[Owasp-board] [Governance] On ring-fencing finances, communicating with OWASP and more

Alison Shrader alison.mcnamee at owasp.org
Fri Aug 21 14:18:02 UTC 2015

The 2014 990 will be completed shortly.  As always, we filed an extension
so it is not due until mid November... but the 2014 books are just about
closed out.  We expect to have the 990 completed by early October.

Best regards,

Alison Shrader

OWASP Accounting

1200C Agora Dr, #232

Bel Air, MD 21014



*From:* owasp-board-bounces at lists.owasp.org [mailto:
owasp-board-bounces at lists.owasp.org] *On Behalf Of *Tom Brennan
*Sent:* Friday, August 21, 2015 9:48 AM
*To:* Noreen Whysel; Fabio Cerullo
*Cc:* projects-task-force at owasp.org; governance at lists.owasp.org; OWASP
Board List; owasp-leaders at lists.owasp.org
*Subject:* Re: [Owasp-board] [Governance] On ring-fencing finances,
communicating with OWASP and more

Fabio as Treasurer of OWASP when will you post the 2014 990 information?

Sent from my iPhone

On Aug 21, 2015, at 8:30 AM, Noreen Whysel <noreen.whysel at owasp.org> wrote:

I believe 2014 figures get published after the Annual Report is released,
which should be very soon.

Noreen Whysel
Community Manager

OWASP Foundation

On Aug 20, 2015, at 11:05 PM, tomb at owasp.org wrote:


The reports from the last board meeting are very useful (see reports)

https://www.owasp.org/index.php/August_12,_2015#Reports_2 (see July numbers)

And tax filings including;

997k to 1.6M is big growth (2014 is missing from the website)



And the budgets


The spend is light from "HQ" on programs to market, promote, provide
resources to the community.


The 499k (earmarked to active chapters
https://www.owasp.org/index.php/Donation_Scoreboard) is a small amount in
the big picture

Sent from my iPhone

On Aug 20, 2015, at 8:17 PM, Andrew van der Stock <vanderaj at owasp.org>

Remember, Dinis, Josh and I had a podcast on this a little while ago, and
Dinis noted that it was an experiment to try and get chapters to be more
involved and spend more of their money.

As chapters are collecting more and more money which is not being spent, we
as a board need to work out the best way forward. I agree with Josh that we
need to get chapters to spend their money, but I also feel that as there's
no hard and fast bylaw on splits, we need to work out a new model that is
based upon desired outcomes. Money sitting in the bank doing nothing in a
non-profit is not meeting our mission. We are not a banker to chapters.

This time, we really need to do proper modelling to understand the effect
of various splits before we commit to them. Otherwise, we'll be back here
in less than 2 years with chapters with a million in the bank, and the
Foundation and projects still scrapping for tidbits. We need to have
balance. I'm happy to discuss that balance.



On Tue, Aug 18, 2015 at 8:52 AM, <tomb at proactiverisk.com> wrote:

FYI there is some detail recorded in a few places for clarity.

Archive 2013 60/40 split


And here

90/10 Split 2014


The first effort was a (1) year experiment to provide a split to chapters
to get them energized.  It was voted on in year two and passed as well. (2009
time frame) It might be in Kate's notes or wiki minutes; she was the scribe and
took them back in those days, so they do exist.

Moving to a global model and empowering a local model will solve this
rich/poor chapters debate.  Investment in projects will also solve the
current issue. For every $1.00 the foundation brings in, $0.50 should support
projects, $0.25 outreach/marketing and $0.25 administrative staff. I will discuss
my thoughts on it during my upcoming board interview in more detail. Take a
look at the annual report; this will help put things in context.

Sent from my iPhone

On Aug 17, 2015, at 6:12 PM, Jim Manico <jim.manico at owasp.org> wrote:

The OWASP foundation made a promise to chapters - years ago - that we would
isolate earned funds from each chapter for that chapter only. We then set
up a regional conference profit sharing program for chapters and gave
chapters a percentage of membership funds for members that flagged their
chapter. This was all set up years ago before the election of any current
board member.

I do not think the foundation should break that promise (if not verbal
contract) to chapters around the world and reverse current chapter

But we can certainly change that policy moving forward if needed, which is
actively being discussed by the board, staff and others.

I look at this as many things in computer science - as a tradeoff, not a
battle between good and evil.

Again, my hope is that we work together as adults to collaborate on a
better policy if one is needed. *There is no way we are going to make
everyone happy*. If you mess with chapter ringfencing, you are going to
upset a lot of very hard working and active chapters. If we leave the
ringfencing, it's going to limit major investment capability of the

This is not a cut and dry issue in my opinion. I can see the benefits
either way. I am most concerned about what the community thinks is best and
what is best for the foundation and serving our mission.

Also, the whole board voting process slows things down. That "slowing"
factor, like adaptive key generation algorithms, is by design. It takes a
voting quorum of board members to significantly change policy or embark on
major investments. So for those of you who are frustrated by what you
perceive as "bureaucracy", what is the alternative? Do you want
one "king" to just make all decisions? Do you want any member to just
dictate new policy? I think for sure governance can be very inefficient -
but no governance is even more inefficient.

So please, if you want to see something changed - there are positive
avenues to do so. *Propose a bylaw change to the board or just ask
questions on the board list,* *talk with members of staff,* *participate on
the governance email list and trigger good debate* - while emailing the
leaders list is a good way to get community involvement in your cause -
please consider following through with action that works with the
foundation to actually make change beyond leaders list email.

*Communication Resources:*

   1. Contact the Staff w/ Tracking: https://www.tfaforms.com/308703
   2. OWASP Board List: https://lists.owasp.org/listinfo/owasp-board
   3. OWASP Governance List:



Jim Manico

Global Board Member

OWASP Foundation


Join me at AppSecUSA 2015!

PS: When the OWASP foundation did not use tracking forms, we received a
large number of complaints that support issues fell through the cracks. Now
that we have a contact form with a tracking ID, we get complaints of
bureaucracy. I think it's more important to NOT let issues fall through the

On 8/17/15 11:31 AM, Eoin Keary wrote:


The funds distribution in OWASP is broken. It has been broken for years. Some
funds are legally allocated to chapters and projects and cannot be moved.
Other funds can be moved but the mix is unclear.

The Owasp foundation should have reserved the right to allocate funds where
required. I believe this has been done but unsure.

I believe some of the funds in OWASP would be best used as banking test
data as it will persist in banking systems forever :)

This is my humble understanding of the issue.

Eoin Keary

OWASP Volunteer


On 17 Aug 2015, at 18:04, johanna curiel curiel <johanna.curiel at owasp.org>

> I don't think there is anything preventing a project from doing the same,
> but I haven't seen it done at this point.

I think we need to create Project Summits in the form of events with the
whole purpose of gathering funds for projects. OpenSAMM has done this and I
think we can try that. For that we need the support of the staff: the Business
Liaison and Event Manager, just as they put their work and efforts into events
and AppSecs. Here a cut share between OWASP staff time and projects can also
be done.

> OWASP has a project funding bucket.

Look, the Denver chapter has around 50K in their bucket. The richest project is
ZAP with 10K... but that is the exception. Even worse when you look at
chapters outside the US or EU: mine has only USD 40. Most projects have
zero dollars.

And the limits right now are a support but do not help to get important
things moving, like the OWASP Academy portal, leaders like Azzedine assisting and
showcasing his chapter or project, or other more complex initiatives, or
major improvements or promotions to their projects.

> Remember that the Board is just a handful of leaders who were elected to
> set the compass.

Yes, but how do they know where to go? That's why the survey. The survey
is the compass. And the leaders are elected to listen to the community.

And About committees...

The only existing active committee right now is the Project Review (which I
still call a taskforce). I haven't seen many initiatives or
participation from other committees. So the committee concept in theory
seemed like a great idea, but in practice it is not working because, in my eyes,
creating a committee is creating a mini board inside OWASP. We do not want
to create oligarchies in the end.

I think we should cut off that committee idea and be more practical. More
like this:


   - John Lita wants to create an academy portal but developing it costs
   money and resources that volunteers alone cannot easily pull off (the owaspa
   project was the same and died, just like many educational initiatives)
   - John must create a proposal with defined goals and how to reach them.
   He joins other volunteers in this effort. No need to be a committee.
   - John & Claudia create a survey and seek support of the community
   - If the idea has major feedback and volunteers, then John has the
   support from the staff to execute, including looking for sponsors using
   crowdsource funding portals
   - Staff monitors development and results of the actions taken
   - Staff reports results back to the community

This is in my eyes how I have been working in the end, because, as
volunteers, available time mostly depends on one or 2 passionate
individuals like John-Lita, who are more dedicated, and the rest follows...

Now if we want to change things, don't tell me to set up a committee, because,
Josh, this has not worked so far.

Allow me, and let the staff know that they should support me and any other
volunteers seeking to implement their ideas ;-).

Let's cut the red tape with committees and let people know that if they want
to do something:

   - Contact the staff.
   - Set up a survey and gather support
   - Need more money? Set up a crowd funding project @
   https://www.kickstarter.com under OWASP
   - Volunteers implement the idea or project with the support of OWASP staff
   and other volunteers

How do we get this idea to action?

Shall we create a survey?

Do you need to discuss this on a board meeting?

How do I get empowered and let the staff know that as a volunteer I have
your support for this? (If I do?)

You see... how dependent I am on the board to be able to execute?

Of course I can always do this on my own, but then I had better do it without



On Mon, Aug 17, 2015 at 10:55 AM, Josh Sokol <josh.sokol at owasp.org> wrote:


Thank you for putting your thoughts out there for everyone.  Silence is not
good for anyone and OWASP will be far more successful if we know what our
leaders are struggling with and make a conscious effort to improve it.  I
think that many of your points are very valid and strongly support the idea
of polls to gauge community support for actions being taken.  I also
support the idea that the Board should be making as few of these decisions
as possible and putting the power back in the hands of the community with
support from the staff.  The Board should be the "compass" making sure that
we are moving in the right direction with the community and staff being the
ones actually pushing us forward.  That's not to say that members of the
Board won't have their own projects or initiatives, but they do so as part
of the community, not because of their roles on the Board.  The Committees
2.0 framework was a first step in driving this level of empowerment back to
the community while maintaining accountability and providing appropriately
scoped actions.  My impression was that the Projects Committee was rolling
forward quite well under this guidance, but it sounds like maybe I was
wrong.  Are there specific actions that you have tried to take on the
committee that got blocked by the Board or hung up in "red tape"?  Are
there needs for funding that haven't been met?

Regarding the project vs chapter funding schemas, I'm not sure that there
is a good answer.  Projects are typically made up of a pocket of
individuals.  Typically one leader with sometimes one or two others
assisting.  Chapters are typically anywhere from 20 people to hundreds.  We
provide members with the ability to allocate their funds to either, but
most associate themselves with a chapter rather than a project because
that's where they participate.  We also have chapters putting on
conferences with the goal of raising funds.  I don't think there is
anything preventing a project from doing the same, but I haven't seen it
done at this point.  Those are the two main ways that I see chapters
raising money.  Yes, there is certainly a difference in schemas and
projects will have a more difficult time, but that's also why OWASP has a
project funding bucket.  Money from these local events as well as funds
raised by our AppSec conferences gets budgeted specifically for this
purpose.  To my knowledge, no reasonable request for funds by projects has
been denied.  Just because there isn't money sitting "ring fenced" in an
account for the projects, doesn't mean that there isn't money that can be
spent.  It just means that it needs to be requested from the pool.  Yes,
it's a different model of funding, but the end result is the same.  There
are funds available at OWASP for everyone who needs them.

There are obviously many things that need to be improved at OWASP and,
unfortunately, the Board has been tied up in rules, events, bylaws, etc for
a while now.  It's definitely not the "fun" part of the job and it is very
time consuming.  That said, I would argue that these are the things that
need to be changed in order for everyone else (staff, community, etc) to be
able to be better served.  We've made several changes to the Bylaws and are
working on more.  We've hired an Executive Director (Paul), an Event
Manager (Laura), a Community Manager (Noreen), and a Project Coordinator
(Claudia) just in the almost two years that I've been on the Board.  The
needle on the compass is set and, while it takes some time to right the
ship, we are getting there by giving our community the support it requires
to be successful.  So, here's my general thought:

1) If it's within the scope of a defined Committee, JUST DO IT!

