[Owasp-board] Discussion on Proposal 6

Matt Konda matt.konda at owasp.org
Tue Oct 13 02:26:30 UTC 2015

I'm still considering #6 as are all but Josh and Jim based on this
discussion thread.

I am supportive of the idea behind it and would vote yes if it came to a

Honestly, I don't think it is risky but I don't think I grasp the
motivation - perhaps Josh and/or Paul could elaborate on how this might
help the Foundation.


On Fri, Oct 9, 2015 at 4:18 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> Andrew,
> I definitely hear you, but we have rules in place to even prevent that.
> For example Section 4.10 of the Chapter Leader Handbook
> <https://www.owasp.org/index.php/Chapter_Handbook/Chapter_4:_Chapter_Administration#.28Signing.29_Contracts>
> says that "Chapter leaders are not authorized to sign contracts or enter
> into any legal agreements on behalf of the OWASP Foundation".  You will not
> have any sort of a $50k venue guarantee for services without a signed
> contract.  This is the control that prevents abuse in that specific
> situation.  There are many others.
> Also, keep in mind that they are authorized only so long as "*they have
> an account balance which covers that expense in full*".  So, if a Chapter
> or Project has $50k in their account, and wants to spend it on a venue for
> a conference, why should we stand in their way or require additional
> approvals if others have done the exact same thing in the past?  The
> limiting factor here is their account balance and we need to empower them
> to spend it how they desire as long as it is in adherence with the OWASP
> mission.
> Tobias: This has not been motioned or seconded yet.  I put it out there
> for discussion first, since there was not a general consensus on it.
> ~josh
> On Fri, Oct 9, 2015 at 3:49 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>> As our mailing-list got a bit swamped, this might have got lost in the
>> hundred voting emails, do we have any further discussion elements on this
>> one?
>> And if people would like to vote on this, can they please confirm that they have
>> at least acknowledged this discussion when casting their vote?
>> Thanks, Tobias
>> On 09/10/15 14:17, Andrew van der Stock wrote:
>> I am really keen to reduce the amount of bureaucracy involved in expense
>> management, but this is a really well trodden path in every single SME to
>> major enterprise.
>> My main concern is no upper bounds on pre-approved expenses. This means
>> that a local chapter that managed to get an approval for a $50k conference
>> centre fee, say AppSec AU in 2011, would mean that all chapters would be
>> automatically allowed to claim that expense too. I want to enable that,
>> whilst not allowing us to be hit with hundreds of large conferences being
>> organised throughout the year. We simply don't have the staff bandwidth nor
>> the funds to do that today.
>> Typical financial governance is pre-approval for expenses under a certain
>> dollar value, and a single sign off within the Foundation approval for
>> expenses between say the cut off and say a $10k limit, and senior
>> management approval above $10k. In my view, we can hit the home run we all
>> are looking for, whilst still maintaining good financial governance over
>> major expenses whilst not ruling out ANY type of expense that a chapter
>> might be able to come up with.
>> My view is that we go through all the paid out expenses over the last two
>> years, and work out some limits. We can tummy tussle over the exact limits,
>> but I feel the following would be a good start:
>> $0 - $1500 should cover nearly all expenses paid to date along with the
>> above proposal's list of pre-approved expenses
>> $1500 to $10k should be an approval level granted to a project
>> coordinator or chapters coordinator. All expenses are subject to sign off
>> prior to incurring the expense
>> $10k ... $100k is within the signing range of the Executive Director, and
>> would require pre-approval before incurring the expense
>> Above $100k would require Exec Dir + Board approval.
>> That way, local area conference bills of $50k don't hit us without
>> forewarning, and yet we have the flexibility of allowing LAScon and AppSec
>> Cali to work without a special rule or budgetary process. The majority of
>> projectors, catering, room fees, and so on would never be huge amounts of
>> work for Foundation staff.
>> I think it hits what you're trying to achieve without opening us up to
>> some serious financial problems down the track.
>> thanks,
>> Andrew
>> On Fri, Oct 9, 2015 at 1:20 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>> Here is the current text for proposal 6:
>>> *If a request for funding has been approved for one chapter or project,
>>> then it can be considered an acceptable expense for all chapters or
>>> projects.  If they have an account balance which covers that expense in
>>> full, then they should be considered pre-approved for spending.*
>>> *Tobias:*
>>> I agree in spirit, but I think this needs clarification and am a bit
>>> concerned about liberal interpretations of what is the same expense type.
>>> Expenses tend to not be exactly identical and I would like to save chapter and
>>> project leads from searching the public expense lists for precedent. As
>>> one example if a flight ticket is approved for a chapter leader to attend
>>> the AppSec chapter leader workshop, that should not mean we also approve a
>>> flight ticket to Bahamas for holiday for another chapter leader.
>>> Technically both are flight expenses for chapter leaders. (I know I am
>>> splitting hairs...)
>>> Suggested revision:
>>> Proposal 6: If a request for funding has been approved for one chapter
>>> or project, then it can be considered an acceptable expense for all
>>> chapters or projects. Our operations team shall periodically (at least once
>>> every 3 months) review the list of published expenses and if new expense
>>> types come up add them to the published list of acceptable expenses. If the
>>> chapters or projects have an account balance which covers that expense in
>>> full, then they should be considered pre-approved for spending.
>>> *Josh:*
>>> I think that we need to trust people to do the right thing.  To my
>>> knowledge, we have never had a person try to request reimbursement for a
>>> trip to the Bahamas because someone got a flight paid for to AppSec.  Also,
>>> keep in mind that this is a reimbursement process so our Operations Team
>>> determines whether a request is legit.  To me, it would seem like you're
>>> putting a lot of extra work on the Ops Team with little added benefit since
>>> they are still going to have to find a way to write it up so that it will
>>> not be misinterpreted.  I think we have reasonable controls in place to
>>> prevent abuse and our liability here is minimal.  I don't see a need to
>>> revise it in this manner.
>>> *Tobias:*
>>> Well, I don't think to maintain a list of good examples is unnecessarily
>>> heavy workload. And in the long run, searching through a long unstructured
>>> list of published expense claims will be more work load for both the staff
>>> and the community to check for good expense precedents. If we do this one
>>> time per quarter, the effort is clearly limited. If we (staff and leaders)
>>> have to review an unlimited year long list for precedent, this seems much
>>> more effort.
>>> *Josh:*
>>> In theory we are supposed to be maintaining a list of good examples
>>> already.  Some of them are listed in the Chapter and Project Leader
>>> Handbooks.  That said, they aren't anywhere close to all of the possible
>>> things one would want to spend their money on.  The idea here was simply to
>>> maintain the running list of all expenses that are approved or denied
>>> (proposal 5) and use that to drive spending.  Again, I think this comes
>>> down to a matter of trust.  We need to trust our Leaders to do the right
>>> thing.  We need to trust the staff to ensure that the reimbursement is
>>> legitimate before sending them a check.  With so many complaints about
>>> difficulties with the reimbursement process (as much as I've never seen
>>> them), we should be looking for ways to strip away the red tape, not add
>>> more of it.
>>> ~josh
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board