[Owasp-board] Fwd: Funding and Iran follow up

johanna curiel curiel johanna.curiel at owasp.org
Thu Aug 25 16:23:04 UTC 2016

Hi Matt,

Thanks for the update, glad to see OWASP is taking hands on the matter.

My partner is a lawyer and has some strong background in international
matters and I asked his opinion about this case.

His first recommendation was to look for a lawyer that has experience with

Like I mentioned, technically speaking, the projects are not from Iran. These
are open source projects under the OWASP umbrella led or co-led by an
Iranian citizen and developed by different people around the world.

Any form of *material support* that OWASP could provide to these Iranian
leaders is what should be defined, and that is quite different
from not providing support to the 'project', because the 'project' is not from
Iran, is open source, under the OWASP umbrella and free to be led or used by

For example, the OWASP PHPGoat project was being led by Abbas Naderi, who is
from Iran. The project went inactive and I took it over with Shivam Dixit
who were early contributors of this project. Does that make this project
from 'Iran'? Clearly not. The project was developed by multiple people
around the world and does not 'belong' to a country. The other thing is the
support that this leader can directly get from the OWASP Foundation, and
that, I think, is the issue here.



On Wed, Aug 24, 2016 at 5:05 PM, Bev Corwin <bev.corwin at owasp.org> wrote:

> Just wondering if anyone remembers - Didn't OWASP have a similar situation
> in one of the African chapters where there were limited sanctions? Didn't
> Paul have a lawyer review it? Are there any records available from that?
> Does anyone know who that lawyer was?
> On Wed, Aug 24, 2016 at 12:04 PM, Matt Tesauro <matt.tesauro at owasp.org>
> wrote:
>> ---------- Forwarded message ----------
>>> From: Ali Razmjoo <ali.razmjoo at owasp.org>
>>> Date: Wed, Aug 24, 2016 at 11:32 AM
>>> Subject: Re: [Owasp-board] Funding and Iran follow up
>>> To: Matt Tesauro <matt.tesauro at owasp.org>
>>> Cc: johanna curiel curiel <johanna.curiel at owasp.org>, OWASP Board List <
>>> owasp-board at lists.owasp.org>, Reza Espargham <reza.espargham at owasp.org>
>>> Hello All,
>>> @Johanna Thank you for this great subject,
>>> After the Iran nuclear deal many of the sanctions were lifted, and BTW I personally
>>> didn't get any support from OWASP yet (just once I used the Google Cloud
>>> service for a few minutes/hours), and just like you said, projects are
>>> open source and mostly hosted on GitHub, there are more contributors from
>>> India and ..., so it shouldn't be any trouble here!
>>> Iranian members are just helping the application security so I don't
>>> think any big consequences are coming for OWASP. Abbas also is living in
>>> Virginia and BTW he isn't present in the Iran community anymore.
>>> Currently OWASP has two active projects which have Irani leaders (VBScan
>>> and ZSC) and both are growing very fast. I think OWASP Board members should
>>> try to find a way to support these projects, in this case by supporting
>>> Iranian or projects or the projects who Iranian are working on, We can have
>>> an appsec conference in Iran soon ...
>>> I understand that right now OWASP can't fund us directly but it could
>>> support and invest in other ways. Sanctions are not stable anymore and I
>>> hope they will be all lifted soon, and OWASP could be the first foreign
>>> community/org to be present here after the political deals.
>>> BTW I don't know what kind of risk you are talking about if there isn't
>>> any economic exchange?!!
>> I don't know of the specific risk and that's the point - these are
>> _potential_ risks.  I've not read the current statutes/laws on the US Iran
>> sanctions.  Even if I had, I am not a lawyer nor is anyone on this list to
>> my knowledge.
>> I do know that there are some sort of sanctions placed on Iran by the US
>> government and the OWASP Foundation is a charity under US law.  I do know
>> that in some cases, the specific language of sanctions in the past has
>> included phrases like "material support" [1] which is more than just
>> financial/funds exchange.  I have no clue if that's part of the current
>> Iran sanctions.
>> Since none of us know or have the specific legal background to make
>> reasonable recommendations, the Foundation is going to talk to those that
>> do.
>> Based on the advice provided by those with legal backgrounds in US law
>> hired by the Foundation, I see one of two things happening:
>> (1) Nothing changes. What we have done in the past is acceptable under US
>> law.
>> (2) Something changes so that the Foundation complies with the current US
>> laws around Iran sanctions.
>> So, please be patient while we gather the information the Board needs to
>> make one of those choices above.
>> [1] Here's a non-authoritative resource on what 'material support' means
>> to get an idea of what _may_ potentially be in scope:
>> https://en.wiktionary.org/wiki/material_support
>> Cheers!
>> -- Matt Tesauro
>>> Sincerely yours,
>>> Ali Razmjoo <https://twitter.com/Ali_Razmjo0>
>>> Iran Chapter Leader <https://www.owasp.org/index.php/Iran>
>>> OWASP ZSC Project Leader
>>> <https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project>
>>> On Wed, Aug 24, 2016 at 7:43 PM, Matt Tesauro <matt.tesauro at owasp.org>
>>> wrote:
>>>> Answering inline for sake of efficiency...
>>>> TLDR:  The Foundation noticed a potential problem, realized that
>>>> understanding the problem will require expertise it doesn't have and the
>>>> Foundation is getting the advice from those that do have expertise in that
>>>> area.
>>>> On Wed, Aug 24, 2016 at 9:04 AM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>> Board members,
>>>>> The following issue was mentioned during the board meeting yesterday:
>>>>> "Projects, Funding and Iran - Matt Tesauro & Claudia Casanovas
>>>>> We have several projects with leaders or co-leaders located in Iran.
>>>>> This makes funding those projects problematic due to the OWASP Foundation
>>>>> being a US charity and the economic sanctions imposed by the US. For
>>>>> background, see the US Dept of State Iran Sanction site
>>>>> <http://www.state.gov/e/eb/tfs/spi/iran/index.htm>. Details of the
>>>>> projects in question are in the Projects Report for this month, slide
>>>>> 5
>>>>> <https://docs.google.com/presentation/d/16III5sOo06KLyjdG2HEa7cA8hOSf9SKsuWbzbgD467s/edit?ts=57bc81b8#slide=id.g112855a4f6_0_14>.
>>>>> *Since any funding of activities in Iran represents a risk to the
>>>>> Foundation, the staff is asking for the board to determine how the
>>>>> Foundation will interact with any community members or project leaders
>>>>> which are located in Iran*"
>>>>> https://www.owasp.org/index.php/August_23,_2016
>>>>> Now that this issue has been raised after so many years having a
>>>>> Project Leader from Iran (Abbas Naderi) and even a project leader that was
