>> should definitely speak up if they disagree :)
>>>>>>>  I think this is more a matter of 'good open source
>>>>>>> leadership/management' as it applies to all open source projects and not
>>>>>>> just OWASP ones.
>>>>>>>  But it's something we can all learn from each other and so I think
>>>>>>> this list is a good place to discuss it.
>>>>>>>
>>>>>>>  Can you explain in a bit more detail which project(s) you are
>>>>>>> referring to, what stage they are at and what you hope to get out of such
>>>>>>> consultations?
>>>>>>>  I think the approaches for well established projects are likely to
>>>>>>> be very different from ones that are just starting out.
>>>>>>>
>>>>>>> There are online resources like this which might help you:
>>>>>>> http://producingoss.com/
>>>>>>>
>>>>>>>  Any others people can recommend?
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Simon
>>>>>>>
>>>>>>> On Thu, Dec 11, 2014 at 5:26 PM, Bev Corwin <bev.corwin at owasp.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Thanks Simon, Yes, that is what I thought as well. Has the board
>>>>>>>> made official recommendations about these things? Are they documented
>>>>>>>> somewhere? As a practice, are there any guidelines for how to best do this
>>>>>>>> in the community? Do we have a mailing list of interested public
>>>>>>>> contributors that we can submit requests for comments to, etc.? Best
>>>>>>>> wishes, Bev
>>>>>>>>
>>>>>>>> On Thu, Dec 11, 2014 at 12:20 PM, psiinon <psiinon at gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>>    Hi Bev,
>>>>>>>>>
>>>>>>>>>  I'm confused :/
>>>>>>>>>  All OWASP projects are open source and should therefore be open
>>>>>>>>> for public comment at all times.
>>>>>>>>>  All projects must have public lists that are clearly discoverable
>>>>>>>>> via the project page.
>>>>>>>>>  You can ask for specific feedback from other leaders / your users
>>>>>>>>> / the general public at specific times as well of course.
>>>>>>>>>
>>>>>>>>>  Cheers,
>>>>>>>>>
>>>>>>>>> Simon
>>>>>>>>>
>>>>>>>>>  On Thu, Dec 11, 2014 at 5:05 PM, Bev Corwin <bev.corwin at owasp.org
>>>>>>>>> > wrote:
>>>>>>>>>
>>>>>>>>>>  Dear OWASP Board and Leaders,
>>>>>>>>>>
>>>>>>>>>>  Is it possible for OWASP projects and initiatives to open up
>>>>>>>>>> for public comment at various stages in our projects and initiatives
>>>>>>>>>> development processes? Do we have any board or leader level
>>>>>>>>>> recommendations, policies / best practices for this kind of thing?
>>>>>>>>>>
>>>>>>>>>>  Best wishes,
>>>>>>>>>> Bev
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>  _______________________________________________
>>>>>>>>>> OWASP-Leaders mailing list
>>>>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>  _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>
>>>>>
>>>>
>>>
>>>