[Owasp-board] Discussion on Proposal 4

Tobias tobias.gondrom at owasp.org
Fri Oct 9 20:49:22 UTC 2015

As our mailing-list got a bit swamped, this might have got lost in the 
hundred voting emails, do we have any further discussion elements on 
this one?
And if people like vote on this, can they please confirm that they have 
at least acknowledged this discussion when casting their vote?
Thanks, Tobias

On 09/10/15 14:29, Andrew van der Stock wrote:
> At the moment, and I would love to hear from the large project leaders 
> here too, is that prior to this initiative, it was too hard for 
> projects to spend money on anything really useful.
> I worked with Sam and applied for DHS grants expecting to be able to 
> take some time off to work on the Developer Guide. The brouhaha was so 
> much that I never felt I could use the granted DHS grant money granted 
> specifically for us to work on the Developer Guide to work on the 
> Developer Guide. In the end, I used some of the funds to go AppSec USA 
> 2013 to try and build some community, but was put into a really small 
> room, and I ended up speaking to 10 folks who already knew about the 
> Dev Guide. I got more out of the Project Summit than I did out of my talk.
> I don't want to get stuck into the past problems as we're trying to 
> solve a general problem here, but giving new projects $500 when it's 
> really hard for them to spend that money on anything useful is ... 
> another form of ring fencing.
> I am prepared to be proven wrong, but I would hate for $500 * 130 = 
> $65k to be so thinly spread that no one project can't do anything 
> useful with it, but all projects as a whole have $65k less than they 
> do today. This is the problem with the entire Community Engagement 
> Funding, which unless you knew it existed, also doesn't get spent. 
> You've already used CEF as an example of projects not spending money 
> in previous go arounds on this topic.
> My view right now is not to vote yes on this one until we have a 
> really good discussion about eliminating barriers for projects to 
> spend their funds. This might need to be done later with a second 
> proposal to work out a perpetual project summit budget, or alternative 
> ideas such as VPS credits with our labs solution.
> thanks
> Andrew
> On Fri, Oct 9, 2015 at 1:10 PM, Josh Sokol <josh.sokol at owasp.org 
> <mailto:josh.sokol at owasp.org>> wrote:
>     Here is the current text for proposal 4:
>     *Upon creation of a new project or chapter, as long as they have
>     at least two leaders they will be allocated a $500 budget to begin
>     with.*
>     _*Tobias:*_
>     COMMENT: I have been thinking a bit more on Michael's comment last
>     night to reward activity. And I think some reward mechanism for
>     chapter activity and project status would be right. IMO we should
>     be consistent and apply the same criteria for "active" as we did
>     in proposal 3.
>     _*Josh:*_
>     I disagree here.  The biggest struggle for new chapter and project
>     leaders is getting funding.  We need to eliminate that struggle. 
>     Obviously, chapters and projects are still subject to requirements
>     and approval by our ops team, as they are today, and that should
>     weed out any issues. Also, think about the current value of being
>     an OWASP chapter or project leader.  If our goal is to attract
>     more of these types of people to OWASP, then $500 seems like a
>     pretty small amount in the grand scheme of things to incentivize
>     them to do so.
>     _*Tobias:*_
>     Noted. I can see your point.
>     But, we may have a different perception on the requirements and
>     approval process by the ops team to create a new chapter/project.
>     In my understanding, today, the barrier to setting up a chapter or
>     project is intentionally very very low. Close to zero. Basically
>     anyone can do it with close to zero evidence. So, I am here a bit
>     more on the side of caution. My concern is to manage the potential
>     risk of abuse. Call it "fiduciary ...".  I trust our community,
>     but independent of trust, we also are responsible (and legally
>     obliged) to put sufficient controls in place before releasing
>     charity funds. With an active chapter or project there are at
>     least some community review controls in place. I am concerned that
>     we would not fulfil our fiduciary duty of protecting foundation
>     money against fraud risks if we assign money immediately without
>     the need for the chapter/project to be active. That is the reason
>     why I proposed this alternative.
>     Do you and others think I am overprotective?
>     It would be helpful for me to hear some further board members'
>     opinion on that before moving to a vote.
>     (On a note: Thinking about it, another way to achieve a higher
>     minimum control of expenses for new projects could be to add some
>     extra review for a new chapter/project expense (e.g. by the ops
>     team, or maybe an active neighbour chapter) before we sign-off on
>     expenses.)
>     _*Josh:*_
>     The barrier may be low, but it is definitely not zero. Noreen
>     provided a bit of insight into her process for vetting chapter
>     leaders at the Leader Sessions at AppSec.  She looks at resumes,
>     loosely looks for associated references, etc.  We also have
>     qualifications around the locations for new Chapters.  I'm not as
>     familiar as the process for Projects, but ultimately I don't think
>     any of that matters much.  Putting money in an account is no
>     different than what happens today. What matters are the controls
>     around how that money gets spent.  Personally, I think you are
>     being too overprotective here and we have controls in place to
>     address your concern, but I'm open to the opinions of others.
>     ~josh
>     _______________________________________________
>     Owasp-board mailing list
>     Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
>     https://lists.owasp.org/mailman/listinfo/owasp-board
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20151009/4444f32e/attachment.html>

More information about the Owasp-board mailing list