<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    This is a very good summary of these issues, Josh, I'm with you.<br>
    <br>
    Shall we initiate a vote and make this happen or is more discussion
    needed?<br>
    <br>
    - Jim<br>
    <br>
    <div class="moz-cite-prefix">On 8/18/15 8:37 AM, Josh Sokol wrote:<br>
    </div>
    <blockquote
cite="mid:CAFwvDeyDVTGUkZ6WtfQ3tbrF+4qxrG_S-zzNXmEFn-U7pqpoRA@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>One additional thought here as I was about to write
            something more formal up.  Officially, the Bylaws state:<br>
            <br>
            <i>Failure by a board member to meet the 75% attendance
              requirement after any tabulation will cause a mandatory
              vote of confidence by the remaining board members, whose
              votes will be publicly recorded.  An overall vote of "no
              confidence" is recorded if half or more of the board
              members vote for it, which causes the board member in
              question to be instantly removed from their seat on the
              board.</i><br>
            <br>
          </div>
          I think that the key here is failure after <u><b>ANY
              TABULATION</b></u>.  Personally, I think this is a flaw in
          the Bylaws.  For one, we do not ever specify what the
          timeframe for tabulation is.  Is it over the two years that
          you are elected as a Board member?  Is it per year?  That
          really needs to be clarified.  Secondly, let's say the
          timeframe is a calendar year for the sake of argument and we
          are doing monthly meetings, do we really want a situation
          where if someone misses any one of the first, second, or third
          Board meetings of the year a vote of no confidence is
          automatically triggered because they are at 0%, 50%, or 66%? 
          That seems unreasonable to me and is an unintended side-effect
          of how this is worded.  In light of that, I don't think there
          is any way that I could, in good conscience, actually vote to
          remove Fabio, but I still think that we need to adhere to the
          Bylaws as written and have a formal vote.  Once we do that, we
          should probably consider changing the verbiage to reflect what
          I think we actually want here which is that if someone is on
          the Board, but not doing their job, they are removed.  My
          $0.02.<br>
          <br>
        </div>
        ~josh<br>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Tue, Aug 18, 2015 at 1:24 PM, Eoin
          Keary <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:eoin.keary@owasp.org" target="_blank">eoin.keary@owasp.org</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="auto">
              <div>Wise words Josh. That's why you're a great board
                member and OWASP leader!!</div>
              <div>Thanks for understanding. <span class=""><br>
                  <br>
                  Eoin Keary
                  <div>OWASP Volunteer</div>
                  <div>@eoinkeary</div>
                  <div><span style="font-size:13pt"><br>
                    </span></div>
                  <div><br>
                  </div>
                </span></div>
              <div>
                <div class="h5">
                  <div><br>
                    On 18 Aug 2015, at 19:22, Josh Sokol &lt;<a
                      moz-do-not-send="true"
                      href="mailto:josh.sokol@owasp.org" target="_blank">josh.sokol@owasp.org</a>&gt;
                    wrote:<br>
                    <br>
                  </div>
                  <blockquote type="cite">
                    <div>
                      <div dir="ltr">
                        <div>I agree 100% Eoin.  The rule is there for a
                          reason.  Voting to change it is one thing, but
                          that change cannot be applied retroactively to
                          the present situation.  The Bylaws are very
                          clear in that this should trigger a Board vote
                          to determine whether they should be removed. 
                          I am absolutely pushing for that vote to
                          happen, regardless of whether it actually
                          results in a removal.  If the Board wants to
                          evaluate a change to the Bylaws at a later
                          date, then so be it, but I will not support
                          it.  The Board is a commitment.  When you run,
                          you are doing so knowing that meetings will
                          not always happen when convenient and that you
                          are expected to attend 75% of them.  There are
                          certainly extenuating circumstances where a
                          case could be made here, but I don't think
                          I've heard any thus far.<br>
                          <br>
                        </div>
                        ~josh<br>
                      </div>
                      <div class="gmail_extra"><br>
                        <div class="gmail_quote">On Tue, Aug 18, 2015 at
                          1:04 PM, Eoin Keary <span dir="ltr">&lt;<a
                              moz-do-not-send="true"
                              href="mailto:eoin.keary@owasp.org"
                              target="_blank">eoin.keary@owasp.org</a>&gt;</span>
                          wrote:<br>
                          <blockquote class="gmail_quote"
                            style="margin:0 0 0 .8ex;border-left:1px
                            #ccc solid;padding-left:1ex">
                            <div dir="auto">
                              <div>Sorry I have to write this
                                email....but...</div>
                              <div><br>
                              </div>
                              <div>I hope you don't change the rules
                                just because certain members have not
                                complied with them....</div>
                              <div><br>
                              </div>
                              <div>I was forwarded some emails regarding
                                board attendance today from which it appears that
                                the 75% rule of board meeting attendance
                                is now going to be changed because some
                                folks on the board have issue with it. </div>
                              <div><br>
                              </div>
                              <div>This is like turkeys voting for
                                Christmas.</div>
                              <div><br>
                              </div>
                              <div>I respectfully hope the board abides
                                by its own guidelines, if not I have
                                great issue with the foundation's
                                governance.</div>
                              <div><br>
                              </div>
                              <div>Respect, for the good guys in OWASP. </div>
                              <span>
                                <div><br>
                                  <br>
                                  Eoin Keary
                                  <div>OWASP Volunteer</div>
                                  <div>@eoinkeary</div>
                                  <div><span style="font-size:13pt"><br>
                                    </span></div>
                                  <div><br>
                                  </div>
                                </div>
                              </span>
                              <div>
                                <div>
                                  <div><br>
                                    On 18 Aug 2015, at 17:08, Josh Sokol
                                    &lt;<a moz-do-not-send="true"
                                      href="mailto:josh.sokol@owasp.org"
                                      target="_blank">josh.sokol@owasp.org</a>&gt;
                                    wrote:<br>
                                    <br>
                                  </div>
                                  <blockquote type="cite">
                                    <div>
                                      <div dir="ltr">
                                        <div>
                                          <div>
                                            <div>
                                              <div>
                                                <div>Johanna,<br>
                                                  <br>
                                                  <blockquote
                                                    style="margin:0px
                                                    0px 0px
                                                    0.8ex;border-left:1px
                                                    solid
                                                    rgb(204,204,204);padding-left:1ex"
                                                    class="gmail_quote">So
                                                    far as I remember, the
                                                    idea was proposed to
                                                    the board by you and
                                                    the board took the
                                                    decision to
                                                    implement Committee
                                                    2.0. I believe this
                                                    was done with all
                                                    good intentions but
                                                    is not working.<br>
                                                  </blockquote>
                                                  <br>
                                                </div>
                                                Actually, I would argue
                                                that even though there's
                                                only a single committee
                                                right now, it is working
                                                exactly as intended. 
