[Owasp-board] [Owasp-leaders] In Samantha's words: "Why I resigned my role at OWASP"

Eoin Keary eoin.keary at owasp.org
Tue Jun 17 00:01:51 UTC 2014


Leaders, 

My apologies for the following email. As John Steven said, this is a shite state of affairs but one needs to defend oneself from lies and attempted character assassination.

I seem to have been accused of funds mismanagement and racism.


The allegation of funds mismanagement, if true, was against me not acting in the best interests of OWASP or the allocation of reboot funds.

Let me first let you know I have never had access to OWASP reboot funds.

Reboot funds in this case were allocated to projects which were voted for by a number of volunteers in a public way.

Staff has access to funds. Not the board or project leads directly.

Without my "mismanaging" the CISO guide would not have been funded, as Samantha refused (I have the email) to fund the project. The code review project donated $2.5k for the CISO project because it was over funded by Samantha in error.

We won $25k funding for the OWASP guides at the same time as being granted $30k from foundation budget.

Samantha double funded the 3 guides (code/dev/test) with both DHS ($8.3k) and OWASP funds ($5k), whilst refusing to fund other projects. In effect over funding some and making other projects suffer.

I've also been accused of racism and anti-woman sentiment by Samantha Groves:

Racism:
1 business partner I have is Indian
1 business partner I have is female
A family member is Nigerian also..

Sexist:

Last year I got my OWASP chapter (Dublin) to donate to the women in appsec fund to send women to the USA. Helen Gao can confirm this.

I also supported our previous chapter leader Fiona for the role of chapter leader.

Thanks for your time if you have read this far. :)
I don't want my silence (thus far) to be perceived as I have something to hide.

Eoin Keary
Owasp Global Board
+353 87 977 2988


On 16 Jun 2014, at 23:55, johanna curiel curiel <johanna.curiel at owasp.org> wrote:

> >Remember that while OWASP is a volunteer driven, global organization, it is still a US based non-profit company, with all of the obligations that entails. 
> This is the problem; you might not be interested in the details, but the pursuit of such a high degree of transparency into what is essentially a legal matter is unseemly.  There have been several tweets and comments on social media sites about this, and people are already stunned by the level of unprofessional behaviour being exhibited by all parties. 
> 
> When accusations such as sexual harassment are made, this goes beyond just a "simple" legal case.
> 
> Timur, in the American law system this is a very serious issue that can have very profound implications for the affected parties, such as a high fine and serious reputational damage, including being put on probation. Especially because this is an infringement of constitutional rights.
> 
> >Maybe if the parties involved in the current incident make a generous move by stopping the legal processing of the situation, and sign a short public statement that it would be improper to settle their conflict on level of such simplification as Samantha vs the Board, that would help the OWASP as community to identify with the resolution.
> 
> Unfortunately we as volunteers won't solve this by discussing this in an email list. This is a legal issue between an employer and employee and is out of our scope as volunteers.
> 
> I advise people who do not have any idea how labor law within the USA works to stop making comments without knowing the legal consequences or implications of the accusations. Samantha was an OWASP employee, not a volunteer, so her position in this conflict is quite different. She worked under USA law, and any conflicts affecting employer and employee must be handled under the labor law defined in the USA.
> 
> On Mon, Jun 16, 2014 at 6:11 PM, Yvan Boily <yvanboily at gmail.com> wrote:
>> 
>> 
>> 
>> On Mon, Jun 16, 2014 at 2:18 PM, Timur 'x' Khrotko (owasp) <timur at owasp.org> wrote:
>>> Yvan, your imperative message is right in the context of the legal and compliance domain, and if one accepted Samantha's case as a matter in that domain. I look at the case from a different angle.
>>> 
>>> If the case is left on the legal path, lawyers will reconstruct the story in their terms, one will take it as the professional judgement of the case and the final resolution of the incident.
>> 
>> Yep.  I hope that OWASP agrees that this pretty much needs to go this route since several of the parties involved have lawyered up already (either they actually have, or they have stated they intend to).
>>  
>> Remember that while OWASP is a volunteer driven, global organization, it is still a US based non-profit company, with all of the obligations that entails.  None of the statements about the role the community should play or the desire for radical transparency count for very much when the organization is caught up in what is fundamentally a human rights issue that is well within scope of the courts.
>> 
>> Unless you have a compelling argument that removes these specific legal liabilities I don't think that looking at it from another angle is at all helpful.  That said, I am not a lawyer, and would appreciate someone with more legal acumen to either back me up, or tell me to go back to the bleachers.
>> 
>>> 
>>> But there is another aspect of it which will not be processed and cured by professional 3rd parties invoked now. There will be no organizational researchers making interviews with the participants of the case -- no professionals who can answer us the question why was this case mismanaged (probably) and miscommunicated (seemingly). Dinis tries to look at OWASP from that angle too (beyond his sympathy to Samantha).
>>> 
>>> I feel sympathy to Josh as well. And I can imagine the case where both Josh and Samantha play their roles in a setting which brings them, other participants of the incident and us discoursing here to this unwanted situation. So probably the case is product of a system which needs reparation.
>>> 
>>> Dinis and I may project something non-existent onto the case. But if certain systemic problems of OWASP management exist, then the leaders mailing list is the right place to talk -- or let's hire OD specialists. I mean systemic problems due to which the conflict of ideas and interests failed to convert to cooperative resolution, and some new targets and mode of better operation -- the outcomes that most of us demand.
>> 
>> To be 100% clear on this - if a case of discrimination occurred, then it is not a matter of "the leaders needing to discuss this" since it is a legal matter.
>> 
>> if it happened, OWASP as an employer needs to take steps to ensure that it doesn't happen again, and make the appropriate reparations.  This is a legal obligation of being an employer in the United States; I say this with certainty because I have been through sexual harassment training as a part of being in a leadership role in two separate American companies.  You would have to consult a lawyer on the specifics.
>> 
>> If it is determined that discrimination has not in fact occurred, then the individuals who made or promoted those claims could be subject to various legal remedies (IANAL, talk to one for specifics).
>> 
>> This is not a point of discussion, there isn't much room for interpretation.  There is no shortage of examples of how these things have played out with other communities, businesses, and industries.  This is not a community issue.  Even once this is resolved, how discrimination and accusations are handled within OWASP is not a community issue; there are specific behaviors and activities that are required by companies to keep them accountable and to reduce liability.  It doesn't matter if the community objects, those are requirements of being a legal entity.
>> 
>>> 
>>> Maybe if the parties involved in the current incident make a generous move by stopping the legal processing of the situation, and sign a short public statement that it would be improper to settle their conflict on level of such simplification as Samantha vs the Board, that would help the OWASP as community to identify with the resolution.
>> 
>> Flat out no.  Several allegations were made.  Individuals were named.  Those individuals deserve the opportunity to defend themselves.  Samantha and any other injured parties deserve the opportunity to defend their allegations.  Simplifying it down to Samantha vs. the Board conflates the issue.  If there are bad actors on the board, we as a community deserve to know about it as a part of the outcome of an investigation.  If there was none, that same investigation, conducted in a professional fashion needs to indicate so.
>> 
>> Anything less will create a pall over the organization that will undoubtedly result in OWASP being miscast[1] as a misogynist organization.  This needs to be handled properly or the damage to the OWASP brand will be quite significant, and OWASP will lose members, contributors, and the influence that gives OWASP a platform to push for change.
>>  
>>> I guess if the whole conflict is then deconstructed to smaller interpersonal cases, Samantha vs Jim, etc, it would make it possible to settle those case by case, as misunderstanding, as an incident regretted retrospectively, etc -- and I personally am not interested in those details. I mean small interpersonal cases mediated privately with a professional mediator, probably paid by OWASP.
>> 
>> This is the problem; you might not be interested in the details, but the pursuit of such a high degree of transparency into what is essentially a legal matter is unseemly.  There have been several tweets and comments on social media sites about this, and people are already stunned by the level of unprofessional behaviour being exhibited by all parties.
>> 
>> Jim and Eoin's initial responses (which can be summarized as "I disagree, and will seek legal remedy") were the only responses needed.  Does this organization exist to further the technical aspects of application security, or to titillate the infosec drama crew who love to watch things blow up?
>> 
>> If we want to clear this up and move OWASP forward the best thing to do is to engage a legal team to conduct a proper review of the alleged incidents, and abide by their findings.  That is up to the board to coordinate.  If we, as volunteers, want to contribute to moving OWASP forward we need to pivot out of infosec drama and back into measurable progress to making our chapters, projects, and voices stronger while we trust the board we elected to get to the bottom of this, and come back to the community with the results and a course of action.
>> 
>> Regards,
>> Yvan Boily
>> 
>> [1] This is not me claiming that I agree with or refute any allegations.  So far no evidence has been presented, only PoV attestations.  A third party is needed to investigate and resolve this issue.  That said, unless this is resolved properly I will happily bet that OWASP will be lambasted heavily for not handling this as the serious matter that it is.
>> 
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders