<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">Hi all, <br>
      <br>
      I think travel to have meetings in person about complaints is not
      feasible for an organisation of our size. <br>
      We are a global organisation and complaints are coming from
      anywhere. So only under special circumstances should we make the
      financial investment to arrange travel for face-2-face meetings. <br>
      And we use skype/Google hangout for all other operations, so it
      would be overdoing it to spend money on travel to see face to face
      complaining parties. <br>
      <br>
      Looking at the amount of complaints work coming in over the last
      24 months, I would agree that a compliance team would be more
      suitable to allow for a timely resolution and to share the burden
      across several people. <br>
      <br>
      Best, Tobias<br>
      <br>
      <br>
      <br>
      <br>
      On 17/11/14 06:32, Bil Corry wrote:<br>
    </div>
    <blockquote cite="mid:000001d00284$1c14d3d0$543e7b70$@owasp.org"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=windows-1252">
      <meta name="Generator" content="Microsoft Word 14 (filtered
        medium)">
      <style><!--
/* Font Definitions */
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";
        color:black;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
pre
        {mso-style-priority:99;
        mso-style-link:"HTML Preformatted Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:10.0pt;
        font-family:"Courier New";
        color:black;}
span.HTMLPreformattedChar
        {mso-style-name:"HTML Preformatted Char";
        mso-style-priority:99;
        mso-style-link:"HTML Preformatted";
        font-family:Consolas;
        color:black;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:"Arial","sans-serif";
        color:black;
        font-weight:normal;
        font-style:normal;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Arial","sans-serif";color:black">This
            may be of interest:<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Arial","sans-serif";color:black"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Arial","sans-serif";color:black">IETF
            Anti-Harassment Procedures<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Arial","sans-serif";color:black"><a
              moz-do-not-send="true"
href="http://datatracker.ietf.org/doc/draft-farrresnickel-harassment/?include_text=1">http://datatracker.ietf.org/doc/draft-farrresnickel-harassment/?include_text=1</a><o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Arial","sans-serif";color:black"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Arial","sans-serif";color:black">-
            Bil<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Arial","sans-serif";color:black"><o:p> </o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #B5C4DF
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
                <a class="moz-txt-link-abbreviated" href="mailto:owasp-board-bounces@lists.owasp.org">owasp-board-bounces@lists.owasp.org</a>
                [<a class="moz-txt-link-freetext" href="mailto:owasp-board-bounces@lists.owasp.org">mailto:owasp-board-bounces@lists.owasp.org</a>] <b>On
                  Behalf Of </b>Jim Manico<br>
                <b>Sent:</b> Saturday, November 15, 2014 3:02 AM<br>
                <b>To:</b> Martin Knobloch; Andrew van der Stock<br>
                <b>Cc:</b> OWASP Foundation Board List; Matt Konda<br>
                <b>Subject:</b> Re: [Owasp-board] OWASP Whistleblower
                Policy Updates<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal" style="margin-bottom:12.0pt">I think the
          answer here is to turn the "compliance officer" role into a
          "compliance committee". This is to much for one person.<br>
          <br>
          > I would be, to a certain extend and only if there is a
          clear benefit, be willing to travel. But is the board okay
          with the additional expenses?<br>
          <br>
          This seems rather expensive, both in your lost work time and
          in travel costs. Do you think something like online video
          would suffice?<br>
          <br>
          Thank you, Martin.<br>
          - Jim<br>
          <br>
          <o:p></o:p></p>
        <div>
          <p class="MsoNormal">On 11/13/14 5:38 PM, Martin Knobloch
            wrote:<o:p></o:p></p>
        </div>
        <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
          <div>
            <div>
              <div>
                <div>
                  <div>
                    <div>
                      <div>
                        <p class="MsoNormal"
                          style="margin-bottom:12.0pt">Andrew, Josh,<o:p></o:p></p>
                      </div>
                      <p class="MsoNormal">I like your comments Andrew
                        and am definitely in favor of a soon as possible
                        investigation and closing of matters.
