[Owasp-board] OWASP Funding Proposal

Tobias tobias.gondrom at owasp.org
Thu Oct 8 23:25:32 UTC 2015

>     Proposal 3: needs clarification
>     I think we need to spell out what we mean with an "active
>     chapter", as we are using the term as a criterion in proposal 3. Is
>     that a mailing list with no traffic and no meetings, but two
>     leaders on the wiki page? Or would "active" mean they have some
>     meetings and maybe a handful of members? My proposal for the
>     definition of "active chapter" would be something like at least 3
>     emails on the mailing list in the last year, at least one meeting
>     and at least 5 members. Is this enough to count as active? For
>     "active projects", I am less clear on what an active project is. Just
>     a project page with no content and no communication or subscribers
>     on the mailing list except for the two leaders? Would this already
>     be an active project? Any thoughts on how we can describe this term
>     from proposal 3?
> The concept of an "active chapter" is defined in Section 2.2 of the 
> Chapter Leader Handbook 
> <https://owasp.org/index.php/Chapter_Handbook/Chapter_2:_Mandatory_Chapter_Rules#Hold_a_minimum_of_2_local_chapter_meetings_or_events_each_year>.  
> I do not intend to revise that definition as part of this effort.  If 
> you believe that the definition needs work, then I would recommend a 
> separate effort to identify and clarify in that document.  Likewise, I 
> believe that Johanna worked to define requirements around what it 
> means to be an "active project" and undertook an effort to clean out 
> inactives.  If we would like to add language along the lines of "as 
> defined in the Chapter and Project Leader Handbooks", then I am OK 
> with that, but I would prefer to leave the definition of "active" out 
> of the proposal itself as it's something that is likely to change over 
> time.

Agreed. You are right and it is defined in the handbooks already. That's 
fine. Thanks for pointing it out.
If you are ok, then I think it could still be useful to add the 
reference to the handbooks as you mentioned, to help in the future if 
anything is unclear about what was meant by the term. But it is not required.

BTW, I just checked again for projects. FYI, from the project handbook: 
"Projects without six months of project activity will be
automatically tagged as inactive."

>     Proposal 4: "Upon creation of a new project or chapter, as long as
>     they have at least two leaders they will be allocated a $500
>     budget to begin with."
>     COMMENT: I have been thinking a bit more on Michael's comment
>     last night to reward activity. And I think some reward mechanism
>     for chapter activity and project status would be right. IMO we
>     should be consistent and apply the same criteria for "active" as
>     we did in proposal 3.
> I disagree here.  The biggest struggle for new chapter and project 
> leaders is getting funding.  We need to eliminate that struggle.  
> Obviously, chapters and projects are still subject to requirements and 
> approval by our ops team, as they are today, and that should weed out 
> any issues. Also, think about the current value of being an OWASP 
> chapter or project leader.  If our goal is to attract more of these 
> types of people to OWASP, then $500 seems like a pretty small amount 
> in the grand scheme of things to incentivize them to do so.

Noted. I can see your point.
But we may have a different perception of the requirements and approval 
process by the ops team to create a new chapter/project. In my 
understanding, today, the barrier to setting up a chapter or project is 
intentionally very, very low. Close to zero. Basically anyone can do it 
with close to zero evidence. So I am here a bit more on the side of 
caution. My concern is to manage the potential risk of abuse. Call it 
"fiduciary ...". I trust our community, but independent of trust, we 
are also responsible (and legally obliged) to put sufficient controls in 
place before releasing charity funds. With an active chapter or project 
there are at least some community review controls in place. I am 
concerned that we would not fulfil our fiduciary duty of protecting 
foundation money against fraud risks if we assign money immediately 
without the need for the chapter/project to be active. That is the 
reason why I proposed this alternative.

Do you and others think I am overprotective?

It would be helpful for me to hear some further board members' opinion 
on that before moving to a vote.

(On a note: thinking about it, another way to achieve a higher minimum 
control of expenses for new projects could be to add some extra review 
for a new chapter/project expense (e.g. by the ops team, or maybe an 
active neighbour chapter) before we sign off on expenses.)

>     Proposal 5: Agreed
> Cool.
>     Proposal 6: propose minor revision of wording to clarify
>     > Proposal 6: If a request for funding has been approved for one
>     > chapter or project, then it can be considered an acceptable
>     > expense for all chapters or projects.  If they have an account
>     > balance which covers that expense in full, then they should
>     > be considered pre-approved for spending.
>     I agree in spirit, but I think this needs clarification and am a
>     bit concerned about liberal interpretations of what is the same
>     expense type. Expenses tend to not be exactly identical and I would
>     like to save chapter and project leads from searching the public
>     expense lists for precedent. As one example, if a flight ticket is
>     approved for a chapter leader to attend the AppSec chapter leader
>     workshop, that should not mean we also approve a flight ticket to
>     the Bahamas for a holiday for another chapter leader. Technically both
>     are flight expenses for chapter leaders. (I know I am splitting
>     hairs...)
>     Suggested revision:
>     Proposal 6: If a request for funding has been approved for one
>     chapter or project, then it can be considered an acceptable
>     expense for all chapters or projects. Our operations team shall
>     periodically (at least once every 3 months) review the list of
>     published expenses and, if new expense types come up, add them to
>     the published list of acceptable expenses. If the chapters or
>     projects have an account balance which covers that expense in
>     full, then they should be considered pre-approved for spending.
> I think that we need to trust people to do the right thing. To my 
> knowledge, we have never had a person try to request reimbursement for 
> a trip to the Bahamas because someone got a flight paid for to 
> AppSec.  Also, keep in mind that this is a reimbursement process so 
> our Operations Team determines whether a request is legit.  To me, it 
> would seem like you're putting a lot of extra work on the Ops Team 
> with little added benefit since they are still going to have to find a 
> way to write it up so that it will not be misinterpreted.  I think we 
> have reasonable controls in place to prevent abuse and our liability 
> here is minimal.  I don't see a need to revise it in this manner.

Well, I don't think maintaining a list of good examples is an unnecessarily 
heavy workload. And in the long run, searching through a long 
unstructured list of published expense claims will be more workload for 
both the staff and the community to check for good expense precedents. 
If we do this one time per quarter, the effort is clearly limited. If we 
(staff and leaders) have to review an unlimited, year-long list for 
precedent, this seems much more effort.

>     New Proposal 11:
>     Building on Michael's and your comment about rewarding active
>     projects. I very much like that idea!
>     And I would have a friendly additional proposal.
>     Proposal 11:
>     Any project newly reaching lab status receives a one-time extra
>     USD500 into their project account.
>     Any project newly reaching flagship status receives a one-time
>     extra USD1000 into their project account.
>     This could add some nice gamification feature for projects that
>     are often underfunded and could make the maturity status of
>     projects more exciting. What do you think about that?
> I like it, though, keep in mind that this could end up being in 
> addition to $500 that they haven't spent yet.  Could we modify it to 
> instead say:
> Proposal 11:
> Any project newly reaching lab status with an account balance less 
> than $500 will be brought to $500 as long as there are at least two 
> active leaders at that time.  Any project newly reaching flagship 
> status with an account balance less than $1000 will be brought to 
> $1000 as long as there are at least two active leaders at that time.
> That prevents us from adding money to an account with an already large 
> amount of unspent funds, compounding the problem, and continues the 
> requirement of at least two active leaders.

Agreed. That amendment works for me.

Best, Tobias
