[Owasp-board] Fwd: Funding and Iran follow up
matt.tesauro at owasp.org
Wed Aug 24 16:04:38 UTC 2016
> ---------- Forwarded message ----------
> From: Ali Razmjoo <ali.razmjoo at owasp.org>
> Date: Wed, Aug 24, 2016 at 11:32 AM
> Subject: Re: [Owasp-board] Funding and Iran follow up
> To: Matt Tesauro <matt.tesauro at owasp.org>
> Cc: johanna curiel curiel <johanna.curiel at owasp.org>, OWASP Board List <
> owasp-board at lists.owasp.org>, Reza Espargham <reza.espargham at owasp.org>
> Hello All,
> @Johanna Thank you for this great subject,
> After the Iran nuclear deal many of the sanctions were lifted, and BTW I personally
> didn't get any support from OWASP yet (Just once I used the Google cloud
> service for a few minutes/hours), and just like you said, Projects are
> open source and mostly hosted on GitHub, there are more contributors from
> India and ..., So it shouldn't be any trouble in here!
> Iranian members are just helping the application security so I don't think
> any big consequences coming for OWASP, Abbas also is living in Virginia and
> BTW he isn't present in Iran community anymore.
> Currently OWASP has two active projects which have Irani leaders (VBScan
> and ZSC) and both are growing very fast. I think OWASP Board members should
> try to find a way to support these projects, in this case by supporting
> Iranian or projects or the projects who Iranian are working on, We can have
> an appsec conference in Iran soon ...
> I understand that right now OWASP can't fund us directly but it could
> support and investing by other ways, Sanctions are not stable anymore and I
> hope they will be all lifted soon, and OWASP could be the first foreign
> community/org to be present here after Political deals.
> BTW I don't know what kind of risk you are talking about if there isn't
> any economic exchange ?!!
I don't know of the specific risk and that's the point - these are
_potential_ risks. I've not read the current statutes/laws on the US Iran
sanctions. Even if I had, I am not a lawyer nor is anyone on this list to
I do know that there are some sort of sanctions placed on Iran by the US
government and the OWASP Foundation is a charity under US law. I do know
that in some cases, the specific language of sanctions in the past have
included the phrases like "material support" which is more than just
financial/funds exchange. I have no clue if that's part of the current
Since none of us know or have the specific legal background to make
reasonable recommendations, the Foundation is going to talk to those that
Based on the advice provided by those with legal backgrounds in US law
hired by the Foundation, I see one of two things happening:
(1) Nothing changes. What we have done in the past is acceptable under US
(2) Something changes so that the Foundation complies with the current US
laws around Iran sanctions.
So, please be patient while we gather the information the Board needs to
make one of those choices above.
Here's a non-authoritative resource on what 'material support' means to
get an idea of what _may_ potentially be in scope:
-- Matt Tesauro
> Sincerely yours,
> Ali Razmjoo <https://twitter.com/Ali_Razmjo0>
> Iran Chapter Leader <https://www.owasp.org/index.php/Iran>
> OWASP ZSC Project Leader
> On Wed, Aug 24, 2016 at 7:43 PM, Matt Tesauro <matt.tesauro at owasp.org>
>> Answering inline for sake of efficiency...
>> TLDR: The Foundation noticed a potential problem, realized that
>> understanding the problem will require expertise it doesn't have and the
>> Foundation is getting the advice from those that do have expertise in that
>> On Wed, Aug 24, 2016 at 9:04 AM, johanna curiel curiel <
>> johanna.curiel at owasp.org> wrote:
>>> Board members,
>>> The following issue was mentioned during the board meeting yesterday:
>>> "Projects, Funding and Iran - Matt Tesauro & Claudia Casanovas
>>> We have several projects with leaders or co-leaders located in Iran.
>>> This makes funding those projects problematic due to the OWASP Foundation
>>> being a US charity and the economic sanctions imposed by the US. For
>>> background, see the US Dept of State Iran Sanction site
>>> <http://www.state.gov/e/eb/tfs/spi/iran/index.htm>. Details of the
>>> projects in question are in the Projects Report for this month, slide 5
>>> *Since any funding of activities in Iran represents a risk to the
>>> Foundation, the staff is asking for the board to determine how the
>>> Foundation will interact with any community members or project leaders
>>> which are located in Iran*"
>>> Now that this issue has been raised after so many years having a
>>> Project Leader from Iran (Abbas Naderi) and even a project leader that was
>>> considered to be part of the board and was a board candidate, I'm
>>> requesting a clarification and solution, meaning that once you have raised
>>> this subject, the situation should be clarified asap.
>> The existence of a risk and the knowledge of that risk being a factor for
>> an entity are two separate things. Let me use an analogy to make this
>> If I drive on a road at 45 miles per hour (mph) without knowing the
>> posted / legal speed limit and that limit is 35 mph, I am at risk of
>> getting a speeding ticket. I could drive for an arbitrary amount of time
>> not realizing the speed limit of that road and therefore not realizing the
>> risk I was taking. If a passenger in the car suggested to me that the
>> speed limit may be lower than 45 mph, I would then be aware of a potential
>> risk and, should I not want a speeding ticket, I would do the work to
>> determine what the speed limit is on that road - and maybe even drive a bit
>> slower until I knew for sure.
>> That is the essence of what has happened here. Timing or the parties
>> involved had nothing to do with the realization that there _may_ be legal
>> problems when the Foundation interacts with parties in Iran. You were on
>> the email thread where this issue was raised - I don't recall who raised
>> the issue but that is, to be honest, irrelevant.
>>> I did consult a lawyer but he mentioned that in this case, being OWASP a
>>> US non-profit foundation, to consult a lawyer knowledgeable in these
>>> matters, not just any lawyer.
>> I am not sure who the 'he' is in the above sentence but the Board, as a
>> whole, took the action to have Kate engage with the law firm the Foundation
>> has retained to look into this matter and determine both what the current
>> laws of the US say about interaction with Iran and what, if any, exposure
>> to legal risk/sanction the Foundation has. I agree with the Board's decision
>> that, since none of us in the Board meeting had any expertise in these
>> matters, utilizing the services of the Foundation's law firm was a valid
>> method to determine our risk and make an informed decision on how best to
>> interact with the OWASP community in Iran.
>> I find it very regrettable that because of actions of various government
>> bodies, we need to take this extra step with the OWASP community in Iran
>> but as much as the Internet has removed borders for communication and
>> information sharing, we all live in one or another country and are subject
>> to that country's laws.
>> I'd also like to note that the fact that the Foundation wants to
>> understand any legal risks that may exist in this case DOES NOT lessen the
>> value the OWASP community places on the contributions from those
>> community members in Iran.
>>> So far, none of the Iranian leaders have received any goods or financial
>>> support from OWASP. There is no commercial exchange between Iranian leaders
>>> and OWASP, however, the restrictions go so far including exchange of
>>> services or goods, or any kind of financial support, such as sponsoring.
>>> In this case, many of the support/services provided by OWASP, could be seen
>>> as an exchange of services.
>>> I'm not a lawyer and since we are talking about a very specific
>>> situation, OWASP needs to define this situation asap because the
>>> consequences for OWASP can be quite big.
>> Nor was anyone on the Board call yesterday, hence the action to reach out
>> to the Foundation retained law firm. I do not know if US law only
>> covers funding or 'material support', nor is speculating particularly
>> useful; hence the use of a lawyer.
>>> *One of the projects that I co-lead, is technically nor can be considered
>>> an 'Iranian' project, so please let's not call it that way. The Projects are
>>> not from Iran, the projects are open source, anyone can reach them and they
>>> are co-led/led by someone from Iran. So please, correct this naming that
>>> brings confusion and the wrong tone to this issue.*
>> I appreciate that, in your opinion the project you co-lead isn't subject
>> to the Iran sanctions, but I'd much prefer to get an opinion from a legal
>> expert - which is what the Foundation is doing.
>>> Given this situation, it is clear that OWASP requires the advice of a
>>> knowledgeable lawyer specialised in these cases, considering also that some
>>> of the sanctions have been lifted and what that means for OWASP if it provides
>>> support of goods or services.
>> Yup. That's exactly what the Board said it was going to do on the call
>> you attended yesterday. The call was recorded and should be posted in the
>> next day or two.
>>> Please let us know asap, the next steps. I hope there are some actions
>>> after this issue has been raised, so Ali and Reza, including me, know what
>>> to expect.
>> Once the Foundation has received advice from their legal firm and
>> understands what, if any, changes need to happen with community members in
>> Iran, we'll not only let those involved know but will document it
>> publicly. O is for Open after all.
>> -- Matt Tesauro
>>> Johanna Curiel
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
> Johanna Curiel
> OWASP Volunteer