                        Unfortunately, it is as Josh says, as volunteer
                        I do not have the resources to guarantee this.<o:p></o:p></p>
                    </div>
                    <p class="MsoNormal" style="margin-bottom:12.0pt">On
                      the other hand, some issues are just not possible
                      to solve inside the suggested time limit of 90
                      days. Reasons for that can be dependencies like
                      court procedures etc. Of course, luckily we can
                      consider those as exceptions to the rule.<o:p></o:p></p>
                  </div>
                  <p class="MsoNormal" style="margin-bottom:12.0pt">So,
                    for the first point, if a 90 day closure is wanted,
                    I would need to occasionally drop assignments in
                    order to full-fill this expectations. Of course,
                    thereby I would loos income. With other words, on a
                    volunteer-base this is not possible.<o:p></o:p></p>
                </div>
                <p class="MsoNormal">One thing, this has been discussed
                  earlier, there would also be the option of seeing
                  people in person in order to solve matters. Downside
                  would be (next to loosing assignments as said before) 
                  travel expenses.<o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal">I would be, to a certain extend and
                  only if there is a clear benefit, be willing to
                  travel. But is the board okay with the additional
                  expenses?<o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal">Of course, there is still the
                  matter of lost of income.<o:p></o:p></p>
              </div>
              <div>
                <p class="MsoNormal"><o:p> </o:p></p>
              </div>
              <p class="MsoNormal">Cheers,<o:p></o:p></p>
            </div>
            <p class="MsoNormal">-martin<o:p></o:p></p>
          </div>
          <div>
            <p class="MsoNormal"><o:p> </o:p></p>
            <div>
              <p class="MsoNormal">On Thu, Nov 13, 2014 at 8:19 AM,
                Andrew van der Stock <<a moz-do-not-send="true"
                  href="mailto:vanderaj@owasp.org" target="_blank">vanderaj@owasp.org</a>>
                wrote:<o:p></o:p></p>
              <div>
                <p class="MsoNormal">Actually thinking more about
                  whistleblower policies, I know that my soon to be
                  ex-employer not only has confidentiality around this
                  but also an anonymous tip off box so as to encourage
                  free and frank disclosure of difficult topics.
                  Sunshine is the best disinfectant is as the saying
                  goes, and I don't mind sunshine being let in.  <o:p></o:p></p>
                <div>
                  <p class="MsoNormal"><o:p> </o:p></p>
                </div>
                <div>
                  <p class="MsoNormal">Considering the desired outcomes
                    of blowing the whistle is to provide tip offs about
                    poor behavior or not so nice activities and possibly
                    about those who wield some power within the
                    organisation, I think confidentiality is actually
                    important to provide a layer of protection for those
                    willing to put in a complaint. So please ignore me
                    on confidentiality. <o:p></o:p></p>
                </div>
                <div>
                  <p class="MsoNormal"><o:p> </o:p></p>
                </div>
                <div>
                  <p class="MsoNormal">As you say, I think as long as
                    the process is demonstrably fair and balanced, and
                    the results communicated publicly, that is in my
                    view sufficient. Let's not worry about it.<o:p></o:p></p>
                </div>
                <div>
                  <p class="MsoNormal"><o:p> </o:p></p>
                </div>
                <div>
                  <p class="MsoNormal">thanks,<o:p></o:p></p>
                </div>
                <div>
                  <p class="MsoNormal">Andrew<o:p></o:p></p>
                </div>
              </div>
              <div>
                <div>
                  <div>
                    <p class="MsoNormal"><o:p> </o:p></p>
                    <div>
                      <p class="MsoNormal">On Thu, Nov 13, 2014 at 4:39
                        PM, Josh Sokol <<a moz-do-not-send="true"
                          href="mailto:josh.sokol@owasp.org"
                          target="_blank">josh.sokol@owasp.org</a>>
                        wrote:<o:p></o:p></p>
                      <div>
                        <div>
                          <div>
                            <div>
                              <p class="MsoNormal"
                                style="margin-bottom:12.0pt">The
                                confidentiality piece is an interesting
                                one and I feel like it really becomes a
                                situational thing.  My biggest concern
                                is that when initially disclosed, an
                                accusation feels more like an attack to
                                the accused, but without the ability to
                                defend oneself.  On the other end, you
                                have people who feel like a public
                                ruling is a violation of our code of
                                ethics because it can "injure and
                                impugn" their professional reputation. 
