<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Yes, Josh is correct. <br>
      <br>
      As documented in our board votes: <br>
      <a href="https://www.owasp.org/index.php/OWASP_Board_Votes">https://www.owasp.org/index.php/OWASP_Board_Votes</a><br>
      <br>
      <table class="prettytable">
        <tbody>
          <tr>
            <td>December 16, 2013
            </td>
            <td>Compliance Officer per <a rel="nofollow"
                class="external text"
                href="https://www.owasp.org/index.php/Governance/Whistleblower_Policy">Whistleblower
                Policy</a> for 2014 - Martin Knobloch, <a
                rel="nofollow" class="external text"
href="http://lists.owasp.org/pipermail/owasp-board/2013-December/012790.html">vote
                on mailing list</a>
            </td>
            <td>Tom, Seba, Dave, Michael, Jim, Eoin
            </td>
            <td>
              <br>
            </td>
            <td> Pass (Unanimous)
            </td>
            <td>December 29, 2013
            </td>
          </tr>
        </tbody>
      </table>
      <br>
      And confirmed during email exchanges, including Eoin's own email:
      <br>
      <a
href="http://lists.owasp.org/pipermail/owasp-board/2013-December/012797.html">http://lists.owasp.org/pipermail/owasp-board/2013-December/012797.html</a><br>
      <br>
      Best wishes, Tobias<br>
      <br>
      <br>
      Tobias Gondrom<br>
      Owasp Global Board<br>
      Secretary of the Board<br>
      <br>
      <br>
      <br>
      On 27/02/14 20:37, Josh Sokol wrote:<br>
    </div>
    <blockquote
cite="mid:CAFwvDez2yCsCxUzeYZxMA9egHEqeg6ebhGJqd1uLHW1s5tho=g@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>Ummmm....to my understanding there is no "Whistleblower"
          role.  Only the "Compliance Officer" who supports our
          Whistleblower Policy.  This is what we voted on to my
          recollection.<br>
          <br>
        </div>
        ~josh<br>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Thu, Feb 27, 2014 at 1:38 PM, Eoin
          Keary <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:eoin.keary@owasp.org" target="_blank">eoin.keary@owasp.org</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="auto">
              <div>Hi Josh, no we appointed him as whistleblower. I
                suggested him for the role. This role is different. 
                <div class="">
                  <br>
                  <br>
                  Eoin Keary
                  <div>Owasp Global Board</div>
                  <div><a moz-do-not-send="true"
                      href="tel:%2B353%2087%20977%202988"
                      value="+353879772988" target="_blank">+353 87 977
                      2988</a></div>
                  <div><br>
                  </div>
                </div>
              </div>
              <div>
                <div class="h5">
                  <div><br>
                    On 27 Feb 2014, at 18:23, Josh Sokol &lt;<a
                      moz-do-not-send="true"
                      href="mailto:josh.sokol@owasp.org" target="_blank">josh.sokol@owasp.org</a>&gt;
                    wrote:<br>
                    <br>
                  </div>
                  <blockquote type="cite">
                    <div>
                      <div dir="ltr">
                        <div>
                          <div>It sounds like you and I agree on the
                            intent of the document as well as the
                            general process.  I think that we should
                            work on clarifying the language so that it
                            explicitly says what we intend it to say and
                            present that clarification to the Governance
                            list.  Tom provided a link with some
                            excellent examples of policies that are far
                            more thorough and better worded than what
                            exists today.  I suggest that we use them as
                            a starting point to overhaul this document.<br>
                            <br>
                          </div>
                          Eoin, we unanimously appointed Martin into the
                          role of Compliance Officer for 2014.  I'm not
                          sure what your question/statement is.<br>
                          <br>
                        </div>
                        ~josh<br>
                      </div>
                      <div class="gmail_extra"><br>
                        <br>
                        <div class="gmail_quote">
                          On Thu, Feb 27, 2014 at 12:06 PM, Tobias <span
                            dir="ltr">&lt;<a moz-do-not-send="true"
                              href="mailto:tobias.gondrom@owasp.org"
                              target="_blank">tobias.gondrom@owasp.org</a>&gt;</span>
                          wrote:<br>
                          <blockquote class="gmail_quote"
                            style="margin:0 0 0 .8ex;border-left:1px
                            #ccc solid;padding-left:1ex">
                            <div bgcolor="#FFFFFF" text="#000000">
                              <div>Josh, <br>
                                <br>
                                 I agree. Simply the aspect that we have
                                two differing interpretations of the
                                same document is an indicator that the
                                document is probably ambiguous and we
                                need to fix the document. <br>
                                <br>
                                Regarding using a form and/or email: I
                                have no strong opinion on that. Whatever
                                works best. <br>
                                I like structure, too. <br>
                                <br>
                                Regarding your point #2, I added a
                                comment inline below. <br>
                                <br>
                                Best, Tobias<br>
                                <br>
                                <br>
                                Ps.: btw. if we reword this document,
                                this email discussion should probably be
                                forwarded to the governance list.  <br>
                                <div> <br>
                                  <br>
                                  <br>
                                  On 27/02/14 17:39, Josh Sokol wrote:<br>
                                </div>
                              </div>
                              <div>
                                <blockquote type="cite">
                                  <div dir="ltr">
                                    <div>
                                      <div>
                                        <div>
                                          <div>
                                            <div>
                                              <div>Tobias,<br>
                                                <br>
                                              </div>
                                              1) What the form would add
                                              is enforcement of
                                              structure and process.  It
                                              makes it very clear what
                                              information is required in
                                              order to "blow the
