[Owasp-board] [Governance] Stepping down from Project Reviews

johanna curiel curiel johanna.curiel at owasp.org
Wed Sep 2 19:42:36 UTC 2015


2. Confusing reimbursement process.  Personally, I've always felt that the
instructions (https://www.owasp.org/index.php/Funding) were pretty easy to
follow and I've done it many times.  What about it needs to be clarified?
Is there a way to make this easier to follow?

The steps should be more 'baby steps'. And the information of "Application
Process" should be at the beginning and not the bottom.

I highlighted some of the information that I see as confusing
Application Process

   1. *Upfront* the chapter leader, speaker, or person leading the
   initiative submits a community engagement request (event details, who to
   cover, etc...) *REQUEST FUNDING HERE <http://sl.owasp.org/contactus>* The
   request will be reviewed by the OWASP Staff. If the request is within the
   rules (see above) it will be rapidly approved.
   2. The speaker who made the travel/lodging expenses, or the chapter
   leader who paid for meeting space, food or supplies, submits a reimbursement
   request <http://sl.owasp.org/reimbursement-request>, including receipts,
   after the presentation is performed. Chapter leaders may also use this form
   to request direct payment to vendors (with prior approval) by supplying a
   copy of the invoice and payee details. Note: Travel can also be booked
   through the Foundation's travel management system.
   3. If the funds required to support the event exceed the documented
   threshold, then a request should be submitted for the entire anticipated
   amount.
   4. The Reimbursement is approved and processed.


Try to read as if you know nothing of OWASP. Is this really clear?

My issues with the info for new people:

   - Upfront? What if I'm the person leading the initiative? Do I
   need to ask someone else?
   - What is community engagement request?
   - What is the "community fund"?
   - The speaker? What if I need funds for things other than speaking or a
   meeting place, for resources such as VMs or other things?
   - "Reimbursement request" meaning I have to make the cost before I get
   paid?
   - What are the "documented threshold amounts"?
   - Again the word reimbursement, so I must pre-finance the costs, uff no
   money for that in my wallet, forget about asking for help