                                That said, we are an open organization
                                and having a truly transparent process
                                fits that mold.  But then again, what
                                about a more personal situation
                                involving sexual harassment or similar? 
                                Publicly disclosing that could lead to
                                unwanted embarrassment.  I'll be the
                                first one to say that I don't have a
                                good answer here and would be willing to
                                listen if someone feels passionately
                                about it one way or the other.<o:p></o:p></p>
                            </div>
                            <p class="MsoNormal"
                              style="margin-bottom:12.0pt">I like the
                              general idea of imposing a time limit for
                              the reasons you mentioned.  My concern is
                              that our Compliance Officer is only one
                              person and can be handling multiple issues
                              at one time.  We also have to keep in mind
                              that they are 100% volunteer in this
                              capacity and putting time constraints on
                              them could be very stressful and lead to a
                              less effective investigation in order to
                              fit it in the timeframe.  I'm not sure how
                              much sense it would make to time-box this.<o:p></o:p></p>
                          </div>
                          <p class="MsoNormal"
                            style="margin-bottom:12.0pt">Yes, you are
                            right.  Independence, not neutrality, is
                            really the more fitting word here.  I've
                            changed it.  Thanks for your feedback.  I
                            love your passion Andrew!<o:p></o:p></p>
                        </div>
                        <p class="MsoNormal"><span style="color:#888888">~josh</span><o:p></o:p></p>
                      </div>
                      <div>
                        <div>
                          <div>
                            <p class="MsoNormal"><o:p> </o:p></p>
                            <div>
                              <p class="MsoNormal">On Wed, Nov 12, 2014
                                at 10:57 PM, Andrew van der Stock <<a
                                  moz-do-not-send="true"
                                  href="mailto:vanderaj@owasp.org"
                                  target="_blank">vanderaj@owasp.org</a>>
                                wrote:<o:p></o:p></p>
                              <div>
                                <p class="MsoNormal">The policy is big
                                  on keeping things confidential. Now I
                                  do think this can be helpful to
                                  diffuse hot tempers, but is it
                                  actually necessary? I am happy if this
                                  is a policy that is adopted from a
                                  formal DRP or whistleblowers policy,
                                  and that's the norm for this type of
                                  policy. <o:p></o:p></p>
                                <div>
                                  <p class="MsoNormal"><o:p> </o:p></p>
                                </div>
                                <div>
                                  <p class="MsoNormal">Time limits. It
                                    always seems like Australia is a
                                    breeding ground for bush lawyers,
                                    but one of the issues we had over
                                    the last three years is a sports
                                    doping scandal. The regulator took a
                                    very long time to come to a
                                    conclusion. Should the policy put in
                                    guidelines for timely conclusions? I
                                    would like to see all investigations
                                    investigated and finalised within 90
                                    days to be fair on the person being
                                    investigated as well as provide a
                                    timly outcome for those whose
                                    complaints are upheld. Is this
                                    possible and still maintain quality
                                    of results?<o:p></o:p></p>
                                </div>
                                <div>
                                  <p class="MsoNormal"><o:p> </o:p></p>
                                </div>
                                <div>
                                  <p class="MsoNormal">Lastly, I think
                                    "neutrality" is a good goal, but
                                    independence is the word I think you
                                    mean when the policy says "neutral".
                                    The compliance officer not only
                                    needs to be independent, so as to
                                    enable investigations where
                                    Foundation or Board members are the
                                    complainants or the subject of an
                                    investigation, but also they need to
                                    be strong enough to resist efforts
                                    to compromise their independence,
                                    such as limiting scope of
                                    investigations (such as restricting
                                    the time or the nature of the
                                    complaint). I strongly feel that the
                                    Compliance Officer should be able to
                                    set their own terms of reference and
                                    run the complaints process without
                                    interference. <span
                                      style="color:#888888"><o:p></o:p></span></p>
                                  <div>
                                    <div>
                                      <p class="MsoNormal"><span
                                          style="color:#888888"><o:p> </o:p></span></p>
                                    </div>
                                    <div>
                                      <p class="MsoNormal"><span
                                          style="color:#888888">Andrew<o:p></o:p></span></p>
                                    </div>
                                  </div>
                                </div>
                              </div>
                              <div>
                                <div>
                                  <div>
                                    <p class="MsoNormal"><o:p> </o:p></p>
                                    <div>
                                      <p class="MsoNormal">On Thu, Nov
                                        13, 2014 at 3:03 PM, Josh Sokol
                                        <<a moz-do-not-send="true"
                                          href="mailto:josh.sokol@owasp.org"
                                          target="_blank">josh.sokol@owasp.org</a>>
                                        wrote:<o:p></o:p></p>
                                      <div>
                                        <div>
                                          <div>
                                            <blockquote
                                              style="border:none;border-left:solid
                                              #CCCCCC 1.0pt;padding:0in
                                              0in 0in
                                              6.0pt;margin-left:4.8pt;margin-right:0in">
                                              <div>
                                                <p class="MsoNormal">1.
