[Owasp-board] Update on Google Hacking Inquiry and Request for Reinstatement

Josh Sokol josh.sokol at owasp.org
Mon Feb 3 23:28:25 UTC 2014

OWASP Board,

I feel, at this point, like I am ready to make a recommendation on the
Google Hacking Inquiry, but am currently waiting to hear back from
Christian regarding his ability to move forward if his membership were to
be reinstated.

*Google Hacking Inquiry*
Regarding the Google Hacking inquiry, I have had a couple of phone calls
now with Christian as well as one with Chris Gates (both recorded and
you've been provided with links separately).  I've also been in contact
with Jeff Williams, Dinis Cruz, Brad Causey, and Jason Li to talk about
circumstances around the Google Hacking Inquiry.  There have been a few
others whose names have come up that it may be pertinent to speak to (Chris
Spencer and Andrew Vanderstock), but I'm confident that it won't change my
advice here.  While I cannot go so far as to say that a great injustice has
been done, I do think that I've found plenty of evidence to make me doubt
the circumstances of the inquiry and it's benefit (or lack thereof) to

Unfortunately, back then, there does not appear to have been much control
over the projects.  There did not exist the new levels, but if I had to
qualify it, I'd say that the Google Hacking Project fits squarely into the
"Incubator" level of our new project classification.  The interesting thing
about this level is that source code is NOT required.  To the contrary,
this level is basically, "I have an idea, let's see if I can turn it into
something real."  One of the deliverables for moving on to the next level
is a working POC, but from the looks of it, one could remain in the
"Incubator" bucket for up to a year without ever providing the source
code.  And, assuming you did that, the consequence is to be de-listed from
the "Incubator" bucket until you have a POC.  This makes 100% sense to me
as it helps to foster ideas and provide support while still maintaining
quality control over our projects.  Christian's claim is that he had his
source code in an open repository, but never published a link because his
project was never reviewed.  He provided at least one potential reviewer
who was rejected at the time because they were not an OWASP member.  His
attempts to find a reviewer who was an OWASP member were unsuccessful.  His
presentations at the time did include a slide soliciting reviewers.  So, my
conclusion here is that Christian did what would be expected of an
"Incubator" level project.  Publishing source code probably shouldn't have
been an expectation (at least not right off the bat) and the resulting
"punishment" from the Inquiry was certainly harsher than today's standard.

On top of the above, it is clear that Christian feels that the Inquiry has
affected his ability to work as well as his general state of well being.
If this is true, then it is in direct contradiction to the OWASP Code of
Ethics where we state that OWASP members should not intentionally injure or
impugn the professional reputation of our colleagues.  I don't think that
it is rational for us to question whether this is or is not true, and
therefore feel like our best course of action is to assume that it is and
work to correct the situation.  My proposal is to remove the Google Hacking
Inquiry document and any reference documentation as well that is on the
OWASP public website.  In it's stead, I would like to place the following

Recently, information has been brought to our attention which allows the
> current OWASP Board to revisit OWASP's position on the Google Hacking
> Inquiry that was undertaken in July of 2010.  The OWASP Code of Ethics<https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Code_of_Ethics>states that we should not intentionally injure or impugn the professional
> reputation of colleagues and, upon consideration, we feel that perpetuating
> the inquiry results would do just that.  As such, we feel that it is in the
> best interests of the OWASP Foundation and all concerned parties to wipe
> the slate clean by removing the details of the inquiry from our public
> records at this time.  We feel sincerely sorry for any damages that this
> inquiry may have caused to any of the parties involved.

Let me be absolutely clear that this is not what Christian requested, but
rather, what I feel is the right thing to do given the circumstances.
Christian's first question to me was "What good did the inquiry do for
OWASP?" and my answer, unfortunately, is that I'm really not finding any.
It chastised an active project leader for doing what it appears that
several others were also doing at the time, potentially furthered personal
biases, created negative feelings between Christian and OWASP, and just
generally seems unfair to me.  I'm actually a bit ashamed that this inquiry
has been allowed to linger for so long as it just perpetuates the things
that we've done wrong, rather than all of the things that we've done
right.  Regardless of how Christian or others feel about it, I believe that
it's time to wipe the slate clean here and put an end to the negativity
surrounding the inquiry.

I'd like to propose a vote that we strike any reference to the Google
Hacking Inquiry on owasp.org and our public documentation and replace it
with the text above.

*Request for Reinstatement*
Unfortunately, our last call was cut short again with Christian dropping
off the line.  I sent an e-mail to him attempting to reconcile our next
steps, but I'm not sure that we are on the same page currently.  His desire
is for OWASP to pursue another inquiry, similar to his own, charging Chris
Gatford with being the individual behind the initial requests for inquiry
and treating him as though he were an OWASP member as he was a chapter
leader during that time.  I told him that I feel like the inquiry should
not have been undertaken in the first place and that performing another
inquiry and getting involved in a dispute between the two of them would
serve no value to OWASP.  I have politely declined my support for such an
initiative, but told him I would offer it to the other Board members if any
of you are so inclined to pursue it further.

Since I am unable to support his current request, and since he has stated
that he is unable to move beyond this until this other inquiry has been
performed, I am at a loss as far as next steps go.  My proposal would have
been to do a 90 day probational membership reinstatement for Christian.
Provided that there were no issues during this time period, I think that we
could consider whatever level of activity he maintains a relative success
and we should grant full membership.  However, if there were to be issues,
the request for reinstatement should be denied with a permanent ban so that
no future Board members need to brief themselves on the past in order to
make a decision about the future.  My rationale for this rationale for this
is based squarely upon the assumption that all negative behaviors were due
to the Google Hacking Inquiry and it's personal affect on Christian.  A 90
day probation should serve as a decent test to determine if he is willing
to move beyond that and put the negativity behind us.  I am not requesting
a vote at this time here as I feel no decision can be made without
Christian's support for the path we take.  I will continue to work with him
to hopefully come to a peaceful resolution.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20140203/8be2db13/attachment.html>

More information about the Owasp-board mailing list