                                                The truth is that
                                                OWASP's leadership sits
                                                somewhere in-between an
                                                Oligarchy (as you
                                                describe it) and an
                                                Anarchy.  We're
                                                currently somewhere
                                                between Democracy and
                                                Ochlocracy depending on
                                                the topic if you really
                                                want to get technical. 
                                                In any case, what you
                                                need to realize is that
                                                somebody needs to have
                                                the power to make
                                                decisions or decisions
                                                will never get made and
                                                we veer into Anarchy. 
                                                What Committees 2.0 did
                                                is specify that decision
                                                making power starts with
                                                the Board as they have
                                                the fiduciary
                                                responsibility for the
                                                OWASP Foundation in all
                                                legal sense.  What it
                                                also did is allow any of
                                                our leaders to carve out
                                                a piece of that power
                                                that they are passionate
                                                about and run with it,
                                                just as you did with
                                                projects.  I really
                                                thought that we would
                                                see some other
                                                committees pop up
                                                similar to what we had
                                                before in other core
                                                areas of OWASP like
                                                Governance or Chapters,
                                                but the fact that there
                                                isn't just tells me that
                                                as of yet, no leader is
                                                passionate enough about
                                                it to carve out that
                                                power.  Maybe it's
                                                because of time
                                                commitments or because
                                                of some perceived "red
                                                tape" or even (I hope)
                                                because most people
                                                think the Board is doing
                                                an OK job making
                                                decisions, but the fact
                                                is that the ability is
                                                there and you are an
                                                example of it being
                                                used.  So, as I said,
                                                the system is working. 
                                                Where there is a void in
                                                the community wanting to
                                                take the power to make
                                                decisions, the Board
                                                fills that void.  In
                                                other words, if the
                                                community really thinks
                                                that they can do
                                                something better than
                                                the Board, they can form
                                                a Committee (or "Action
                                                Team" or "Initiative" or
                                                whatever they want to
                                                call it), and do it.<br>
                                                <br>
                                                <blockquote
                                                  style="margin:0px 0px
                                                  0px
                                                  0.8ex;border-left:1px
                                                  solid
                                                  rgb(204,204,204);padding-left:1ex"
                                                  class="gmail_quote">Projects
                                                  are global. They
                                                  promote OWASP at a
                                                  global level. What is
                                                  OWASP known for? For
                                                  its chapters? Its
                                                  conferences? I
                                                  strongly believe OWASP
                                                  is known for its
                                                  projects, Code Review,
                                                  Testing Guide, the
                                                  Cheat Sheets, ASVS,
                                                  ZAP... Many references
                                                  in major publications
                                                  refer to OWASP Top Ten
                                                  and respect them
                                                  because of its
                                                  projects. PCI and
                                                  major vendors use them
                                                  as reference and
                                                  guidelines.<br>
                                                </blockquote>
                                                <br>
                                              </div>
                                              There is no doubt in my
                                              mind that Projects are
                                              important for OWASP.  They
                                              spread our mission in
                                              places where even our
                                              Chapters cannot go.  But,
                                              if you want to talk about
                                              where most people
                                              interface with OWASP, it's
                                              not projects, it's
                                              Chapters.  You won't find
                                              a reference in a major
                                              publication to the OWASP
                                              Austin Chapter, for
                                              example, but we held a
                                              CryptoParty in January and
                                              invited members of our
                                              community, the media, etc
                                              to participate because we
                                              wanted to educate others
                                              on the importance of
                                              privacy.  You're
                                              passionate about OWASP
                                              Projects, I get that, and
                                              I love it.  I'm passionate
                                              about OWASP Chapters. 
                                              Neither should be
                                              trivialized as they both
                                              play a very important role
                                              within OWASP.<br>
                                              <br>
                                              <blockquote
                                                style="margin:0px 0px
                                                0px
                                                0.8ex;border-left:1px
                                                solid
                                                rgb(204,204,204);padding-left:1ex"
                                                class="gmail_quote">I
                                                would like to see a
                                                better schema for them
                                                to get more awareness,
                                                especially people doing
                                                great things and because
                                                of lack of funds cannot
                                                promote their projects.
                                                Chapters are rich,
                                                projects are poor. That
                                                is in my opinion a huge
                                                misbalance.<br>
                                              </blockquote>
                                              <br>
                                            </div>
                                            We have many chapters with
                                            small bank accounts, some
                                            even negative, and a few
                                            with quite large accounts. 
                                            Total it all up and it's a
                                            pretty decent sum of money. 
