[Owasp-board] Discussion on Proposal 4

Josh Sokol josh.sokol at owasp.org
Fri Oct 9 02:10:33 UTC 2015

Here is the current text for proposal 4:

*Upon creation of a new project or chapter, as long as they have at least
two leaders they will be allocated a $500 budget to begin with.*

COMMENT: I have been thinking a bit more on Michael's comment last night to
reward activity. And I think some reward mechanism for chapter activity and
project status would be right. IMO we should be consistent and apply the
same criteria for "active" as we did in proposal 3.

I disagree here.  The biggest struggle for new chapter and project leaders
is getting funding.  We need to eliminate that struggle.  Obviously,
chapters and projects are still subject to requirements and approval by our
ops team, as they are today, and that should weed out any issues.  Also,
think about the current value of being an OWASP chapter or project leader.
If our goal is to attract more of these types of people to OWASP, then $500
seems like a pretty small amount in the grand scheme of things to
incentivize them to do so.

Noted. I can see your point.
But, we may have a different perception on the requirements and approval
process by the ops team to create a new chapter/project. In my
understanding, today, the barrier to setting up a chapter or project is
intentionally very very low. Close to zero. Basically anyone can do it with
close to zero evidence. So, I am here a bit more on the side of caution. My
concern is to manage the potential risk of abuse. Call it "fiduciary ...".
I trust our community, but independent of trust, we also are responsible
(and legally obliged) to put sufficient controls in place before releasing
charity funds. With an active chapter or project there are at least some
community review controls in place. I am concerned that we would not fulfil
our fiduciary duty of protecting foundation money against fraud risks if we
assign money immediately without the need for the chapter/project to be
active. That is the reason why I proposed this alternative.

Do you and others think I am overprotective?

It would be helpful for me to hear some further board members' opinion on
that before moving to a vote.

(On a note: Thinking about it, another way to achieve a higher minimum
control of expenses for new projects could be to add some extra review for
a new chapter/project expense (e.g. by the ops team, or maybe an active
neighbour chapter) before we sign-off on expenses.)

The barrier may be low, but it is definitely not zero.  Noreen provided a
bit of insight into her process for vetting chapter leaders at the Leader
Sessions at AppSec.  She looks at resumes, loosely looks for associated
references, etc.  We also have qualifications around the locations for new
Chapters.  I'm not as familiar as the process for Projects, but ultimately
I don't think any of that matters much.  Putting money in an account is no
different than what happens today.  What matters are the controls around
how that money gets spent.  Personally, I think you are being too
overprotective here and we have controls in place to address your concern,
but I'm open to the opinions of others.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20151008/878c9d80/attachment.html>

More information about the Owasp-board mailing list