On Wed, Sep 2, 2015 at 3:25 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> Johanna,
>
> I understand that there wasn't any competition, but still, somebody
> thought enough of you to nominate you.  I've been involved in OWASP for
> over 8 years, served as OWASP Austin Chapter Leader for 2 years, Chaired
> the Global Chapters Committee, and am on the OWASP Board and I've never
> been nominated for one.  Recognition comes in many different forms.
> Sometimes it's very "out there" like in the case of a WASPY, but more often
> it's just an occasional person who says "Thanks for doing that."  In any
> case, if you've never heard it from me, I think that you have done
> wonderful things with the project reviews.  Volunteerism is often a
> thankless job, but personally, I understand that it's not easy and
> appreciate the efforts that you've made.
>
> In terms of policies, it seems that you've identified a few things that
> could use improvement.
>
> 1. Lack of answer on the form submission.  This one really surprises me as
> the whole purpose of the service ticket system is to be able to better
> track the requests that come in and making sure they are responded to.  Did
> this happen before this system was in place?  If not, how did you handle it
> when the request wasn't responded to in a reasonable period of time?
>
> 2. Confusing reimbursement process.  Personally, I've always felt that the
> instructions (https://www.owasp.org/index.php/Funding) were pretty easy
> to follow and I've done it many times.  What about it needs to be
> clarified?  Is there a way to make this easier to follow?
>
> 3. The whole reimbursement process.  I understand that not everyone has a
> credit card or can put significant funds on their card and agree that this
> should not be an expectation.  That said, OWASP has a credit card that the
> staff is able to use to pay things like this.  Maybe the process for
> requesting needs to make this an option?  That seems like a pretty
> reasonable request to me.  Matt Tesauro also mentioned that the Board in
> the past evaluated the idea of having some sort of limited spending card
> that we could give to project and chapter leaders.  That may be another
> solution for this particular issue.
>
> 4. Funding amounts.  You bring up an interesting idea.  Can we base an
> annual fund allocation for projects on their project level according to the
> review process?  I would think the answer would be yes and we could empower
> the more active and mature projects to spend more funds.  It's an idea
> certainly worth exploring further.
>
> ~josh
>
> On Wed, Sep 2, 2015 at 2:06 PM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>
>>  You did a fantastic job with those for a very long time and with little
>> recognition for it, though I do think you won a WASPY for it, didn't you?
>>
>> Yes for the 'Caribbean region' I had no competitor so that was easy😁😝
>>
>> *Josh,* from my experience it is a lack of answer when I did my
>> submissions through the form. And when I have followed up regarding this,
>> most of the time 'no answer' is the issue.
>>
>> The wiki page is maybe clear for some but for many others it can be very
>> confusing how to ask for funds. The information right now is based on a
>> reimbursement process and not financed and paid directly by OWASP.
>>
>> Not everyone has a credit card to charge, let alone charge the credit
>> card with a certain amount of money and wait until you get paid by the
>> foundation.
>>
>> These things can happen and do happen because of many recent changes I
>> think (new Executive director, new people, maybe too many requests and no
>> capacity to handle?)
>>
>> There is an internal process that needs to be reviewed including the
>> information on the wiki page. I think we just need to make that info clear
>> and follow up with the staff regarding unanswered requests.
>>
>> >What is a reasonable approach to making sure that limited funds are
>> spent on the things that matter most and in alignment with the OWASP
>> mission?
>>
>> This is where reviews for projects play a big role. If the project has a
>> healthy level of activity, and also we need to evaluate if that activity
>> serves directly the mission, then it should get the funds. There you see
>> that a process must be in place to support this and I'm sure that for the
>> staff to do this alone is not simple because how can you differentiate
>> proposals?
>>
>> Let me create a proposal for this part and see how we can come up with a
>> first step towards this issue. I think we should begin there.
>>
>> On Wed, Sep 2, 2015 at 2:41 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>>> Johanna,
>>>
>>> You have both my attention and my support with this initiative and I
>>> agree that it's, at least at this point in time, a far better use of our
>>> time than in trying to wrangle with project reviews and whatnot.  You did a
>>> fantastic job with those for a very long time and with little recognition
>>> for it, though I do think you won a WASPY for it, didn't you?  At least
>>> that's something.  In any case, let's figure out how to build those stairs
>>> to reach those bananas.  If it requires changing some policies to make
>>> funds more accessible, then I can definitely help to push those changes.
>>> What policies currently stand in your way (ie. what is the rationale for
>>> being told "no")?  What new policies would be reasonable?  What is a
>>> reasonable approach to making sure that limited funds are spent on the
>>> things that matter most and in alignment with the OWASP mission?
>>>
>>> ~josh
>>>