                                            But, what you're arguing for
                                            here is effectively
                                            Socialism.  You're saying
                                            that it doesn't matter that
                                            the OWASP chapter in Denver
                                            busted their ass (it is over
                                            a year's worth of effort by
                                            a team of people) to put on
                                            last year's AppSecUSA
                                            Conference.  It doesn't
                                            matter that it can cost a
                                            chapter hundreds if not
                                            thousands of dollars to rent
                                            meeting space, bring in
                                            food, fly in speakers, etc. 
                                            You only see that they have
                                            money, you do not, and you
                                            want it.  Not because you
                                            have a plan to spend it
                                            either, because if you did
                                            you could simply ask the
                                            Foundation for it, but
                                            because it is perceived as
                                            being disproportionate. 
                                            There is no payoff for
                                            OWASP's mission if we rob
                                            from the rich, give to the
                                            poor, and at the end of the
                                            day still just have money
                                            sitting in a savings
                                            account.  This highlights
                                            the underlying issue here. 
                                            The issue is not that
                                            Chapters or Projects HAVE
                                            money.  The issue is that
                                            they have money and are NOT
                                            SPENDING IT to further the
                                            OWASP Mission.  Thus, the
                                            approach to fix this issue
                                            (and I agree that it's an
                                            issue) shouldn't be to take
                                            away their money, it should
                                            be to get them to spend it.<br>
                                            <br>
                                            <blockquote
                                              style="margin:0px 0px 0px
                                              0.8ex;border-left:1px
                                              solid
                                              rgb(204,204,204);padding-left:1ex"
                                              class="gmail_quote">The
                                              limit of USD2,000- for
                                              supporting a project
                                              leader a year is for most
                                              leaders not enough. If a
                                              leader outside US or EU is
                                              invited to Black Hat, that
                                              amount is not enough to
                                              cover his traveling
                                              expenses.  And that's the
                                              maximum he can have in a
                                              year after filling in
                                              forms and going through
                                              some back-and-forth emails
                                              with the staff...<br>
                                            </blockquote>
                                            <br>
                                          </div>
                                          Ahhhhh, finally we get to the
                                          root of the issue.  The issue
                                          isn't that money isn't
                                          available, because, frankly,
                                          we had a significant amount of
                                          money budgeted last year that
                                          wasn't used.  The issue is
                                          that there is a cap on what
                                          any one project leader can
                                          request/spend.  My personal
                                          opinion here is that this $2k
                                          cap should be treated as a
                                          guideline, not a rule.  It is
                                          likely in place to prevent
                                          abuse by having a significant
                                          amount of money from the pool
                                          go to any one individual. 
                                          But, that cap certainly should
                                          not prevent the OWASP
                                          Foundation from investing in
                                          the projects, and people
                                          behind the projects, to make
                                          them better.  The Board
                                          entrusts Paul, as Executive
                                          Director, and the OWASP staff
                                          to handle the day-to-day
                                          operations of the OWASP
                                          Foundation.  Part of their job
                                          is to review these types of
                                          requests in order to determine
                                          whether they make sense and
                                          there are funds available. 
                                          That said, if you get to a
                                          point where you feel that they
                                          are being unreasonable, the
                                          Board can certainly step in
                                          and try to determine if an
                                          exception should be made.  So,
                                          net-net, maybe that $2k cap is
                                          too low.  Should we raise it? 
                                          If so, what should it be? 
                                          What amount would be
                                          reasonable for any one
                                          individual to consume from
                                          that shared pool of funds? 
                                          Guidelines can be changed. 
                                          Guidelines can even be
                                          overruled for the right
                                          reasons.  This is a relatively
                                          minor issue that it sounds
                                          like should be re-evaluated
                                          given rising costs, bigger
                                          budget pools, unused funds,
                                          etc.  Can you please come up
                                          with a reasonable proposal
                                          here and I will take that to
                                          the Board for approval to
                                          change this guideline?<br>
                                          <br>
                                          <blockquote style="margin:0px
                                            0px 0px
                                            0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex" class="gmail_quote">Should we scrap
                                            projects and focus to be a
                                            dedicated conference
                                            organisation?...that's what
                                            I see is happening whether
                                            consciously or not. <br>
                                          </blockquote>
                                          <br>
                                        </div>
                                        Your perception is VERY far from
                                        the truth.  I've spent the past
                                        8.5 years working with the OWASP
                                        Austin chapter and I've seen it
                                        grow from literally 3 people in
                                        a monthly meeting to around 70. 
                                        You, yourself, even said that
                                        OWASP is being referenced in
                                        major publications and our tools
                                        are being used around the
                                        globe.  That said, keep in mind
                                        that the OWASP mission is one of
                                        education, and conferences
                                        address that mission directly. 
                                        They are also the main
                                        fundraiser that helps to make
                                        sure that our chapters and
                                        projects have the money that
                                        they need in order to be
                                        successful.<br>
                                        <br>
                                        <blockquote style="margin:0px
                                          0px 0px 0.8ex;border-left:1px
                                          solid
                                          rgb(204,204,204);padding-left:1ex"
                                          class="gmail_quote">Should we
                                          scrap conferences and focus to
                                          gather those funds to create a
                                          better platform for projects
                                          and become the next Apache
                                          foundation?<br>
                                        </blockquote>
                                        <div><br>
                                        </div>
                                        <div>Where do you think those
                                          funds would come from?  By
                                          far, the majority of OWASP's
                                          annual revenue comes from
                                          AppSecUSA and AppSecEU.  To be
                                          frank, OWASP would be VERY
                                          different if it weren't for
                                          our conferences. <br>
                                          <br>
                                          <blockquote style="margin:0px
                                            0px 0px
                                            0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex" class="gmail_quote">Should we use
                                            crowdsource for gathering
                                            funds for projects through
                                            the OWASP foundation?<br>
                                          </blockquote>
                                          <br>
                                        </div>
                                        <div>This is not a mutually
                                          exclusive solution.  Yes,
                                          absolutely, use crowdfunding
                                          to gather funds for projects. 