                                                  The compliant officers
                                                  role as neutral <span
                                                    lang="EN">conciliator
                                                    / mediator</span><o:p></o:p></p>
                                              </div>
                                              <div>
                                                <p class="MsoNormal">It
                                                  might be people
                                                  hesitate in filing an
                                                  official complaint, as
                                                  this is a harsh
                                                  measure, and reaching
                                                  out to the compliant
                                                  officer as neutral
                                                  party in an not yet
                                                  escalated conflict.<o:p></o:p></p>
                                              </div>
                                              <div>
                                                <p class="MsoNormal">The
                                                  current policy does
                                                  not describe this
                                                  possibility, it comes
                                                  close to "<b><span
style="font-size:11.5pt;font-family:"Arial","sans-serif"">IV.
                                                      Commitment to
                                                      Peaceful Conflict
                                                      Resolution</span></b>",
                                                  but without filing an
                                                  official compliant.<o:p></o:p></p>
                                              </div>
                                              <div>
                                                <p class="MsoNormal">This
                                                  could be in chapter "<b><span
style="font-size:11.5pt;font-family:"Arial","sans-serif"">IX.
                                                      Compliance Officer</span></b>".<o:p></o:p></p>
                                              </div>
                                              <p class="MsoNormal">Q: is
                                                this part of the
                                                compliant officers role?<o:p></o:p></p>
                                            </blockquote>
                                            <p class="MsoNormal"><o:p> </o:p></p>
                                          </div>
                                          <p class="MsoNormal"
                                            style="margin-bottom:12.0pt">I
                                            *think* what you're talking
                                            about is under section III.
                                            Initiating an Informal
                                            Complaint.  The ED, Board,
                                            and Compliance Officer are
                                            all identified in this
                                            paragraph as possible
                                            contacts for informal
                                            complaints.<o:p></o:p></p>
                                          <p class="MsoNormal">2. Early
                                            notification of the
                                            compliant officer in case of
                                            serious complaints.<br>
                                            As reason history has shown
                                            actions of investigation
                                            should been handed to the
                                            investigation soon possible.
                                            It might not be part of the
                                            Whistelblower Policy, but
                                            can we find an agreement any
                                            serious complaints the board
                                            or a board member has
                                            received, the Compliant
                                            Officer should be notified
                                            about early, before
                                            escalation!<o:p></o:p></p>
                                          <p class="MsoNormal"
                                            style="margin-bottom:12.0pt"><br>
                                            I agree that the Board needs
                                            to work with the Compliance
                                            Officer to discuss serious
                                            complaints as early as
                                            possible.  I think that what
                                            you are referring to here is
                                            basically the difference
                                            between an informal and a
                                            formal complaint.  At the
                                            stage of an informal
                                            complaint, the goal is to
                                            resolve the conflict with
                                            those that the conflict
                                            involves.  I have no
                                            argument either for or
                                            against involving the
                                            Compliance Officer at this
                                            stage.  But once we get to
                                            the formal complaint stage,
                                            then I think that the
                                            Compliance Officer becomes
                                            the key player in the
                                            conflict resolution process.<o:p></o:p></p>
                                          <p class="MsoNormal">In
                                            general, I think the role,
                                            responsibility of the
                                            Compliance Officer should be
                                            expressed in more clearly.
                                            As the independence of the
                                            board. <o:p></o:p></p>
                                          <p class="MsoNormal"><o:p> </o:p></p>
                                        </div>
                                        <div>
                                          <p class="MsoNormal"
                                            style="margin-bottom:12.0pt">Maybe
                                            you could provide an example
                                            wording for what you would
                                            like to see changed here? 
