[Owasp-board] Getting it all out in the open

Dennis Groves dennis.groves at owasp.org
Fri Feb 14 18:04:23 UTC 2014

+1; Josh, you have shown OWASP an example of reasoning and fairness that
demonstrates a maturity often forgotten about when strong emotions are

I am hopeful that your example sets a precedent for not just the current
and future board, but for all of us to follow in future when dealing with



Sent from my phone, apologies for the brevity and spelling errors.
On Feb 14, 2014 8:57 AM, "Josh Sokol" <josh.sokol at owasp.org> wrote:

> There's been a lot of private messages floating around lately.  I
> understand that due to the sensitivity of certain topics, not everything
> that we do as a Board can be done entirely in the public light, but I do
> feel that it's extremely important to be as transparent as possible.  Thus,
> what follows is an attempt to summarize concerns and desires on behalf of
> everyone involved in Christian's request for reinstatement in a manner that
> does not reflect on any one individual.  I feel that I've dedicated enough
> time to this subject to be as much an expert as any and I feel confident
> that I know the thoughts, feelings, and rationales on both sides of the
> fence here.  Feel free to respond back as you see fit.
> *Christian:*
> Much of what you've said and done in both public and private is
> deplorable.  In the world of security, where your morals and ethics are the
> only thing that keeps you from passing as a BlackHat, time and time again
> you've proven to have at best poor judgement and at worst poor moral
> character.  You can try to rationalize it by saying that you have been
> wronged and deserve justice, but the fact is that these words and actions
> are yours and yours alone.  You may have been provoked, you may have been
> bullied, but what people see, what people hold onto, is how you handle
> yourself when that happens.  I've now spoken with numerous people who had
> close dealings with you and there is one recurring theme that *all* have
> mentioned.  No topic is off limits with you when it comes to insults and
> insinuations and you have no issue with burning bridges as you go.  With
> the global security community (and especially OWASP) being as small and
> close-knit as it is, it should be no surprise that your actions with one
> individual could have a ripple effect with others.  Reputations in this
> industry are built just as much on who you are as a person as on what
> you're technically capable of.  Even the best and brightest can be
> ostracized from a community if they continually serve on the side of
> negativity.  Thus, I implore you in public as I have already counseled you
> in private, to set aside this quest for justice as it continually leads you
> down the path of negativity.  While you may feel that you've hit rock
> bottom here, I feel that you will continue to stay there until you can
> reshape your attitude and approach to people.  You have the power to make
> your situation better, but that will be done with forgiveness and not
> vengeance.
> *Board:*
> While it's true that Christian has said and done some deplorable things,
> he is not a monster, he is a person with thoughts and feelings like any
> other.  He feels that an injustice has been done and that it has cost him
> his job and reputation.  If being married has taught me anything, it's that
> feelings aren't a "right" or a "wrong", but how something affects our
> mental or physical state.  Our choice now, just like in a marriage, is to
> determine whether it benefits the greater good more to ignore these
> feelings and dismiss the individual or to try to help them to feel
> different and hopefully better.  To be fair, I think that either approach
> is valid, but I think that the path you take here says a lot about your own
> character.  I'd also say that how you handle such a situation when it
> arises will likely determine your relationship with said individual going
> forward (i.e. does your marriage end in divorce, losing half your stuff, and
> split custody of the kids).  So, I'd ask you to think about what you
> ultimately want out of this situation.  Do you want to pursue the path that
> might allow us to reconcile our differences and make things better for
> everyone or do you want to make the individual feel belittled and
> unimportant?  You have the power to show some compassion and help a person
> who is down to change their life for the better.
> *All:*
> In my opinion, there are clear "wrongs" on both sides here.  We all need
> to own up to our actions and be willing to forgive if we are ever to move
> forward here.  Christian, this means taking personal accountability for the
> things that you've said and done and making a best effort to do better
> going forward.  Board, this means recognizing that Christian may have said
> and done some things out of desperation and despair and being willing to
> provide him with support and guidance so that he can adhere to our Code of
> Ethics moving forward.  Both sides need to consider this a "cease fire" and
> need to be willing to "wipe the slate clean" in order to move forward.
> *Conclusion:*
> The time has come for us to lay this issue to rest one way or another.  I
> don't want to deal with this same thing again in six months' time and don't
> want another Board to have to deal with it six years from now either.  So,
> I have two proposals here:
> 1) If either the Board feels that Christian cannot be changed or Christian
> feels that he cannot change himself, then I propose we just go our separate
> ways indefinitely.  No more temporary revocations or requests for
> reinstatement.  They only serve as a continual reminder for all parties of
> the hassles and heartaches involved here.  From Christian's perspective, we
> can say that he walked away by his own accord and from OWASP's perspective
> we can provide private documentation for future Boards of this mutual
> arrangement to exist separately.  There should be no "bashing" by or
> against either side going forward.
> 2) If Christian feels that he can change his behavior and the Board would
> be willing to provide an opportunity for him to do so, then I propose that
> we provide Christian with the reinstatement that he seeks under the
> following terms.  First, Christian *must* acknowledge that he understands
> and will adhere to the terms set forth in the OWASP Code of Ethics.  This
> is an expectation for all OWASP members and is non-negotiable.  I will
> point out that this explicitly means dropping any activities that would
> intentionally injure or impugn the professional reputation of colleagues,
> clients, or employers.  Second, I will personally offer myself up as a
> Board representative to help guide Christian toward success.  I feel that
> we've developed a decent working relationship and I hope that he feels the
> same way about me.  Third, for a period of one year, we consider this a
> trial run and Christian refrains from seeking leadership roles within OWASP
> or from presenting as a representative of OWASP.  This is to minimize risk
> to the Foundation of potential ramifications if we are unsuccessful in this
> endeavor.  Fourth, with the exception of above, Christian is to be treated
> as any other OWASP member.  No announcements about his return attempts to
> seek approval from the community.  We don't do this with others and
> shouldn't make a big deal out of it for him either.  Fifth, since strict
> adherence to the OWASP Code of Ethics is our policy, any attempt to
> willfully violate this by Christian, at any point in the future, will
> result in his immediate expulsion from OWASP with a ban on reinstatement.
> While I would normally feel that this is excessive, I think that we've
> already wasted precious cycles on this issue and am not willing to spend
> any more on additional violations going forward.
> There you have it.  My summary of the situation and my conclusions on how
> to best move forward.  There's a path of dissolution and a path of
> cooperation.  I'd welcome additional, open, discussion on the topic, but
> would like to keep this focused on the future and not the past.  Cool?
> Thanks!
> ~josh