                                          Please prove out this model of
                                          bringing another revenue
                                          source to OWASP.  I would
                                          imagine that this is a way
                                          that projects would be able to
                                          get funds that a chapter never
                                          could.  <br>
                                          <br>
                                          <blockquote style="margin:0px
                                            0px 0px
                                            0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex" class="gmail_quote">Project summits =
                                            events. That's what I'm
                                            proposing. That Summits are
                                            treated like events to
                                            generate money for projects
                                            so they have also a fair way
                                            to generate money as
                                            chapters do. They will
                                            depend less on sponsors
                                            with commercial intentions.<br>
                                          </blockquote>
                                          <br>
                                        </div>
                                        <div>OK, but every project
                                          summit that we have had thus
                                          far has cost OWASP money, not
                                          made it.  Speaking as the
                                          former Co-Chair of LASCON and
                                          AppSecUSA, I can tell you that
                                          these types of events are a
                                          lot of work and that it is
                                          difficult to attract
                                          attendees.  Attendees actually
                                          barely end up covering their
                                          own costs (food, schwag,
                                          etc).  Sponsors and trainings
                                          are usually the ones who
                                          generate the profit for these
                                          events.  So, let's say you do
                                          a project summit.  How would
                                          you intend to attract
                                          attendees who are willing to
                                          pay for the content?  If not,
                                          how would you intend to
                                          attract sponsors whose sole
                                          purpose in being there is to
                                          sell product to the
                                          attendees?  Especially if you
                                          don't want sponsors with
                                          commercial intentions.  You
                                          would be lucky if you get
                                          enough sponsors to cover
                                          costs.  Or, in the situation
                                          of every past project summit
                                          that we've had, the Foundation
                                          ends up covering the
                                          difference.  I'm not saying
                                          that you shouldn't try to
                                          prove out this model.  I'm
                                          saying that it hasn't been
                                          proven to date.  Also, it's a
                                          bit naive to say that chapters
                                          leveraging their members and
                                          holding a conference isn't
                                          "fair".  We should be
                                          encouraging as many endeavors
                                          as we can at OWASP that spread
                                          our mission.  Even more so if
                                          they generate additional
                                          revenue because that helps to
                                          further our mission even more
                                          after the conference is over. 
                                          Nothing is stopping a project
                                          from having a conference. 
                                          This isn't a matter of "fair"
                                          or "unfair".  It's a matter of
                                          a team of people putting in
                                          the effort and making it
                                          happen.  Please don't
                                          trivialize those efforts.<br>
                                          <br>
                                          <blockquote style="margin:0px
                                            0px 0px
                                            0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex" class="gmail_quote">Also more focus
                                            on crowdsourcing projects.
                                            If people find it a great
                                            idea they will sponsor it.<br>
                                          </blockquote>
                                          <br>
                                        </div>
                                        <div>As I said above, I think
                                          this is a great idea.  Let's
                                          do it!<br>
                                          <br>
                                          <blockquote style="margin:0px
                                            0px 0px
                                            0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex" class="gmail_quote">I will ask the
                                            staff to create a survey and
                                            ask the community about it. 
                                            This is my proposal and
                                            based on those results I
                                            hope and expect the board to
                                            take actions.</blockquote>
                                          <br>
                                        </div>
                                        <div>Ask the staff to create a
                                          survey?  Why not make the
                                          survey yourself?  What exactly
                                          are we surveying and why?  The
                                          only thing that I think you've
                                          identified as an actual issue
                                          preventing projects from
                                          operating efficiently is a cap
                                          on the amount of funding
                                          available.  That doesn't
                                          require a survey to get
                                          changed, just a plan and an
                                          approval.  I can't guarantee
                                          support or action as it
                                          depends on the varying
                                          opinions of 7 unique
                                          individuals, but the Board
                                          would certainly evaluate any
                                          proposal that is put on the
                                          table.<br>
                                          <br>
                                        </div>
                                        <div>~josh<br>
                                        </div>
                                      </div>
                                      <div class="gmail_extra"><br>
                                        <div class="gmail_quote">On Mon,
                                          Aug 17, 2015 at 8:31 PM,
                                          johanna curiel curiel <span
                                            dir="ltr">&lt;<a
                                              moz-do-not-send="true"
                                              href="mailto:johanna.curiel@owasp.org"
                                              target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:johanna.curiel@owasp.org">johanna.curiel@owasp.org</a></a>&gt;</span>
                                          wrote:<br>
                                          <blockquote
                                            class="gmail_quote"
                                            style="margin:0 0 0
                                            .8ex;border-left:1px #ccc
                                            solid;padding-left:1ex">
                                            <div dir="ltr">Josh,
                                              <div><br>
                                              </div>
                                              <div>
                                                <div>As far as I remember,
                                                  the idea was proposed
                                                  to the board by you
                                                  and the board took the
                                                  decision to implement
                                                  Committee 2.0. I
                                                  believe this was done
                                                  with all good
                                                  intentions but is not
                                                  working.</div>
                                                <div><a
                                                    moz-do-not-send="true"
href="http://lists.owasp.org/pipermail/owasp-leaders/2014-May/011794.html"
                                                    target="_blank"><a class="moz-txt-link-freetext" href="http://lists.owasp.org/pipermail/owasp-leaders/2014-May/011794.html">http://lists.owasp.org/pipermail/owasp-leaders/2014-May/011794.html</a></a><br>
                                                </div>
                                                <div><br>
                                                </div>
                                                <div>In this same email
                                                  Sarah mentions:</div>
                                                <div>
                                                  <pre style="white-space:pre-wrap;color:rgb(0,0,0)">The 2008 committees worked, for the most part, independently of each other.