                                            This is effectively what I
                                            was going with under section
                                            IX when I say <span
                                              style="font-family:"Arial","sans-serif"">"</span><span
style="font-size:11.5pt;font-family:"Arial","sans-serif"">The
                                              Compliance Officer is
                                              empowered to conduct their
                                              investigations in
                                              isolation of the Board in
                                              order to maintain
                                              neutrality, but are free
                                              to involve members of the
                                              Board as necessary.  It is
                                              solely the Compliance
                                              Officer’s charge to
                                              determine whether or not a
                                              complaint can be
                                              considered valid for
                                              investigation though any
                                              individual may submit a
                                              complaint as noted above."</span><o:p></o:p></p>
                                        </div>
                                        <div>
                                          <p class="MsoNormal"><span
style="font-size:11.5pt;font-family:"Arial","sans-serif"">~josh</span><span
                                              style="color:#888888"><o:p></o:p></span></p>
                                        </div>
                                      </div>
                                      <div>
                                        <div>
                                          <div>
                                            <p class="MsoNormal"><o:p> </o:p></p>
                                            <div>
                                              <p class="MsoNormal">On
                                                Wed, Nov 12, 2014 at
                                                5:07 PM, Martin Knobloch
                                                <<a
                                                  moz-do-not-send="true"
href="mailto:martin.knobloch@owasp.org" target="_blank">martin.knobloch@owasp.org</a>>
                                                wrote:<o:p></o:p></p>
                                              <div>
                                                <div>
                                                  <p class="MsoNormal"
                                                    style="margin-bottom:12.0pt">Josh,
                                                    et all,<o:p></o:p></p>
                                                </div>
                                                <div>
                                                  <p class="MsoNormal"
                                                    style="margin-bottom:12.0pt">Two
                                                    questions from my
                                                    side as current
                                                    developments raised
                                                    this.<o:p></o:p></p>
                                                </div>
                                                <div>
                                                  <p class="MsoNormal">1.
                                                    The compliant
                                                    officers role as
                                                    neutral <span
                                                      lang="EN">conciliator
                                                      / mediator</span><o:p></o:p></p>
                                                </div>
                                                <div>
                                                  <p class="MsoNormal">It
                                                    might be people
                                                    hesitate in filing
                                                    an official
                                                    complaint, as this
                                                    is a harsh measure,
                                                    and reaching out to
                                                    the compliant
                                                    officer as neutral
                                                    party in an not yet
                                                    escalated conflict.<o:p></o:p></p>
                                                </div>
                                                <div>
                                                  <p class="MsoNormal">The
                                                    current policy does
                                                    not describe this
                                                    possibility, it
                                                    comes close to "<b><span
style="font-size:11.5pt;font-family:"Arial","sans-serif"">IV.
                                                        Commitment to
                                                        Peaceful
                                                        Conflict
                                                        Resolution</span></b>",
                                                    but without filing
                                                    an official
                                                    compliant.<o:p></o:p></p>
                                                </div>
                                                <div>
                                                  <p class="MsoNormal">This
                                                    could be in chapter
                                                    "<b><span
style="font-size:11.5pt;font-family:"Arial","sans-serif"">IX.
                                                        Compliance
                                                        Officer</span></b>".<o:p></o:p></p>
                                                </div>
                                                <div>
                                                  <p class="MsoNormal"
                                                    style="margin-bottom:12.0pt">Q:
                                                    is this part of the
                                                    compliant officers
                                                    role? <o:p></o:p></p>
                                                </div>
                                                <div>
                                                  <p class="MsoNormal"
                                                    style="margin-bottom:12.0pt">2.