>>> On Wed, Sep 2, 2015 at 12:05 PM, johanna curiel curiel <
>>> johanna.curiel at owasp.org> wrote:
>>>
>>>> >I certainly cannot speak for all Projects, but every time I tried to
>>>> get the things I needed for a project, I got either a deny or a big
>>>> silence. So the first thing needed is, if there is money available, more
>>>> communication and an easy way to get to it[....] In summary, my
>>>> experience in getting money or support for OWASP projects is bad. IMHO,
>>>> this is why so many projects die.
>>>> [...]And lastly, I did not compare Chapters and Projects. I did
>>>> compare the treatment that they get from OWASP.
>>>>
>>>> You are not the only one with the same issues. I have the same
>>>> experience too, as do many others.
>>>>
>>>> Let's accept that we have a problem and no, I don't blame the Board for
>>>> that, but I'm asking your attention and we have to admit that we need to
>>>> work on this. And the person asking your attention is a volunteer who has
>>>> dedicated her time the last 3 years trying to improve a system and
>>>> contributing in multiple activities, I think I deserve a small
>>>> acknowledgement for that.
>>>>
>>>> This is part of the evolution OWASP is having from small to bigger
>>>> organisation. A natural process. From US to Global.
>>>>
>>>> What I mean with a good platform in place is more than money in the
>>>> community fund.
>>>>
>>>> That money  feels like a banana hanging too high to reach and no stairs
>>>> to reach it for project leaders.
>>>>
>>>> Platform means communication, managing resources , support and much
>>>> more. And money helps but a good plan is necessary.
>>>>
>>>> It means having the stair (the platform) to make available those funds,
>>>> so they become available.
>>>>
>>>> And I know that the problem is we have not worked on creating the
>>>> 'stair'.
>>>>
>>>> This is where I want to dedicate my efforts so I will submit to form a
>>>> committee to create the stair for better development of OWASP projects. I
>>>> care about them, I use them, I want to see fair opportunities for everyone.
>>>>
>>>>
>>>> On Wed, Sep 2, 2015 at 11:42 AM, Lucas Ferreira <
>>>> lucas.ferreira at owasp.org> wrote:
>>>>
>>>>> Josh,
>>>>>
>>>>> I certainly cannot speak for all Projects, but every time I tried to
>>>>> get the things I needed for a project, I got either a deny or a big
>>>>> silence. So the first thing needed is, if there is money available, more
>>>>> communication and an easy way to get to it.
>>>>>
>>>>> I will put here my experience. Others can say if they face similar
>>>>> issues or not.
>>>>>
>>>>> First, as part of the
>>>>> https://www.owasp.org/index.php/OWASP_Brasil_Manifesto, I tried to
>>>>> get money to pay for a professional public relations person/company to help
>>>>> us promote the manifesto to the Brazilian congress. I learnt the hard way
>>>>> (from organizing AppSec conferences) that a good PR person can make a real
>>>>> difference. At the time, I asked for USD 2600 to pay the PR but could not
>>>>> get the money.
>>>>>
>>>>> Second, as part of
>>>>> https://www.owasp.org/index.php/OWASP_File_Hash_Repository, I needed
>>>>> a server to use to deploy the initial code and help collecting data. I also
>>>>> needed a DNS entry. I ended up paying for the VM myself and used my own
>>>>> private domain for the DNS because I could not get it from OWASP.
>>>>>
>>>>> Lastly, as part of
>>>>> https://www.owasp.org/index.php/OWASP_Portuguese_Language_Project, we
>>>>> tried to get money to hire translators and professional writers to work
>>>>> with the more tech oriented volunteers with no luck.
>>>>>
>>>>> In summary, my experience in getting money or support for OWASP
>>>>> projects is bad. IMHO, this is why so many projects die.
>>>>>
>>>>> And just to be sure, unlike Johanna, I think money is a big issue as
>>>>> it could be used to remove some of the load from volunteers. An example is
>>>>> the translation projects: we could leverage the knowledge of our network of
>>>>> volunteers, without requiring them to do all the work, by relying on
>>>>> professional services. So, the issue is to have money to buy the services
>>>>> needed by the projects, from VMs to professional services.
>>>>>
>>>>> And lastly, I did not compare Chapters and Projects. I did compare the
>>>>> treatment that they get from OWASP.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Lucas
>>>>>
>>>>>
>>>>> On Wed, Sep 2, 2015 at 5:06 PM Josh Sokol <josh.sokol at owasp.org>
>>>>> wrote:
>>>>>
>>>>>> I believe Johanna said "It's not about money".  Every time I hear
>>>>>> someone say that it is, I cringe a little because I know that we allocated
>>>>>> $50,000 in Community Engagement Funding this year to projects alone and
>>>>>> have $15,650 of that remaining (
>>>>>> https://owasp.org/index.php/Community_Engagement_-_Payments).  I
>>>>>> also know that if there's a need that goes beyond what is budgeted, we have
>>>>>> ways to make that happen outside of this channel.  For example, when Dinis
>>>>>> asked for $100,000 for a Project Summit, we said "Give us a plan and we'll
>>>>>> discuss."
>>>>>>
>>>>>> I also cringe when I hear people compare the Projects to the Chapters
>>>>>> or vice versa.  They are both unique and important to OWASP.  Both have
>>>>>> needs that we need to satisfy.  Chapters have historically been more
>>>>>> successful in fundraising because of the large volume of people involved
>>>>>> with them, but that doesn't make them better or worse.  Just different.
>>>>>> Let's be honest, the Chapter model of fundraising doesn't really work for
>>>>>> Projects.  That's ok...we just need to find other ways.