This often created duplicate or even conflicting efforts leading to frustration.</pre>
                                                </div>
                                                <div>Results now: I'm
                                                  the only committee
                                                  called the Project
                                                  Task Force. Maybe that's
                                                  why no one wants to
                                                  create any more
                                                  committees.<br>
                                                </div>
                                                <div><br>
                                                </div>
                                                <div>Projects are
                                                  global. They promote
                                                  OWASP at a global
                                                  level. What is OWASP
                                                  known for? For its
                                                  chapters? Its
                                                  conferences? I
                                                  strongly believe OWASP
                                                  is known for its
                                                  projects, Code Review,
                                                  Testing guide, the
                                                  Cheat Sheets, ASVS,
                                                  ZAP... Many references
                                                  in major publications
                                                  refer to OWASP top ten
                                                  and respect them
                                                  because of its
                                                  projects. PCI and
                                                  major vendors use them
                                                  as reference and
                                                  guidelines.</div>
                                                <div><br>
                                                </div>
                                                <div>What I would like to see
                                                  is a better schema for
                                                  them to get more
                                                  awareness, especially
                                                  people doing great
                                                  things and because of
                                                  lack of funds cannot
                                                  promote their
                                                  projects. Chapters are
                                                  rich, projects are
                                                  poor. That is in my
                                                  opinion a huge
                                                  misbalance. </div>
                                                <div><br>
                                                </div>
                                                <div>The limit of
                                                  USD2,000- for
                                                  supporting a project
                                                  leader a year is for
                                                  most leaders not
                                                  enough. If a leader
                                                  outside US or EU is
                                                  invited to blackhat,
                                                  that amount is not
                                                  enough to cover his
                                                  traveling expenses. 
                                                  And that's the maximum
                                                  he can have in a year
                                                  after filling in forms
                                                  and going through some
                                                  back-and-forth emails
                                                  with the staff...</div>
                                                <div><br>
                                                </div>
                                                <div>
                                                  <ul>
                                                    <li>Should we scrap
                                                      projects and focus
                                                      to be a dedicated
                                                      conference
                                                      organisation?...that's
                                                      what  I see is
                                                      happening whether
                                                      consciously or
                                                      not. <br>
                                                    </li>
                                                    <li>Should we scrap
                                                      conferences and
                                                      focus to gather
                                                      those funds to
                                                      create a better
                                                      platform for
                                                      projects and
                                                      become the next
                                                      Apache foundation?<br>
                                                    </li>
                                                    <li>Should we use
                                                      crowdsource for
                                                      gathering funds
                                                      for projects
                                                      through the OWASP
                                                      foundation?<br>
                                                    </li>
                                                  </ul>
                                                </div>
                                                <div><br>
                                                </div>
                                                <div>I would like to see
                                                  a solution to this or
                                                  an action.</div>
                                                <div><br>
                                                </div>
                                                <div>
                                                  <div>Project summits =
                                                    events. That's what
                                                    I'm proposing. That
                                                    Summits are treated
                                                    like events to
                                                    generate money for
                                                    projects so they
                                                    have also a fair way
                                                    to generate money as
                                                    chapters do. They
                                                    will depend less
                                                    on sponsors with
                                                    commercial
                                                    intentions (easier
                                                    to avoid Logogate
                                                    issues and projects
                                                    with the intention
                                                    to promote appsec
                                                    companies). Also
                                                    more focus on
                                                    crowdsourcing
                                                    projects. If people
                                                    find it a great
                                                    idea they will
                                                    sponsor it.</div>
                                                </div>
                                                <div><br>
                                                </div>
                                                <div>I will ask the
                                                  staff to create a
                                                  survey and ask the
                                                  community about it.
                                                  This is my proposal
                                                  and based on those
                                                  results I hope and
                                                  expect the board to
                                                  take actions.<br>
                                                </div>
                                                <div><br>
                                                </div>
                                                <div>regards</div>
                                                <span><font
                                                    color="#888888">
                                                    <div><br>
                                                    </div>
                                                    <div>Johanna</div>
                                                    <div><br>
                                                    </div>
                                                    <div><br>
                                                    </div>
                                                  </font></span></div>
                                            </div>
                                            <div>
                                              <div>
                                                <div class="gmail_extra"><br>
                                                  <div
                                                    class="gmail_quote">On
                                                    Mon, Aug 17, 2015 at
                                                    7:41 PM, Mario
                                                    Robles <span
                                                      dir="ltr">&lt;<a
                                                        moz-do-not-send="true"
href="mailto:mario.robles@owasp.org" target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:mario.robles@owasp.org">mario.robles@owasp.org</a></a>&gt;</span>
                                                    wrote:<br>
                                                    <blockquote
                                                      class="gmail_quote"
                                                      style="margin:0 0
                                                      0
                                                      .8ex;border-left:1px
                                                      #ccc
                                                      solid;padding-left:1ex">
                                                      <div
                                                        bgcolor="#FFFFFF"
                                                        text="#000000">
                                                        Hey Josh,<br>
                                                        <br>
                                                        I could be wrong
                                                        but the term
                                                        Committee is
                                                        commonly
                                                        associated with
                                                        "bureaucracy"
                                                        even if it's not
                                                        what you meant,
                                                        at least it was
                                                        the first thing
                                                        on top of my
                                                        head, I'm sure
                                                        if you change
                                                        the word
                                                        Committee to
                                                        something like
                                                        "Action Team" it
                                                        would be better
                                                        accepted<br>
                                                        <br>
                                                        Just my point of
                                                        view,<br>
                                                        <br>
                                                        Mario
                                                        <div>
                                                          <div><br>
                                                          <div>On
                                                          17/08/2015
                                                          04:21 p.m.,
                                                          Josh Sokol
                                                          wrote:<br>
                                                          </div>
                                                          </div>
                                                        </div>
                                                        <blockquote
                                                          type="cite">
                                                          <div>
                                                          <div>
                                                          <div dir="ltr">
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <blockquote
                                                          style="margin:0px
                                                          0px 0px
                                                          0.8ex;border-left:1px
                                                          solid
                                                          rgb(204,204,204);padding-left:1ex"
class="gmail_quote">I think we need to create Project Summits in the
                                                          form of events
                                                          with the whole
                                                          purpose to
                                                          gather funds
                                                          for projects<br>
                                                          </blockquote>
                                                          <br>
                                                          </div>
                                                          Please forgive
                                                          my ignorance. 