                                              whistle".  If the
                                              information is missing,
                                              then the request is
                                              invalid.  Black and
                                              white.  This suggestion
                                              came from Martin, not from
                                              me.  I was restating and I
                                              am supportive of this as
                                              it allows him to apply a
                                              binary operation to
                                              determining which requests
                                              have enough information in
                                              order to investigate
                                              further.<br>
                                              <br>
                                            </div>
                                            As for the purpose of
                                            blowing the whistle without
                                            exposing oneself, this can
                                            still easily be handled
                                            through the process.  Rather
                                            than providing a name, this
                                            can be made optional.  If no
                                            name is provided, and no
                                            further contact is
                                            initiated, then the request
                                            would be evaluated for
                                            completeness and entertained
                                            based on the data provided. 
                                            If no name is provided, but
                                            contact is initiated in
                                            private with Martin, then
                                             the source could remain
                                            anonymous, but the
                                            allegation would be
                                            disclosed.  It is Martin's
                                            role to ensure that "whistle
                                            blowing" activities do not
                                             result in retaliation.<br>
                                            <br>
                                          </div>
                                          2) I don't think we have the
                                          same interpretation of the
                                          written document which leads
                                          me to believe that it is
                                          unclear and requires
                                          modification for clarification
                                          of intent.  When I read it, I
                                          see "The OWASP Foundation’s
                                          Compliance Officer will notify
                                          the person who submitted a
                                          complaint and acknowledge
                                          receipt of the reported
                                          violation or suspected
                                          violation. All reports will be
                                          promptly investigated and
                                          appropriate corrective action
                                          will be taken if warranted by
                                          the investigation."  To me,
                                          this says that the Compliance
                                          Officer will investigate and
                                          provide corrective action as
                                          well if warranted. 
                                          Investigation = Judge,
                                          Determination = Jury,
                                          Corrective Action =
                                          Executioner.  I agree that a
                                          report will be provided to the
                                          Board, but this policy
                                          specifies far more than just
                                          that.<br>
                                        </div>
                                      </div>
                                    </div>
                                  </div>
                                </blockquote>
                                <br>
                              </div>
                              Please keep in mind, that the "OWASP
                               Whistleblower &amp; Anti-Retaliation
                              Policy" is not only about describing the
                              role of the compliance officer but about
                              how OWASP as an organisation handles such
                              cases overall, with the Compliance officer
                              being one part / mechanism of it. <br>
                              So actually with that overall scope, if
                              you look at the two sentences in detail,
                              this reads: <br>
                              First sentence: "... the compliance
                              officer will notify the person... "
                              (action done by the officer)<br>
                              Second sentence: "All reports will be
                              promptly investigated and appropriate
                              corrective action will be taken if
                              warranted by the investigation." Note
                              passive voice. This is not only about the
                              compliance officer. The org including the
                              officer shall investigate promptly. And it
                              does not mean corrective actions are taken
                              by the compliance officer, but by the
                              organisation, i.e. whoever is empowered
                              from the organisation to take such
                              actions. For operational questions, that
                              might be the ED, for general issues this
                              would be the board. <br>
                              <div> <br>
                                <blockquote type="cite">
                                  <div dir="ltr">
                                    <div>
                                      <div>
                                        <div> <br>
                                        </div>
                                        3) I agree that this should be
                                        the end result.  I think that
                                        the current policy implies that
                                        not only does the Compliance
                                        Officer make this report, but
                                        also takes some action including
                                        determination and punishment. 