>>>>> considered to be part of the board and was a board candidate, I'm
>>>>> requesting a clarification and solution, meaning that once you have raised
>>>>> this subject, the situation should be clarified asap.
>>>> The existence of a risk and the knowledge of that risk being a factor
>>>> for an entity are two separate things.  Let me use an analogy to make this
>>>> clear:
>>>> If I drive on a road at 45 miles per hour (mph) without knowing the
>>>> posted / legal speed limit and that limit is 35 mph, I am at risk of
>>>> getting a speeding ticket.  I could drive for an arbitrary amount of time
>>>> not realizing the speed limit of that road and therefore not realizing the
>>>> risk I was taking.  If a passenger in the car suggested to me that the
>>>> speed limit may be lower than 45 mph, I would then be aware of a potential
>>>> risk and, should I not want a speeding ticket, I would do the work to
>>>> determine what the speed limit is on that road - and maybe even drive a bit
>>>> slower until I knew for sure.
>>>> That is the essence of what has happened here.  Timing or the parties
>>>> involved had nothing to do with the realization that there _may_ be legal
>>>> problems when the Foundation interacts with parties in Iran.  You were on
>>>> the email thread where this issue was raised - I don't recall who raised
>>>> the issue but that is, to be honest, irrelevant.
>>>>> I did consult a lawyer but he mentioned that in this case, being OWASP
>>>>> a US non-profit foundation, to consult a lawyer knowledgeable in these
>>>>> matters, not just any lawyer.
>>>> I am not sure who the 'he' is in the above sentence but the Board, as a
>>>> whole, took the action to have Kate engage with the law firm the Foundation
>>>> has retained to look into this matter and determine both what the current
>>>> laws of the US say about interaction with Iran and what, if any, exposure
>>>> to legal risk/sanction the Foundation has.  I agree with the Board's decision
>>>> that, since none of us in the Board meeting had any expertise in these
>>>> matters, utilizing the services of the Foundation's law firm was a valid
>>>> method to determine our risk and make an informed decision on how best to
>>>> interact with the OWASP community in Iran.
>>>> I find it very regrettable that because of actions of various
>>>> government bodies, we need to take this extra step with the OWASP community
>>>> in Iran but as much as the Internet has removed borders for communication
>>>> and information sharing, we all live in one or another country and are
>>>> subject to that country's laws.
>>>> I'd also like to note that the fact that the Foundation wants to
>>>> understand any legal risks that may exist in this case DOES NOT lessen the
>>>> value the OWASP community places on the contributions from those
>>>> community members in Iran.
>>>>> So far, none of the Iranian leaders have received any goods or
>>>>> financial support from OWASP. There is no commercial exchange between
>>>>> Iranian leaders and OWASP, however, the restrictions go so far including
>>>>> exchange of services or goods, or any kind of financial support, such as
>>>>> sponsoring. In this case, many of the support/services provided by OWASP,
>>>>> could be seen as an exchange of services.
>>>>> I'm not a lawyer and since we are talking about a very specific
>>>>> situation, OWASP needs to define this situation asap because the
>>>>> consequences for OWASP can be quite big.
>>>> Nor was anyone on the Board call yesterday, hence the action to reach
>>>> out to the Foundation retained law firm.  I do not know if US law only
>>>> covers funding or 'material support', nor is speculating particularly
>>>> useful; hence the use of a lawyer.
>>>>> *One of the projects that I co-lead, is technically nor can be
>>>>> considered an 'Iranian' project, so please let's not call it that way. The
>>>>> Projects are not from Iran, the projects are open source, anyone can reach
>>>>> them and they are co-led/led by someone from Iran. So please, correct
>>>>> this naming that brings confusion and the wrong tone to this issue.*
>>>> I appreciate that, in your opinion the project you co-lead isn't
>>>> subject to the Iran sanctions, but I'd much prefer to get an opinion from a
>>>> legal expert - which is what the Foundation is doing.
>>>>> Given this situation, it is clear that OWASP requires the advice of a
>>>>> knowledgeable lawyer specialised in these cases, considering also that some
>>>>> of the sanctions have been lifted and what that means for OWASP if it provides
>>>>> support of goods or services.
>>>> Yup.  That's exactly what the Board said it was going to do on the call
>>>> you attended yesterday.  The call was recorded and should be posted in the
>>>> next day or two.
>>>>> Please let us know asap, the next steps. I hope there are some actions
>>>>> after this issue has been raised, so Ali and Reza, including me, know what
>>>>> to expect.
>>>> Once the Foundation has received advice from their legal firm and
>>>> understands what, if any, changes need to happen with community members in
>>>> Iran, we'll not only let those involved know but will document it
>>>> publicly.  O is for Open after all.
>>>> Cheers!
>>>> -- Matt Tesauro
>>>>> Regards
>>>>> --
>>>>> Johanna Curiel
>>>>> _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>> --
>>> Johanna Curiel
>>> OWASP Volunteer

Johanna Curiel
OWASP Volunteer