                                                          How does a
                                                          Project Summit
                                                          generate funds
                                                          for projects? 
                                                          Every Project
                                                          Summit that we
                                                          have had to
                                                          date has cost
                                                          the Foundation
                                                          money, hasn't
                                                          it?  Can you
                                                          please
                                                          elaborate?<br>
                                                          <br>
                                                          <blockquote
                                                          style="margin:0px
                                                          0px 0px
                                                          0.8ex;border-left:1px
                                                          solid
                                                          rgb(204,204,204);padding-left:1ex"
class="gmail_quote">Look, Denver chapter has around 50K in their bucket.
                                                          The richest
                                                          Project is ZAP
                                                          with 10k...
                                                          but that is
                                                          the exception.
                                                          Even worse
                                                          when you look
                                                          at chapters
                                                          outside US or
                                                          EU, mine has
                                                          only USD40
                                                          dollars. Most
                                                          projects have
                                                          Zero Dollars.<br>
                                                          </blockquote>
                                                          <br>
                                                          </div>
                                                          I'm not sure I
                                                          understand the
                                                          fixation on
                                                          what other
                                                          chapters have
                                                          in their
                                                          bucket.  They
                                                          have these
                                                          funds because
                                                          they worked
                                                          hard to obtain
                                                          them.  In the
                                                          case of
                                                          Denver, they
                                                          ran last
                                                          year's
                                                          AppSecUSA
                                                          Conference. 
                                                          Just because
                                                          they have
                                                          money in their
                                                          account, it
                                                          doesn't mean
                                                          that you
                                                          aren't able to
                                                          do things with
                                                          the $40 you
                                                          have in your
                                                          account.  It
                                                          just means
                                                          that they have
                                                          to use their
                                                          account funds
                                                          first before
                                                          being able to
                                                          use money from
                                                          the Foundation
                                                          pool while you
                                                          would need to
                                                          request funds
                                                          from that pool
                                                          for anything
                                                          over $40.  Any
                                                          sort of
                                                          reallocation
                                                          just moves the
                                                          "ring fenced
                                                          funds" issue
                                                          to another
                                                          account.  The
                                                          model of
                                                          chapters and
                                                          projects
                                                          having
                                                          accounts is
                                                          not what's
                                                          broken here. 
                                                          It's the model
                                                          of chapters
                                                          and projects
                                                          saving their
                                                          funds instead
                                                          of spending
                                                          them.  This is
                                                          why I voted
                                                          "no" on the
                                                          Summer of Code
                                                          initiative. 
                                                          It was giving
                                                          money to those
                                                          who already
                                                          had it and not
                                                          forcing them
                                                          to spend their
                                                          funds first. 
                                                          In any case,
                                                          I'm not sure I
                                                          understand why
                                                          the amount of
                                                          money Denver
                                                          has in their
                                                          account has
                                                          any impact on
                                                          any other
                                                          chapter or
                                                          project other
                                                          than
                                                          themselves. 
                                                          We have tens
                                                          of thousands
                                                          of dollars
                                                          allocated by
                                                          the Foundation
                                                          to projects and
                                                          chapters on an
                                                          annual basis,
                                                          much of which
                                                          goes
                                                          completely
                                                          unused.  There
                                                          is money
                                                          available at
                                                          OWASP for
                                                          those who need
                                                          it and I have
                                                          yet to hear of
                                                          a situation
                                                          where someone
                                                          was told
                                                          otherwise.<br>
                                                          <br>
                                                          <blockquote
                                                          style="margin:0px
                                                          0px 0px
                                                          0.8ex;border-left:1px
                                                          solid
                                                          rgb(204,204,204);padding-left:1ex"
class="gmail_quote">Yes but how do they know where to go, that's why the
                                                          survey. The
                                                          survey is the
                                                          compass. And
                                                          the leaders
                                                          are elected to
                                                          listen to the
                                                          community.<br>
                                                          </blockquote>
                                                          <br>
                                                          </div>
                                                          I agree with
                                                          this notion. 