>>>>>>
>>>>>> So, let's assume that money is not an issue.  What are the needs that
>>>>>> our Projects have that OWASP is not currently fulfilling?  I don't claim to
>>>>>> be an expert on Projects.  I don't routinely work with them and the one
>>>>>> project that I tried to start at OWASP died a very quick death.  It was an
>>>>>> issue with time and volunteerism, though, and had nothing to do with the
>>>>>> OWASP platform.  I understand and agree that it's not about things you can
>>>>>> get for free like GitHub or wiki pages.  So, what is it?  What do you
>>>>>> need?  We have an in-house graphic designer.  We have companies that we
>>>>>> work with for publishing.  We hired a full-time person to help with
>>>>>> projects.  If there are needs that aren't being met here, then what are
>>>>>> they?  What can OWASP do to make Projects more successful?
>>>>>>
>>>>>> ~josh
>>>>>>
>>>>>> On Wed, Sep 2, 2015 at 9:39 AM, Lucas Ferreira <
>>>>>> lucas.ferreira at owasp.org> wrote:
>>>>>>
>>>>>>> Dear Johanna,
>>>>>>>
>>>>>>> it is very sad that you are stepping down, but you nailed it when
>>>>>>> you said:
>>>>>>>
>>>>>>> "I hope that in the future there is a clear perspective how to help
>>>>>>> projects develop better. So far I have not seen major initiatives directed
>>>>>>> on improving a platform. A platform is not a wiki page, not a github
>>>>>>> account, these things are already free without OWASP support."
>>>>>>>
>>>>>>> For a long time already, I have had the same feeling that OWASP is
>>>>>>> always discussing chapters and their bank accounts and never
>>>>>>> projects. I just hope one day OWASP will be able to see that projects are
>>>>>>> what makes OWASP known and respected.
>>>>>>>
>>>>>>> I have talked to a few leaders of open-source projects about
>>>>>>> bringing their projects to OWASP and, in the end, the feeling is that all
>>>>>>> they would get is the ability to benefit from the OWASP "brand". We should
>>>>>>> offer project leaders more than the opportunity to beg chapters for money.
>>>>>>>
>>>>>>> Regards and good luck,
>>>>>>>
>>>>>>> Lucas
>>>>>>>
>>>>>>> On Wed, Sep 2, 2015 at 4:19 PM johanna curiel curiel <
>>>>>>> johanna.curiel at owasp.org> wrote:
>>>>>>>
>>>>>>>> Members of the board,
>>>>>>>>
>>>>>>>> I have decided to step down from the project reviews activities.
>>>>>>>>
>>>>>>>> I have been doing continuous reviews the last 2 years, especially
>>>>>>>> the last year I was quite involved in a major clean up in the project
>>>>>>>> inventory, together with other members that participated on an on/off
>>>>>>>> basis.
>>>>>>>>
>>>>>>>> That does not mean I'll step down from every activity I have been
>>>>>>>> working on the last years at OWASP. Indeed, now I'll focus my attention on
>>>>>>>> those activities that I feel have provided me with a higher level of reward
>>>>>>>> and a grateful feeling.
>>>>>>>>
>>>>>>>> Unfortunately, I cannot say the same for reviewing projects. The
>>>>>>>> greatest reward I had from that activity is what I learned from many
>>>>>>>> projects for the last 2 years, not just looking, but downloading, testing and
>>>>>>>> using them and volunteering on their activities.
>>>>>>>>
>>>>>>>> It is a ticklish activity that has provided me very little
>>>>>>>> satisfaction but disappointment. Never seems to be enough even when people
>>>>>>>> have little idea how much time is needed to use an open source project,
>>>>>>>> let alone understand it. I'm a volunteer, not an OWASP employee. Let's
>>>>>>>> clarify that for people that might read this.
>>>>>>>>
>>>>>>>> I think Claudia, as her predecessor, Kait-Disney did, can surely
>>>>>>>> help maintain inactive/active projects monitoring. Another ticklish
>>>>>>>> activity where we hear many complaints regarding inactive projects wanted to
>>>>>>>> keep alive. Politically driven necessities to have wiki pages of empty
>>>>>>>> projects, that's what we finished and hope you can continue for the sake of
>>>>>>>> users.
>>>>>>>>
>>>>>>>> The actual situation is that Project leaders are definitely on
>>>>>>>> their own, and they should understand that: when it comes to having a
>>>>>>>> platform at OWASP for developing projects, they have very little support on
>>>>>>>> this.
>>>>>>>>
>>>>>>>> It's not about money, it is about a platform, a process and a way to
>>>>>>>> be able to make a project a reality no matter if you are in India,
>>>>>>>> Pakistan, or Africa. The inequality between these worlds is very obvious
>>>>>>>> when we look at projects in US or EU compared to 'developing countries'.
>>>>>>>> Big security companies are not behind these leaders to support them with
>>>>>>>> time or resources.
>>>>>>>>
>>>>>>>> I hope that in the future there is a clear perspective how to help
>>>>>>>> projects develop better. So far I have not seen major initiatives directed
>>>>>>>> on improving a platform. A platform is not a wiki page, not a github
>>>>>>>> account, these things are already free without OWASP support.
>>>>>>>>
>>>>>>>> I think people hoping to secure their web applications using OWASP
>>>>>>>> tools, can have better ways for doing it if more energy is directed towards
>>>>>>>> supporting a better structure for developing OWASP projects.
>>>>>>>>
>>>>>>>> This is where my energy will be from now on. Hopefully with the
>>>>>>>> right support.
>>>>>>>>
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>> Johanna
>>>>>>>> _______________________________________________
>>>>>>>> Governance mailing list
>>>>>>>> Governance at lists.owasp.org
>>>>>>>> https://lists.owasp.org/mailman/listinfo/governance
>>>>>>>>