                                        Sounds like we agree that this
                                        should not be the case?<br>
                                        <br>
                                      </div>
                                      I believe I understand the intent
                                      of the policy and am 100% behind
                                      that.  I think that we need to
                                      clearly define the process here so
                                      that Martin, or any future
                                      Compliance Officer, is aware of
                                      how it should work from start to
                                       end, what our expectations are
                                      for him, and how those
                                      expectations affect the
                                      investigation which he is
                                      conducting.<br>
                                    </div>
                                  </div>
                                </blockquote>
                                <br>
                              </div>
                              I agree. <br>
                              <div>
                                <div> <br>
                                  <blockquote type="cite">
                                    <div dir="ltr">
                                      <div> <br>
                                      </div>
                                      ~josh<br>
                                    </div>
                                    <div class="gmail_extra"><br>
                                      <br>
                                      <div class="gmail_quote">On Thu,
                                        Feb 27, 2014 at 11:18 AM, Tobias
                                         <span dir="ltr">&lt;<a
                                             moz-do-not-send="true"
                                             href="mailto:tobias.gondrom@owasp.org"
                                             target="_blank">tobias.gondrom@owasp.org</a>&gt;</span>
                                        wrote:<br>
                                        <blockquote class="gmail_quote"
                                          style="margin:0 0 0
                                          .8ex;border-left:1px #ccc
                                          solid;padding-left:1ex">
                                          <div bgcolor="#FFFFFF"
                                            text="#000000">
                                            <div>Hi Josh, <br>
                                              <br>
                                              my understanding is the
                                              following: <br>
                                              1. the main purpose of
                                              compliance officer is to
                                              allow people to "blow the
                                              whistle" without exposing
                                              themselves (if they fear
                                               retaliation), i.e. someone
                                              can send an email to him
                                              in confidence via <a
                                                moz-do-not-send="true"
                                                href="mailto:compliance@owasp.org"
                                                target="_blank">compliance@owasp.org</a>
                                              without exposing oneself.
                                              Note: I am not sure a
                                              google form would add
                                              anything beyond the email
                                              we already have, in fact
                                              one might feel that it
                                              rather is more risky of
                                               losing confidentiality
                                              with the form than a
                                               simple email. So I am not
                                              sure what the form would
                                              add. <br>
                                              <br>
                                              This is mainly for
                                              purposes if there are
                                              issues with staff or
                                              financial or accounting
                                              issues. E.g. a staff
                                               member would find an
                                              accounting irregularity or
                                              potentially fraudulent
                                              behaviour and wants to
                                              report the issue and the
                                              evidence in confidence to
                                              avoid retaliation from the
                                              suspected person (that is
                                              if that person is in a
                                              position to exercise such
                                              retaliation). <br>
                                              <br>
                                              2. Second, based on the
                                              written document, my
                                              understanding is that the
                                              compliance officer is
                                              investigator and advisor,
                                              but not judge. In several
                                              places, the policy states
                                              clearly that the
                                              compliance officer works
                                              on behalf of the board and
                                              provides the report to the
                                              board for judgement. <br>
                                              One edge case might be if
                                              the compliance officer
                                              finds proof that the board
                                              itself would act in a
                                              fraudulent way, in which
                                              case, I would expect the
                                              Compliance officer to
                                              report this to the
                                              community and the police -
                                              along with the found
                                              evidence. <br>
                                              <br>
                                              3. The end result from the
                                              compliance officer is his
                                              report to the board,
                                              preferably with a
                                              recommendation. <br>
                                              (note again: the key
                                              feature is that the
                                              compliance officer may
                                              leave out the identity of
                                              the reporting person in
                                              his report - not the
                                              evidence itself uncovered
                                              in his investigation - to
                                              protect that person from
                                              retaliation.)<br>
                                              <br>
                                              This is basically the
                                              standard compliance
                                              officer / whistle blower
                                              scenario for
                                              organisations. If you and
                                              Martin feel that the
                                              current policy is not
                                              clear enough on the
                                              purpose and scope of the
                                              role or ambiguous, the
                                              board should indeed
                                              clarify it. <br>
                                              <br>
                                              Best regards, Tobias
                                              <div>
                                                <div><br>
                                                  <br>
                                                  <br>
                                                  <br>
                                                  On 27/02/14 14:54,
                                                  Josh Sokol wrote:<br>
                                                </div>
                                              </div>
                                            </div>
                                            <blockquote type="cite">
                                              <div>
                                                <div>
                                                  <div dir="ltr">