                                                          The OWASP
                                                          Board should
                                                          act in
                                                          accordance
                                                          with the
                                                          desires of the
                                                          community and
                                                          should be
                                                          doing frequent
                                                          checks to
                                                          confirm that
                                                          initiatives
                                                          are aligned.<br>
                                                          <br>
                                                          <blockquote
                                                          style="margin:0px
                                                          0px 0px
                                                          0.8ex;border-left:1px
                                                          solid
                                                          rgb(204,204,204);padding-left:1ex"
class="gmail_quote">So the committee concept in theory seemed like a
                                                          great idea but
                                                          in practice is
                                                          not working
                                                          because in my
                                                          eyes, creating
                                                          a committee is
                                                          creating a
                                                          mini board
                                                          inside OWASP.<br>
                                                          </blockquote>
                                                          <br>
                                                          </div>
                                                          To be honest,
                                                          I have been
                                                          surprised by
                                                          the lack of
                                                          desire to
                                                          participate in
                                                          OWASP
                                                          Committees. 
                                                          The community
                                                          has said that
                                                          they want
                                                          empowerment
                                                          and the goal
                                                          of the
                                                          committees was
                                                          to do that. 
                                                          But, now that
                                                          it's there,
                                                          nobody wants
                                                          it?  Your
                                                          example with
                                                          John Lita
                                                          follows the
                                                          Committees 2.0
                                                          process almost
                                                          verbatim.  The
                                                          only
                                                          difference is
                                                          that it
                                                          provides
                                                          scoping to
                                                          ensure that we
                                                          don't have
                                                          competing, or
                                                          even worse,
                                                          conflicting
                                                          initiatives
                                                          and it
                                                          specifies that
                                                          the
                                                          individuals
                                                          involved need
                                                          to work within
                                                          that scope. 
                                                          Without it,
                                                          you have a
                                                          loosely knit
                                                          group of
                                                          people running
                                                          around with
                                                          their own
                                                          individual
                                                          initiatives. 
                                                          At that level,
                                                          OWASP is just
                                                          a funding
                                                          source for
                                                          experimentation,
                                                          not a
                                                          Foundation. 
                                                          There is no
                                                          accountability,
                                                          but the
                                                          liability on
                                                          the Foundation
                                                          is still
                                                          there. 
                                                          Legally, we
                                                          can't just
                                                          have people
                                                          running around
                                                          spending money
                                                          without any
                                                          form of
                                                          guidance.  <br>
                                                          <br>
                                                          <blockquote
                                                          style="margin:0px
                                                          0px 0px
                                                          0.8ex;border-left:1px
                                                          solid
                                                          rgb(204,204,204);padding-left:1ex"
class="gmail_quote">
                                                          <div> Allow me
                                                           and let the
                                                          staff know
                                                          that they
                                                          should support
                                                          me and any
                                                          other
                                                          volunteers
                                                          seeking to
                                                          implement
                                                          their ideas
                                                          ;-). </div>
                                                          <div>Let's cut
                                                          the red tape
                                                          with
                                                          committees and
                                                          let people
                                                          know that if
                                                          they want to
                                                          do something,</div>
                                                          <ul>
                                                          <li>Contact
                                                          the staff. <br>
                                                          </li>
                                                          <li>Set a
                                                          survey and
                                                          gather support<br>
                                                          </li>
                                                          <li>Need more
                                                          money? Set a
                                                          crowd funding
                                                          project @ <a
                                                          moz-do-not-send="true"
href="https://www.kickstarter.com" target="_blank">https://www.kickstarter.com</a>
                                                          under OWASP</li>
                                                          <li>Volunteers
                                                          implement idea
                                                          or project
                                                          with the
                                                          support of
                                                          OWASP staff
                                                          and other
                                                          volunteers</li>
                                                          </ul>
                                                          </blockquote>
                                                          <p>I'm not
                                                          sure how this
                                                          is that much
                                                          different from
                                                          a Committee. 
                                                          Contact the
                                                          community via
                                                          the mailing
                                                          list and
                                                          gather
                                                          support, scope
                                                          the activities
                                                          (i.e. define
                                                          the project),
                                                          Board ensures
                                                          that there's
                                                          no conflict,
                                                          do your
                                                          thing.  The
                                                          "red tape"
                                                          that you keep
                                                          referring to
                                                          is just a
                                                          process
                                                          document that
                                                          walks you
                                                          through how to
                                                          set up a
                                                          committee. 
                                                          After that's
                                                          done, the idea
                                                          was to empower
                                                          you to act
                                                          within the
                                                          defined scope
                                                          without going
                                                          to the Board. 
                                                          If we're
                                                          talking
                                                          specifically
                                                          about
                                                          projects,
                                                          which it
                                                          sounds like
                                                          this is geared
                                                          towards, then
                                                          it's even
                                                          easier. 
                                                          Register as a
                                                          project (so
                                                          that staff
                                                          knows you
                                                          exist and can
                                                          support you)
                                                          and do your
                                                          thing.  If you
                                                          need money,
                                                          ask for it. 
                                                          I'm not sure I
                                                          see the
                                                          problem here. 
                                                          I'm also not
                                                          sure what
                                                          you're asking
                                                          for as it
                                                          doesn't seem
                                                          that different
                                                          to me than how
                                                          the status quo
                                                          is supposed to
                                                          operate.  Is
                                                          it operating
                                                          differently in
                                                          practice than
                                                          it should in
                                                          theory?  I
                                                          don't have an
                                                          OWASP project
                                                          and so perhaps
                                                          I'm blind to
                                                          the
                                                          realities.  If
                                                          so, then the
                                                          specific
                                                          issues need to
                                                          be addressed
                                                          by bylaw
                                                          change, policy
                                                          change, staff
                                                          engagement,
                                                          etc.  So far,
                                                          all you've
                                                          said is
                                                          "projects need
                                                          money", which
                                                          you have
                                                          access to, and
                                                          "cut the red
                                                          tape", of
                                                          which I don't
                                                          see anything
                                                          more than a
                                                          step to say
                                                          "Hey, I want
                                                          to be a
                                                          project". 
