[Owasp-board] Facts about OWASP Budgets & Funding

Paul Ritchie paul.ritchie at owasp.org
Mon Aug 17 22:06:13 UTC 2015

*To All those curious about OWASP Foundation Budgets and Funding:*

I'm rather surprised there is uncertainty about the OWASP Foundation

OWASP has a core mission statement of "transparency", especially in
financial reporting.

Please go to the Wiki, and you will find in a short 5-10 minute read just
about anything you need to know.   If you continue to have questions,
please send those questions to me, or our OWASP Treasurer (Fabio), or any
one of our Board members.  We are all happy to clear up any uncertainty
with published facts.

From the GOVERNANCE TAB on the wiki homepage you can find:

1.  Annual Budgets for the past 4 years
2.  Audited Financial statements for 2007, 2010 & 2013
3.  Nine years of Tax returns,  2005 - 2013
4.  Monthly P&L Reports including balance sheets that are shared "every
month" during our normal Board meetings, which are open to the public.

Plus, just last week, I sent the following email to all Chapter & Project
leaders reminding everyone about our monthly updates.
So, in summary.....if you have questions, please ask.
If you believe something is broken, then propose a solution, gather a
consensus from the community, and propose the change to our elected
leadership, the Board, who will evaluate & decide.

Paul Ritchie <paul.ritchie at owasp.org>
Aug 10 (7 days ago)
to owasp-leaders, OWASP, owasp-community
To Chapter & Project Leaders:

I've received a few more questions about 'where' can I find information
about my Chapter or project funding.   Personally, I now 'bookmark' this
information, and here it is again so everyone has it handy and at their

1.  Does my Chapter or Project have funding allocated to it?
Every month we update the budgets by Chapter or Project and post it on the
wiki here.

This is called the *'Donation Scorecard'* and it is found near the bottom
of the Chapter Wiki page.    https://www.owasp.org/index.php/OWASP_Chapter

2.  What are the monthly additions (donations) or subtractions (expenses)
charged to my Chapter?

Every month we post a summary of the transactions going into and out of
your Chapter  budget, and it is updated on the Chapter page of the wiki.
It is called *Chapter Transactions*, and it is listed for all Chapters,
again near the bottom of the Chapter wiki page.    Both reports were
updated as of July 27, 2015.

Finally, if you have additional or specific questions about your chapter or
project, don't hesitate to ask us directly.  We are happy to help keep
everyone "in the know".

Best Regards, Paul Ritchie
OWASP Executive Director
paul.ritchie at owasp.org

On Mon, Aug 17, 2015 at 2:31 PM, Eoin Keary <eoin.keary at owasp.org> wrote:

> Johanna,
> The funds distribution in OWASP is broken. Has been broken for years. Some
> funds are legally allocated to chapters and projects and can not be moved.
> Other funds can be moved but the mix is unclear.
> The Owasp foundation should have reserved the right to allocate funds
> where required. I believe this has been done but unsure.
> I believe some of the funds in OWASP would be best used as banking test
> data as it will persist in banking systems forever :)
> This is my humble understanding of the issue.
> Eoin Keary
> OWASP Volunteer
> @eoinkeary
> On 17 Aug 2015, at 18:04, johanna curiel curiel <johanna.curiel at owasp.org>
> wrote:
> > I don't think there is anything preventing a project from doing the
> > same, but I haven't seen it done at this point.
> I think we need to create Project Summits in the form of events with the
> whole purpose to gather funds for projects. Open samm has done this and I
> think we can try that. For that we need the support of the staff Business
> liaison, Event manager, just as they put their work and efforts in Events
> and appsecs. Here cut share between OWASP staff time and projects can also
> be done.
> > OWASP has a project funding bucket.
> Look, Denver chapter has around 50K in their bucket. The richest Project
> is ZAP with 10k... but that is the exception. Even worse when you look at
> chapters outside US or EU, mine has only USD40 dollars. Most projects have
> Zero Dollars.
> And the limits right now are a support but do not help to get important
> things moving like OWASP Academy portal, Leaders like Azzedine assist and
> show case his chapter or project or other more complex initiatives. Or
> major improvements or promotions to their projects.
> > Remember that the Board is just a handful of leaders who were elected
> > to set the compass.
> Yes but how do they know where to go, that's why the survey. The survey
> is the compass. And the leaders are elected to listen to the community.
> And About committees...
> The only existing active committee right now is the Project Review (which
> I still call myself a taskforce). I haven't seen many initiatives or
> participation from other committees. So the committee concept in theory
> seemed like a great idea but in practice is not working because in my eyes,
> creating a committee is creating a mini board inside OWASP. We do not want
> to create oligarchies in the end.
> I think we should cut off that committee idea and be more practical. More
> like this
>   Example:
>    - John Lita wants to create an academy portal but developing it costs
>    money and resources that volunteers alone cannot easily pull off (owaspa
>    project was the same and died, just like many educational initiatives)
>    - John must create a proposal with defined goals and how to reach
>    them. He joins other volunteers in this effort. No need to be a committee.
>    -  John & Claudia create a survey and seek support of the community
>    -   If the idea has major feedback and volunteers, then John has the
>    support from the staff to execute including looking for sponsors using
>    crowdsource funding portals
>    - Staff monitors development and results of the actions taken
>    - Staff reports results to the community back
> This is in my eyes how I have been working in the end, because, as
> volunteers, available time mostly depends on one or 2 passionate
> individuals like John-Lita, which are more dedicated and the rest follows...
> Now if we want to change things, don't tell me to set a committee, because
> Josh, this has not worked so far.
>  Allow me  and let the staff know that they should support me and any
> other volunteers seeking for implementing their ideas ;-).
> Lets cut the red tape with committees and let people know that if they
> want to do something,
>    - Contact the staff.
>    - Set a survey and gather support
>    - Need more money? Set a crowd funding project @
>    https://www.kickstarter.com under OWASP
>    - Volunteers implement idea or project with the support of owasp staff
>    and other volunteers
> How do we get this idea to action?
> Shall we create a survey?
> Do you need to discuss this on a board meeting?
> How do I get empowered and let the staff know that as a volunteer I have
> your support for this (if I do)?
> You see...how dependable I'm from the board to be able to execute?
> Of course I can always do this on my own but then I better do it without
> OWASP...
> Regards
> Johanna
> On Mon, Aug 17, 2015 at 10:55 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> Johanna,
>> Thank you for putting your thoughts out there for everyone.  Silence is
>> not good for anyone and OWASP will be far more successful if we know what
>> our leaders are struggling with and make a conscious effort to improve it.
>> I think that many of your points are very valid and strongly support the
>> idea of polls to gauge community support for actions being taken.  I also
>> support the idea that the Board should be making as few of these decisions
>> as possible and putting the power back in the hands of the community with
>> support from the staff.  The Board should be the "compass" making sure that
>> we are moving in the right direction with the community and staff being the
>> ones actually pushing us forward.  That's not to say that members of the
>> Board won't have their own projects or initiatives, but they do so as part
>> of the community, not because of their roles on the Board.  The Committees
>> 2.0 framework was a first step in driving this level of empowerment back to
>> the community while maintaining accountability and providing appropriately
>> scoped actions.  My impression was that the Projects Committee was rolling
>> forward quite well under this guidance, but it sounds like maybe I was
>> wrong.  Are there specific actions that you have tried to take on the
>> committee that got blocked by the Board or hung up in "red tape"?  Are
>> there needs for funding that haven't been met?
>> Regarding the project vs chapter funding schemas, I'm not sure that there
>> is a good answer.  Projects are typically made up of a pocket of
>> individuals.  Typically one leader with sometimes one or two others
>> assisting.  Chapters are typically anywhere from 20 people to hundreds.  We
>> provide members with the ability to allocate their funds to either, but
>> most associate themselves with a chapter rather than a project because
>> that's where they participate.  We also have chapters putting on
>> conferences with the goal of raising funds.  I don't think there is
>> anything preventing a project from doing the same, but I haven't seen it
>> done at this point.  Those are the two main ways that I see chapters
>> raising money.  Yes, there is certainly a difference in schemas and
>> projects will have a more difficult time, but that's also why OWASP has a
>> project funding bucket.  Money from these local events as well as funds
>> raised by our AppSec conferences gets budgeted specifically for this
>> purpose.  To my knowledge, no reasonable request for funds by projects has
>> been denied.  Just because there isn't money sitting "ring fenced" in an
>> account for the projects, doesn't mean that there isn't money that can be
>> spent.  It just means that it needs to be requested from the pool.  Yes,
>> it's a different model of funding, but the end result is the same.  There
>> are funds available at OWASP for everyone who needs them.
>> There are obviously many things that need to be improved at OWASP and,
>> unfortunately, the Board has been tied up in rules, events, bylaws, etc for
>> a while now.  It's definitely not the "fun" part of the job and it is very
>> time consuming.  That said, I would argue that these are the things that
>> need to be changed in order for everyone else (staff, community, etc) to be
>> able to be better served.  We've made several changes to the Bylaws and are
>> working on more.  We've hired an Executive Director (Paul), an Event
>> Manager (Laura), a Community Manager (Noreen), and a Project Coordinator
>> (Claudia) just in the almost two years that I've been on the Board.  The
>> needle on the compass is set and, while it takes some time to right the
>> ship, we are getting there by giving our community the support it requires
>> to be successful.  So, here's my general thought:
>> 1) If it's within the scope of a defined Committee, JUST DO IT!
>> 2) If there's no Committee defined for it, CREATE ONE, then JUST DO IT!
>> 3) If a Committee doesn't make sense, ASK THE STAFF FOR IT!
>> 4) If asking the staff isn't working or we need to change a policy to
>> make it happen, LET THE BOARD KNOW!
>> The Board should be the last resort, in my opinion, not the first.  We
>> should be the enabler, not the bottleneck.  I think that our leaders make
>> too many assumptions (probably based on past Board actions) about what
>> needs to go to the Board and we need to get away from that.  Remember that
>> the Board is just a handful of leaders who were elected to set the
>> compass.  We have a finite number of things that we can handle and our
>> Board meetings are typically overflowing with topics.  So, if something is
>> bothering you, I would encourage you to change it.  That's why, with the
>> David Rook situation, I encouraged creation of a new Committee to determine
>> a reasonable solution.  If it requires a policy change by the Board, then
>> we can vote on that, but asking the Board to take action just perpetuates
>> the oligarchy that you mention in your e-mail.  Instead of pushing these
>> issues up to the Board for action, let's have the community DECIDE what
>> they want and have the Board change the compass needle via bylaws,
>> policies, and staff discussions, accordingly.  At least, that's my vision
>> for OWASP.  Is that something that you can get on board with?
>> ~josh
>> On Mon, Aug 17, 2015 at 8:11 AM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>> Members of the board,
>>> With the recent issue regarding David Rook, and my latest experience
>>> with red-tape, I'm proposing the following.
>>> My goal is to call your attention to these issues which I have been
>>> observing for years and not as a critique to your work, but I think if
>>> you do not pay attention to these issues and DO something about them, OWASP
>>> will lose valuable community participation.
>>>    - When an initiative is proposed or launched by a member of the
>>>    board, this should be followed up by a survey where the community can
>>>    vote. Whether it is a rule or money, these decisions should be taken based on
>>>    collected data and proper substantiation to avoid oligarchy
>>>    - When an initiative is launched by a member of the community,
>>>    especially when this initiative cost more than 10k, it should be
>>>    substantiated with data how this initiative will benefit the community.
>>>    Also should be followed by a survey
>>>    - Staff should help creating the survey and analyse the votes
>>>    - *In other words: do more survey to find out what the community
>>>    needs and wants.*
>>> My observations and where I think you need to give more attention:
>>>    - Board/Executive director should work closer with the staff for
>>>    guidance and empowering their role. I have the feeling that the staff is
>>>    paralysed waiting for instructions or following strict rules. The staff
>>>    should be motivated to take initiative and implement projects on their own
>>>    that can help the community. They should not be too dependent on an
>>>    Executive director or member of the board for this part
>>> As I see it, OWASP is known for its Projects & Chapter leaders which as
>>> volunteers have contributed the most to set OWASP on the spotlight.
>>> Therefore:
>>>    - You should determine and implement better ways  to provide better
>>>    funding schemas for projects . This is something a volunteer cannot do. And
>>>    *nothing* has been done to help  solve this issue
>>>    - There is an unfair inequality in the way chapters can generate
>>>    funds vs Projects.
>>>    - Money is locked down in the chapters budget
>>>    - Chapters outside US & EU have more struggles to find support. You
>>>    should consider a way to support better these ones since their countries
>>>    are not developed in the area of security as countries in EU and US.
>>>    - Follow up: when issues like David Rook or a volunteer rants (like
>>>    me or others) out of frustration, take action. Put it in the agenda and try
>>>    to solve and discuss the issues to improve the actual problems. So far I
>>>    have seen very little follow up on major issues and discussions raised in
>>>    the mailing lists
>>>    - Way too much attention to rules, *events* and bylaws etc. Time to
>>>    take action and take decisions and propose plans for improvements of the
>>>    actual situation above mentioned
>>> Being that said, and with all due respect to you, I hope that you can
>>> take actions and *execute* improvements that have been an issue since I
>>> joined OWASP 3 years ago.
>>> Regards
>>> Johanna