                                                    <div>
                                                      <div>
                                                        <div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>Board,<br>
                                                          <br>
                                                          </div>
                                                          I have been
                                                          speaking with
                                                          Martin in
                                                          private in an
                                                          attempt to
                                                          clarify my
                                                          understanding
                                                          of the role of
                                                          the compliance
                                                          officer and
                                                          the processes
                                                          involved.  It
                                                          sounds like,
                                                          to some
                                                          extent, we are
                                                          expecting him
                                                          to develop the
                                                          process,
                                                          instead of
                                                          regulate and
                                                          enforce it,
                                                          and this
                                                          doesn't seem
                                                          fair or
                                                          correct as the
                                                          act of
                                                          creating the
                                                          process could
                                                          actually
                                                          create
                                                          accusations of
                                                          bias.  As
                                                          such, I think
                                                          that it is
                                                          reasonable for
                                                          the Board to
                                                          discuss what
                                                          this process
                                                          should look
                                                          like beginning
                                                          with intake,
                                                          inclusive of
                                                          investigation,
                                                          and ending
                                                          with the
                                                          resolution. 
                                                          Some important
                                                          questions:<br>
                                                          <br>
                                                          1) How is the
                                                          complaint
                                                          initiated?<br>
                                                          <br>
                                                          I think that
                                                          we should
                                                          strongly
                                                          discourage
                                                          allegations on
                                                           the public
                                                          mailing lists
                                                          as accusations
                                                          will lead to
                                                          conflict which
                                                          leads to
                                                          chaos.  Yoda
                                                          said that,
                                                          right?  In any
                                                          case, Martin
                                                          had an
                                                          excellent idea
                                                          to create a
                                                          form
                                                          requesting
                                                          specific
                                                          information
                                                          from the
                                                          accuser.  If
                                                          the form is
                                                          not completed
                                                          properly, then
                                                          I think it is
                                                          fair for the
                                                          Compliance
                                                          Officer to
                                                          either request
                                                          additional
                                                          information if
                                                          the source is
                                                          known or
                                                          discard it if
                                                          the source is
                                                          not known.  My
                                                          suggestion was
                                                          to have this
                                                          form go to <a
moz-do-not-send="true" href="mailto:compliance@owasp.org"
                                                          target="_blank">compliance@owasp.org</a>
                                                          which would be
                                                          the new
                                                          mailing list
                                                          (I'm not sure
                                                          I like
                                                          "ombud"). 
                                                          This way the
                                                          Board and
                                                          others could
                                                          stay in the
                                                          loop on the
                                                          public facing
                                                          side, which
                                                          includes the
                                                          original
                                                          allegation,
                                                          but will
                                                          continue to
                                                          allow the
                                                          compliance
                                                          officer to
                                                          perform the
                                                          investigation
                                                          from there.<br>
                                                          <br>
                                                          </div>
                                                          2) The
                                                          reporting
                                                          procedure (<a
moz-do-not-send="true"
href="https://www.owasp.org/index.php/Governance/Whistleblower_Policy#Reporting_Procedure"
target="_blank">https://www.owasp.org/index.php/Governance/Whistleblower_Policy#Reporting_Procedure</a>)
                                                          says that
                                                          people are
                                                          required to
                                                          report their
                                                          complaints to
                                                          the Compliance
                                                          Officer who
                                                          then has the
                                                          responsibility
                                                          to investigate
                                                          all reported
                                                          complaints. 