2) If there's no Committee defined for it, CREATE ONE, then JUST DO IT!

3) If a Committee doesn't make sense, ASK THE STAFF FOR IT!

4) If asking the staff isn't working or we need to change a policy to make
it happen, LET THE BOARD KNOW!

The Board should be the last resort, in my opinion, not the first.  We
should be the enabler, not the bottleneck.  I think that our leaders make
too many assumptions (probably based on past Board actions) about what
needs to go to the Board and we need to get away from that.  Remember that
the Board is just a handful of leaders who were elected to set the
compass.  We have a finite number of things that we can handle and our
Board meetings are typically overflowing with topics.  So, if something is
bothering you, I would encourage you to change it.  That's why, with the
David Rook situation, I encouraged creation of a new Committee to determine
a reasonable solution.  If it requires a policy change by the Board, then
we can vote on that, but asking the Board to take action just perpetuates
the oligarchy that you mention in your e-mail.  Instead of pushing these
issues up to the Board for action, let's have the community DECIDE what
they want and have the Board change the compass needle via bylaws,
policies, and staff discussions, accordingly.  At least, that's my vision
for OWASP.  Is that something that you can get on board with?


On Mon, Aug 17, 2015 at 8:11 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

Members of the board,

With the recent issue regarding David Rook, and my latest experience with
red tape, I'm proposing the following.

My goal is to call your attention to these issues, which I have been
observing for years, and not as a critique of your work, but I think if
you do not pay attention to these issues and DO something about them, OWASP
will lose valuable community participation.

   - When an initiative is proposed or launched by a member of the board,
   this should be followed up by a survey where the community can vote. Whether
   it is a rule or money, these decisions should be taken based on collected data
   and proper substantiation to avoid oligarchy
   - When an initiative is launched by a member of the community,
   especially when this initiative costs more than 10k, it should be
   substantiated with data on how this initiative will benefit the community.
   It should also be followed by a survey
   - Staff should help create the survey and analyse the votes
   - *In other words: do more surveys to find out what the community needs
   and wants.*

My observations and where I think you need to give more attention:

   - Board/Executive director should work closer with the staff for
   guidance and empowering their role. I have the feeling that the staff is
   paralysed waiting for instructions or following strict rules. The staff
   should be motivated to take initiative and implement projects on their own
   that can help the community. They should not be too dependent on an
   Executive director or member of the board for this part

As I see it, OWASP is known for its Project & Chapter leaders, who as
volunteers have contributed the most to put OWASP in the spotlight.

   - You should determine and implement better ways to provide better
   funding schemas for projects. This is something a volunteer cannot do. And
   *nothing* has been done to help solve this issue
   - There is an unfair inequality in the way chapters can generate funds
   vs projects.
   - Money is locked down in the chapters' budget
   - Chapters outside the US & EU have more struggles to find support. You
   should consider a way to better support these ones, since their countries
   are not as developed in the area of security as countries in the EU and US.
   - Follow up: when issues like David Rook arise or a volunteer rants (like me or
   others) out of frustration, take action. Put it on the agenda and try to
   solve and discuss the issues to improve the actual problems. So far I have
   seen very little follow up on major issues and discussions raised in the
   mailing lists
   - Way too much attention to rules, *events* and bylaws etc. Time to take
   action, take decisions and propose plans for improvements of the
   above-mentioned situation

That being said, and with all due respect to you, I hope that you can take
action and *execute* improvements on issues that have existed since I joined
OWASP 3 years ago.



Governance mailing list
Governance at lists.owasp.org

You received this message because you are subscribed to the Google Groups
"OWASP Projects Task Force" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to projects-task-force+unsubscribe at owasp.org.
To post to this group, send email to projects-task-force at owasp.org.
To view this discussion on the web visit


Owasp-board mailing list
Owasp-board at lists.owasp.org

WARNING: E-mail transmission cannot be guaranteed to be secure or
error-free as information could be intercepted, corrupted, lost, destroyed,
arrive late or incomplete, or contain viruses. The sender therefore does
not accept liability for any errors or omissions in the contents of this
message, which arise as a result of e-mail transmission. No employee or
agent is authorized to conclude any binding agreement on behalf of
ProactiveRISK with another party by email.
