[Owasp-board] Fwd: [Owasp-leaders] [balint:6264] Project Sponshorship, Support, and Finance

Josh Sokol josh.sokol at owasp.org
Mon Dec 11 03:08:55 UTC 2017

This is the first time I've heard anything about this and I'd imagine the
same for the rest of the Board.  Karen, can you please speak with Steve and
the staff to find out what is going on?  Thanks!


---------- Forwarded message ----------
From: Timur 'x' Khrotko [owasp] <timur at owasp.org>
Date: Sun, Dec 10, 2017 at 1:45 PM
Subject: Re: [Owasp-leaders] [balint:6264] Project Sponshorship, Support,
and Finance
To: Steve Springett <steve.springett at owasp.org>
Cc: "owasp-leaders at lists.owasp.org" <owasp-leaders at lists.owasp.org>

Steve, I'm just a naive spectator of your story.

First of all my impression is that it's better to postpone your negative
decisions. Let your email be the first note, which gives a chance to OWASP
to explain the situation or apologize for it, and probably start a change
in its procedures. I personally would regret if you pulled your projects
out of the OWASP umbrella.

Second, again naively my understanding is that money given to OWASP but
addressed to your project are to be managed by your project like from the
next day it lands at OWASP. The money of the mature and "blessed" projects
should be under their disposal w/o any bureaucratic overhead. The project
should be given a sheet of exact rules how to use the money properly. The
proper handling of the money should be assisted by OWASP but not managed,
and the proper handling should be audited in details ex post. May you steal
the money discuss it with a policeman then. May you break the rules, your
blessed status can be suspended. Otherwise it's your little enterprise
under the OWASP umbrella, diy. The technical means for such distributed
money management are present, even Revolut can be a solution for quick
setup of an account and a card.

There was so many talking regarding the huge OWASP budgets that just sit on
the account not being addressed. So let's make the use of the well
addressed money straight forward if not yet so.

Thank you for the projects, best wishes,

On Sun, Dec 10, 2017 at 7:18 PM Steve Springett <steve.springett at owasp.org>

> One of the primary reasons why I choose to participate in OWASP projects
> as well as start my own is the support that the OWASP organization provides
> including the wiki, appsec activities, and project sponsorship.
> The decision to have donated multiple open source projects to OWASP has
> been tested over the past month without acceptable results.
> As many of you know, I have been heavily involved in Dependency-Check
> since 2012 and started Dependency-Track in 2013. Dependency-Track v3 (to be
> released in Q1 2018) will be the result of an entire year of work which has
> resulted in the creation of several supporting and smaller projects and
> many enhancements to Dependency-Check along the way.
> One of those smaller supporting projects is actually a big deal to a
> specific vulnerability intelligence vendor. I am working to incorporate the
> service the vendor provides as an optional feature into both
> Dependency-Check and Dependency-Track in an effort to bring additional
> capabilities to these projects on par with their commercial counterparts.
> The vendor in turn, chose to sponsor Dependency-Track, an act that I
> thought was very kind and very much appreciated that would actually benefit
> both the Dependency-Check and Dependency-Track projects as a result.
> The vendor informed me on November 3rd they made the donation and I
> immediately reached out to OWASP accounting and a few other individuals
> throughout the course of November including communications on November 4th,
> November 8th, November 10th, and November 28th. My purpose for this email
> is NOT to point fingers at individuals. Relying on a single person in an
> organization instead of an agreed upon process supported by leadership
> makes OWASP no better than a recent CEO pointing fingers at a single person
> for not applying a patch. It’s absurd and laughable. If relying on a single
> person is strategic, that strategy is flawed and needs to be fixed.
> Five weeks after the vendor made the contribution to sponsor the project
> and I still have not heard any details from OWASP about the nature of the
> contribution - even though the vendor shared those details with me.
> Five weeks after the vendor made the contribution and I still am not able
> to publicly thank them for their contribution.
> Five weeks after the vendor made the contribution and I’m still not able
> to follow the guidelines outlined in https://www.owasp.org/index.
> php/Project_Sponsorship_Operational_Guidelines.
> Providing details on the contribution is required if OWASP expects to have
> project sponsorship. Even an answer that the contribution was made in error
> and was a general contribution instead would be an acceptable answer. No
> answer at all is not acceptable and I question OWASP’s ability to provide
> project sponsorship in the first place.
> The contribution was made using the same/similar mechanism the OWASP
> Defect Dojo project uses. I question if that project, or any other project
> using this method have received the support they deserve.
> If the donor didn’t inform me of their contribution, I would likely never
> know about this situation. This is not the type of organization I want to
> continue to be associated with.
> I am asking for a thorough review, not only on the Dependency-Track
> project, but on all projects that use this method of donation.
> I have not decided whether or not to continue donating my projects to
> OWASP or not. At risk for being pulled from OWASP are:
> Dependency-Check Jenkins plugin
> Dependency-Check SonarQube plugin
> Dependency-Track
> In all cases however, I will be removing the OWASP name from the above
> projects.
>> *Steve Springett*
> About:   https://about.me/stevespringett
> GitHub:   https://github.com/stevespringett
> Keybase:   https://keybase.io/stevespringett   <https://www.owasp.org>
> This message may contain confidential information - you should handle it
> accordingly.
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

secmachine․net #wepowersecdev

OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20171210/40814b27/attachment.html>

More information about the Owasp-board mailing list