                                                          Is the
                                                          Compliance
                                                          officer
                                                          required to
                                                          notify anyone
                                                          at the time of
                                                          complaint or
                                                          at any point
                                                          during the
                                                          process?<br>
                                                          <br>
                                                          My personal
                                                          feeling is
                                                          that, as with
                                                          any system,
                                                          there should
                                                          be checks and
                                                          balances, so I
                                                          feel like this
                                                          activity
                                                          should not be
                                                          run completely
                                                          in a vacuum. 
                                                          I believe that
                                                          the Compliance
                                                          Officer should
                                                          be required to
                                                          report the
                                                          complaint to
                                                          the Board (not
                                                          necessarily
                                                          the person who
                                                          reported it
                                                          unless
                                                          relevant) and
                                                          should be
                                                          required to
                                                          maintain
                                                          evidence of
                                                          the
                                                          investigation
                                                          for review by
                                                          the Board. 
                                                          I'm fine with
                                                          the
                                                          investigation
                                                          itself being a
                                                          relative black
                                                          box, but
                                                          evidence,
                                                          along with the
                                                          recommendation,
                                                          should be
                                                          provided to
                                                          the Board as
                                                          the end
                                                          result.<br>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          3) What is the
                                                          end result of
                                                          the Compliance
                                                          Officer's
                                                          investigation?<br>
                                                          <br>
                                                        </div>
                                                        The way this
                                                        whistleblower
                                                        policy currently
                                                        reads
                                                        "appropriate
                                                        corrective
                                                        action will be
                                                        taken if
                                                        warranted by the
                                                        investigation"
                                                        and "the
                                                        Compliance
                                                        Officer will
                                                        complete a final
                                                        report noting
                                                        the actors
                                                        involved,
                                                        allegations,
                                                        remediation
                                                        actions, and
                                                        rationale for
                                                        the
                                                        determination". 
                                                        So, to be clear,
                                                        the policy today
                                                        not only has the
                                                        Compliance
                                                        Officer
                                                        receiving the
                                                        complaint, but
                                                        performing the
                                                        investigation,
                                                        and doling out
                                                        the punishment. 
                                                        In effect, we
                                                        have made the
                                                        Compliance
                                                        Officer judge,
                                                        jury, and
                                                        executioner. 
                                                        Our unbiased
                                                        Compliance
                                                        Officer can no
                                                        longer maintain
                                                        his objectivity
                                                        in future
                                                        investigations
                                                        if he is
                                                        responsible for
                                                        all three of
                                                        these roles.  In
                                                        my opinion, the
                                                        Compliance
                                                        Officer should,
                                                        in the end,
                                                        provide a report
                                                        to the Board
                                                        with a
                                                        recommendation
                                                        and rationale
                                                        for the
                                                        determination as
                                                        well as
                                                        supporting
                                                        evidence that
                                                        they considered
                                                        to make that
                                                        decision.  This
                                                        report should be
                                                        made public, on
                                                        the compliance
                                                        mailing list. 
                                                        Then, the Board
                                                        should vote (if
                                                        necessary) on
                                                        the result.  <br>
                                                        <br>
                                                      </div>
                                                      Am I way off base
                                                      here or does this
                                                      make sense? 
                                                      Please discuss.<br>
                                                      <br>
                                                    </div>
                                                    ~josh<br>
                                                  </div>
                                                  <br>
                                                  <fieldset></fieldset>
                                                  <br>
                                                </div>
                                              </div>
                                              <pre>_______________________________________________
Owasp-board mailing list
<a moz-do-not-send="true" href="mailto:Owasp-board@lists.owasp.org" target="_blank">Owasp-board@lists.owasp.org</a>
<a moz-do-not-send="true" href="https://lists.owasp.org/mailman/listinfo/owasp-board" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-board</a>
</pre>
                                            </blockquote>
                                            <br>
                                          </div>
                                        </blockquote>
                                      </div>
                                      <br>
                                    </div>
                                  </blockquote>
                                  <br>
                                </div>
                              </div>
                            </div>
                          </blockquote>
                        </div>
                        <br>
                      </div>
                    </div>
                  </blockquote>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </body>
</html>