[Owasp-board] Fwd: Funding and Iran follow up
johanna curiel curiel
johanna.curiel at owasp.org
Wed Aug 24 15:42:52 UTC 2016
---------- Forwarded message ----------
From: Ali Razmjoo <ali.razmjoo at owasp.org>
Date: Wed, Aug 24, 2016 at 11:32 AM
Subject: Re: [Owasp-board] Funding and Iran follow up
To: Matt Tesauro <matt.tesauro at owasp.org>
Cc: johanna curiel curiel <johanna.curiel at owasp.org>, OWASP Board List <
owasp-board at lists.owasp.org>, Reza Espargham <reza.espargham at owasp.org>
@Johanna Thank you for this great subject,
After Iran nuclear deal many of sanctions lifted, and BTW I personally
didn't get any support from OWASP yet (Just once I used the google cloud
service for a few minutes/hours), and just like you said, Projects are
opensource and mostly hosted on github, there are more contributors from
India and ..., So it shouldn't be any trouble in here!
Iranian members are just helping the application security so I don't think
any big consequences coming for OWASP, Abbas also is living in Virginia and
BTW he isn't present in Iran community anymore.
Currently OWASP has two active projects which have Irani leaders (VBScan
and ZSC) and both are growing very fast. I think OWASP Board members should
try to find a way to support these projects, in this case by supporting
Iranian or projects or the projects who Iranian are working on, We can have
an appsec conference in Iran soon ...
I understand that right now OWASP can't fund us directly but it could
support and investing by other ways, Sanctions are not stable anymore and I
hope they will be all lifted soon, and OWASP could be the first foreign
community/org to be present here after Political deals.
BTW I don't know what kind of risk you are talking about if there isn't
any economic exchange ?!!
Ali Razmjoo <https://twitter.com/Ali_Razmjo0>
Iran Chapter Leader <https://www.owasp.org/index.php/Iran>
OWASP ZSC Project Leader
On Wed, Aug 24, 2016 at 7:43 PM, Matt Tesauro <matt.tesauro at owasp.org> wrote:
> Answering inline for sake of efficiency...
> TLDR: The Foundation noticed a potential problem, realized that
> understanding the problem will require expertise it doesn't have and the
> Foundation is getting the advice from those that do have expertise in that
> On Wed, Aug 24, 2016 at 9:04 AM, johanna curiel curiel <
> johanna.curiel at owasp.org> wrote:
>> Board members,
>> The following issue was mentioned during the board meeting yesterday:
>> "Projects, Funding and Iran - Matt Tesauro & Claudia Casanovas
>> We have several projects with leaders or co-leaders located in Iran. This
>> makes funding those projects problematic due to the OWASP Foundation being
>> a US charity and the economic sanctions imposed by the US. For background,
>> see the US Dept of State Iran Sanction site
>> <http://www.state.gov/e/eb/tfs/spi/iran/index.htm>. Details of the
>> projects in question are in the Projects Report for this month, slide 5
>> *Since any funding of activities in Iran represents a risk to the
>> Foundation, the staff is asking for the board to determine how the
>> Foundation will interact with any community members or project leaders
>> which are located in Iran*"
>> Now that this issue has been raised after so many years having a
>> Project Leader from Iran (Abbas Naderi) and even a project leader that was
>> considered to be part of the board and was a board candidate, I'm
>> requesting a clarification and solution, meaning that once you have raised
>> this subject, the situation should be clarified asap.
> The existence of a risk and the knowledge of that risk being a factor for
> an entity are two separate things. Let me use an analogy to make this
> If I drive on a road at 45 miles per hour (mph) without knowing the posted
> / legal speed limit and that limit is 35 mph, I am at risk of getting a
> speeding ticket. I could drive for an arbitrary amount of time not
> realizing the speed limit of that road and therefore not realizing the risk
> I was taking. If a passenger in the car suggested to me that the speed
> limit may be lower than 45 mph, I would then be aware of a potential risk
> and, should I not want a speeding ticket, I would do the work to determine
> what the speed limit is on that road - and maybe even drive a bit slower
> until I knew for sure.
> That is the essence of what has happened here. Timing or the parties
> involved had nothing to do with the realization that there _may_ be legal
> problems when the Foundation interacts with parties in Iran. You were on
> the email thread where this issue was raised - I don't recall who raised
> the issue but that is, to be honest, irrelevant.
>> I did consult a lawyer but he mentioned that in this case, being OWASP a
>> US non-profit foundation, to consult a lawyer knowledgeable in these
>> matters, not just any lawyer.
> I am not sure who the 'he' is in the above sentence but the Board, as a
> whole, took the action to have Kate engage with the law firm the Foundation
> has retained to look into this matter and determine both what the current
> laws of the US say about interaction with Iran and what, if any, exposure
> to legal risk/sanction the Foundation. I agree with the Board's decision
> that, since none of us in the Board meeting had any expertise in these
> matters, utilizing the services of the Foundation's law firm was a valid
> method to determine our risk and make an informed decision on how best to
> interact with the OWASP community in Iran.
> I find it very regrettable that because of actions of various government
> bodies, we need to take this extra step with the OWASP community in Iran
> but as much as the Internet has removed borders for communication and
> information sharing, we all live in one or another country and are subject
> to that country's laws.
> I'd also like to note that the fact that the Foundation wants to
> understand any legal risks that may exist in this case DOES NOT lessen the
> value the OWASP community places on the contributions from those
> community members in Iran.
>> So far, none of the Iranian leaders have received any goods or financial
>> support from OWASP. There is no commercial exchange between Iranian leaders
>> and OWASP, however, the restrictions go so far including exchange of
>> services or goods, or any kind of financial support, such as sponsoring.
>> In this case, many of the support/services provided by OWASP, could be seen
>> as an exchange of services.
>> I'm not a lawyer and since we are talking about a very specific
>> situation, OWASP needs to define this situation asap because the
>> consequences for OWASP can be quite big.
> Nor was anyone on the Board call yesterday, hence the action to reach out
> to the Foundation retained law firm. I do not know if US law only
> covers funding or 'material support', nor is speculating particularly
> useful; hence the use of a lawyer.
>> *One of the projects that I co-lead, is technically nor can be considered
>> an 'Iranian' project, so please let's not call it that way. The Projects are
>> not from Iran, the projects are open source, anyone can reach them and they
>> are co-lead/lead by someone from Iran. So please, correct this naming that
>> brings confusion and the wrong tone to this issue.*
> I appreciate that, in your opinion the project you co-lead isn't subject
> to the Iran sanctions, but I'd much prefer to get an opinion from a legal
> expert - which is what the Foundation is doing.
>> Given this situation, it is clear that OWASP requires the advice of a
>> knowledgeable lawyer specialised in these cases, considering also that some
>> of the sanctions have been lifted and what that means for OWASP if it provides
>> support of goods or services.
> Yup. That's exactly what the Board said it was going to do on the call
> you attended yesterday. The call was recorded and should be posted in the
> next day or two.
>> Please let us know asap, the next steps. I hope there are some actions
>> after this issue has been raised, so Ali and Reza, including me, know what
>> to expect.
> Once the Foundation has received advice from their legal firm and
> understands what, if any, changes need to happen with community members in
> Iran, we'll not only let those involved know but will document it
> publicly. O is for Open after all.
> -- Matt Tesauro
>> Johanna Curiel