[Owasp-board] OWASP Funding Proposal

Jim Manico jim.manico at owasp.org
Fri Oct 9 02:09:31 UTC 2015


One of the great things from Johanna and the project review team was the review of all projects and reclassifying many as "inactive". Processes are already in place to keep this going. The number of incoming new projects is modest and they require basics like a code repository so that empty shell projects are avoided. So again I think the current definition and process around "active project" is reasonable.

--
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me at AppSecUSA 2015!

> On Oct 9, 2015, at 1:25 AM, Tobias <tobias.gondrom at owasp.org> wrote:
> 
> 
>> 
>>> Proposal 3: needs clarification
>>> I think we need to spell out what we mean with an "active chapter" as we are using the term as a criteria in proposal 3? Is that a mailing-list with no traffic and no meetings, but two leaders on the wiki page? Or would "active" mean they have some meetings and maybe a handful of members? My proposal for the definition of "active chapter" would be something like at least 3 emails on the mailing-list in the last year, at least one meeting and at least 5 members. Is this enough to count as active? For "active projects", I am less clear what is an active project? Just a project page with no content and no communication or subscribers on the mailing-list except for the two leaders? Would this already be an active project? Any thoughts how we can describe this term from proposal 3?
>> 
>> The concept of an "active chapter" is defined in Section 2.2 of the Chapter Leader Handbook.  I do not intend to revise that definition as part of this effort.  If you believe that the definition needs work, then I would recommend a separate effort to identify and clarify in that document.  Likewise, I believe that Johanna worked to define requirements around what it means to be an "active project" and undertook an effort to clean out inactives.  If we would like to add language along the lines of "as defined in the Chapter and Project Leader Handbooks", then I am OK with that, but I would prefer to leave the definition of "active" out of the proposal itself as it's something that is likely to change over time.
> 
> Agreed. You are right and it is defined in the handbooks already. That's fine. Thanks for pointing it out. 
> If you are ok, then I think it could still be useful to add the reference to the handbooks as you mention, to help in the future if anything is unclear about what was meant with the term. But it is not required. 
> 
> Btw. I just checked again for projects. FYI from project handbook: "Projects without six months of project activity will be
> automatically tagged as inactive."
> 
> 
>> 
>>> Proposal 4: "Upon creation of a new project or chapter, as long as they have at least two leaders they will be allocated a $500 budget to begin with."
>>> COMMENT: I have been thinking a bit more on Michael's comment last night to reward activity. And I think some reward mechanism for chapter activity and project status would be right. IMO we should be consistent and apply the same criteria for "active" as we did in proposal 3.
>> 
>> I disagree here.  The biggest struggle for new chapter and project leaders is getting funding.  We need to eliminate that struggle.  Obviously, chapters and projects are still subject to requirements and approval by our ops team, as they are today, and that should weed out any issues.  Also, think about the current value of being an OWASP chapter or project leader.  If our goal is to attract more of these types of people to OWASP, then $500 seems like a pretty small amount in the grand scheme of things to incentivize them to do so.
> 
> Noted. I can see your point. 
> But, we may have a different perception on the requirements and approval process by the ops team to create a new chapter/project. In my understanding, today, the barrier to setting up a chapter or project is intentionally very very low. Close to zero. Basically anyone can do it with close to zero evidence. So, I am here a bit more on the side of caution. My concern is to manage the potential risk of abuse. Call it "fiduciary ...".  I trust our community, but independent of trust, we also are responsible (and legally obliged) to put sufficient controls in place before releasing charity funds. With an active chapter or project there are at least some community review controls in place. I am concerned that we would not fulfil our fiduciary duty of protecting foundation money against fraud risks if we assign money immediately without the need for the chapter/project to be active. That is the reason why I proposed this alternative. 
> 
> Do you and others think I am overprotective? 
> 
> It would be helpful for me to hear some further board members' opinion on that before moving to a vote. 
> 
> (On a note: Thinking about it, another way to achieve a higher minimum control of expenses for new projects could be to add some extra review for a new chapter/project expense (e.g. by the ops team, or maybe an active neighbour chapter) before we sign-off on expenses.)
> 
> 
> 
>> 
>>> Proposal 5: Agreed
>> 
>> Cool.
>> 
>>> Proposal 6: propose minor revision of wording to clarify
>>> > Proposal 6: If a request for funding has been approved for one chapter or project, then it can be considered an acceptable 
>>> > expense for all chapters or projects.  If they have an account balance which covers that expense in full, then they should 
>>> > be considered pre-approved for spending.
>>> 
>>> I agree in spirit, but I think this needs clarification and am a bit concerned about liberal interpretations of what is the same expense type. Expenses tend to not be exactly identical and I would like to save chapter and project leads from searching the public expense lists for precedent. As one example, if a flight ticket is approved for a chapter leader to attend the AppSec chapter leader workshop, that should not mean we also approve a flight ticket to the Bahamas for a holiday for another chapter leader. Technically both are flight expenses for chapter leaders. (I know I am splitting hairs...) 
>>> 
>>> Suggested revision: 
>>> Proposal 6: If a request for funding has been approved for one chapter or project, then it can be considered an acceptable expense for all chapters or projects. Our operations team shall periodically (at least once every 3 months) review the list of published expenses and if new expense types come up add them to the published list of acceptable expenses. If the chapters or projects have an account balance which covers that expense in full, then they should be considered pre-approved for spending.
>> 
>> I think that we need to trust people to do the right thing.  To my knowledge, we have never had a person try to request reimbursement for a trip to the Bahamas because someone got a flight paid for to AppSec.  Also, keep in mind that this is a reimbursement process so our Operations Team determines whether a request is legit.  To me, it would seem like you're putting a lot of extra work on the Ops Team with little added benefit since they are still going to have to find a way to write it up so that it will not be misinterpreted.  I think we have reasonable controls in place to prevent abuse and our liability here is minimal.  I don't see a need to revise it in this manner.
> 
> Well, I don't think maintaining a list of good examples is an unnecessarily heavy workload. And in the long run, searching through a long unstructured list of published expense claims will be more workload for both the staff and the community to check for good expense precedents. If we do this one time per quarter, the effort is clearly limited. If we (staff and leaders) have to review an unlimited year-long list for precedent, this seems much more effort. 
> 
>> 
>>> New Proposal 11: 
>>> Building on Michael's and your comment about rewarding active projects. I very much like that idea! 
>>> And I would have a friendly additional proposal. 
>>> Proposal 11: 
>>> Any project newly reaching lab status receives a one-time extra USD500 into their project account. 
>>> Any project newly reaching flagship status receives a one-time extra USD1000 into their project account. 
>>> 
>>> This could add some nice gamification feature for projects that are often underfunded and could make the maturity status of projects more exciting. What do you think about that?
>> 
>> I like it, though, keep in mind that this could end up being in addition to $500 that they haven't spent yet.  Could we modify it to instead say:
>> 
>> Proposal 11:
>> Any project newly reaching lab status with an account balance less than $500 will be brought to $500 as long as there are at least two active leaders at that time.  Any project newly reaching flagship status with an account balance less than $1000 will be brought to $1000 as long as there are at least two active leaders at that time.
>> 
>> That prevents us from adding money to an account with an already large amount of unspent funds, compounding the problem, and continues the requirement of at least two active leaders.
> 
> Agreed. That amendment works for me. 
> 
> Best, Tobias
> 
> 