                                                    Early notification
                                                    of the compliant
                                                    officer in case of
                                                    serious complaints.<br>
                                                    As reason history
                                                    has shown actions of
                                                    investigation should
                                                    been handed to the
                                                    investigation soon
                                                    possible. It might
                                                    not be part of the
                                                    Whistelblower
                                                    Policy, but can we
                                                    find an agreement
                                                    any serious
                                                    complaints the board
                                                    or a board member
                                                    has received, the
                                                    Compliant Officer
                                                    should be notified
                                                    about early, before
                                                    escalation!<br>
                                                    <br>
                                                    In general, I think
                                                    the role,
                                                    responsibility of
                                                    the Compliance
                                                    Officer should be
                                                    expressed in more
                                                    clearly. As the
                                                    independence of the
                                                    board. <o:p></o:p></p>
                                                </div>
                                                <div>
                                                  <p class="MsoNormal">Cheers,<o:p></o:p></p>
                                                </div>
                                                <div>
                                                  <p class="MsoNormal">-martin<o:p></o:p></p>
                                                </div>
                                              </div>
                                              <div>
                                                <div>
                                                  <div>
                                                    <p class="MsoNormal"><o:p> </o:p></p>
                                                    <div>
                                                      <p
                                                        class="MsoNormal">On
                                                        Wed, Nov 12,
                                                        2014 at 7:40 PM,
                                                        Josh Sokol <<a
moz-do-not-send="true" href="mailto:josh.sokol@owasp.org"
                                                          target="_blank">josh.sokol@owasp.org</a>>
                                                        wrote:<o:p></o:p></p>
                                                      <div>
                                                        <div>
                                                          <div>
                                                          <p
                                                          class="MsoNormal"
style="margin-bottom:12.0pt">Based on the feedback I received from
                                                          Martin, I made
                                                          a few changes
                                                          to the
                                                          Whistleblower
                                                          policy that I
                                                          had previously
                                                          sent out. 
                                                          Please review
                                                          when you have
                                                          a chance and
                                                          feel free to
                                                          provide
                                                          feedback
                                                          either via
                                                          comment or by
                                                          responding
                                                          back to this
                                                          e-mail.  Here
                                                          is the link:<br>
                                                          <br>
                                                          <a
                                                          moz-do-not-send="true"
href="https://docs.google.com/a/owasp.org/document/d/1OwoHQtNGWxpr2qgSGbTqCRJJYLayh5d8zvzxoh2Cnqk/edit"
target="_blank">https://docs.google.com/a/owasp.org/document/d/1OwoHQtNGWxpr2qgSGbTqCRJJYLayh5d8zvzxoh2Cnqk/edit</a><o:p></o:p></p>
                                                          </div>
                                                          <p
                                                          class="MsoNormal"
style="margin-bottom:12.0pt">Thanks!<o:p></o:p></p>
                                                        </div>
                                                        <p
                                                          class="MsoNormal"><span
style="color:#888888">~josh</span><o:p></o:p></p>
                                                      </div>
                                                    </div>
                                                    <p class="MsoNormal"><o:p> </o:p></p>
                                                  </div>
                                                </div>
                                              </div>
                                            </div>
                                            <p class="MsoNormal"><o:p> </o:p></p>
                                          </div>
                                        </div>
                                      </div>
                                    </div>
                                    <p class="MsoNormal"><o:p> </o:p></p>
                                  </div>
                                </div>
                              </div>
                            </div>
                            <p class="MsoNormal"><o:p> </o:p></p>
                          </div>
                        </div>
                      </div>
                    </div>
                    <p class="MsoNormal"><o:p> </o:p></p>
                  </div>
                </div>
              </div>
            </div>
            <p class="MsoNormal"><o:p> </o:p></p>
          </div>
          <p class="MsoNormal"><br>
            <br>
            <br>
            <o:p></o:p></p>
          <pre>_______________________________________________<o:p></o:p></pre>
          <pre>Owasp-board mailing list<o:p></o:p></pre>
          <pre><a moz-do-not-send="true" href="mailto:Owasp-board@lists.owasp.org">Owasp-board@lists.owasp.org</a><o:p></o:p></pre>
          <pre><a moz-do-not-send="true" href="https://lists.owasp.org/mailman/listinfo/owasp-board">https://lists.owasp.org/mailman/listinfo/owasp-board</a><o:p></o:p></pre>
        </blockquote>
        <p class="MsoNormal"><o:p> </o:p></p>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
Owasp-board mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Owasp-board@lists.owasp.org">Owasp-board@lists.owasp.org</a>
<a class="moz-txt-link-freetext" href="https://lists.owasp.org/mailman/listinfo/owasp-board">https://lists.owasp.org/mailman/listinfo/owasp-board</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>