                                                          Please help me
                                                          to understand.<br>
                                                          </p>
                                                          ~josh<br>
                                                          </div>
                                                          <div
                                                          class="gmail_extra"><br>
                                                          <div
                                                          class="gmail_quote">On
                                                          Mon, Aug 17,
                                                          2015 at 12:04
                                                          PM, johanna
                                                          curiel curiel
                                                          <span
                                                          dir="ltr"><<a
moz-do-not-send="true" href="mailto:johanna.curiel@owasp.org"
                                                          target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:johanna.curiel@owasp.org">johanna.curiel@owasp.org</a></a>></span>
                                                          wrote:<br>
                                                          <blockquote
                                                          class="gmail_quote"
                                                          style="margin:0
                                                          0 0
                                                          .8ex;border-left:1px
                                                          #ccc
                                                          solid;padding-left:1ex">
                                                          <div dir="ltr"><span>
                                                          <div> >I
                                                          don't think
                                                          there is
                                                          anything
                                                          preventing a
                                                          project from
                                                          doing the
                                                          same, but I
                                                          haven't seen
                                                          it done at
                                                          this point.</div>
                                                          <div><br>
                                                          </div>
                                                          </span>
                                                          <div>I think
                                                          we need to
                                                          create Project
                                                          Summits in the
                                                          form of events
                                                          with the whole
                                                          purpose to
                                                          gather funds
                                                          for projects.
                                                          Open SAMM has
                                                          done this and
                                                          I think we can
                                                          try that. For
                                                          that we need
                                                          the support of
                                                          the staff
                                                          Business
                                                          liaison, Event
                                                          manager, just
                                                          as they put
                                                          their work and
                                                          efforts in
                                                          Events and
                                                          appsecs. Here
                                                          cut share
                                                          between OWASP
                                                          staff time and
                                                          projects can
                                                          also be done.</div>
                                                          <span>
                                                          <div><br>
                                                          </div>
                                                          <div> >OWASP
                                                          has a project
                                                          funding
                                                          bucket.</div>
                                                          </span>
                                                          <div>Look,
                                                          Denver chapter
                                                          has around 50K
                                                          in their
                                                          bucket. The
                                                          richest
                                                          Project is ZAP
                                                          with 10k...
                                                          but that is
                                                          the exception.
                                                          Even worse
                                                          when you look
                                                          at chapters
                                                          outside US or
                                                          EU, mine has
                                                          only USD40
                                                          dollars. Most
                                                          projects have
                                                          Zero Dollars.</div>
                                                          <div>And the
                                                          limits right
                                                          now are a
                                                          support but do
                                                          not help to
                                                          get important
                                                          things moving
                                                          like OWASP
                                                          Academy
                                                          portal,
                                                          Leaders like
                                                          Azzedine
                                                          assist and
                                                          showcase his
                                                          chapter or
                                                          project or
                                                          other more
                                                          complex
                                                          initiatives.
                                                          Or major
                                                          improvements
                                                          or promotions
                                                          to their
                                                          projects. <br>
                                                          </div>
                                                          <span>
                                                          <div><br>
                                                          </div>
                                                          <div> 
                                                          >Remember
                                                          that the Board
                                                          is just a
                                                          handful of
                                                          leaders who
                                                          were elected
                                                          to set the
                                                          compass.</div>
                                                          </span>
                                                          <div>  Yes but
                                                          how do they
                                                          know where to
                                                          go, that's why
                                                          the survey.
                                                          The survey is
                                                          the compass.
                                                          And the
                                                          leaders are
                                                          elected to
                                                          listen to the
                                                          community.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>And About
                                                          committees...</div>
                                                          <div>The only
                                                          existing
                                                          active
                                                          committee
                                                          right now is
                                                          the Project
                                                          Review (which
                                                          I still call
                                                          myself a
                                                          taskforce). I
                                                          haven't seen
                                                          many
                                                          initiatives or
                                                          participation
                                                          from other
                                                          committees. So
                                                          the committee
                                                          concept in
                                                          theory seemed
                                                          like a great
                                                          idea but in
                                                          practice is
                                                          not working
                                                          because in my
                                                          eyes, creating
                                                          a committee is
                                                          creating a
                                                          mini board
                                                          inside OWASP.
                                                          We do not want
                                                          to create
                                                          oligarchies in
                                                          the end.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>  I think
                                                          we should cut
                                                          off that
                                                          committee idea
                                                          and be more
                                                          practical.
                                                          More like this</div>
                                                          <div><br>
                                                          </div>
                                                          <div> 
                                                          Example:</div>
                                                          <div><br>
                                                          </div>
                                                          <div>
                                                          <ul>
                                                          <li>John Lita
                                                          wants to
                                                          create an
                                                          academy portal
                                                          but developing
                                                          it costs money
                                                          and resources
                                                          that
                                                          volunteers
                                                          alone cannot
                                                          easily pull
                                                          off (owaspa
                                                          project was
                                                          the same and
                                                          died, just
                                                          like many
                                                          educational
                                                          initiatives)<br>
                                                          </li>
                                                          <li>John must
                                                          create a
                                                          proposal with
                                                          defined goals
                                                          and how to
                                                          reach them. He
                                                          joins other
                                                          volunteers in
                                                          this effort.
                                                          No need to be
                                                          a committee.<br>
                                                          </li>
                                                          <li> John
                                                          & Claudia
                                                          create a
                                                          survey and
                                                          seek support
                                                          of the
                                                          community<br>
                                                          </li>
                                                          <li>  If the
                                                          idea has major
                                                          feedback and
                                                          volunteers,
                                                          then John has
                                                          the support
                                                          from the staff
                                                          to execute
                                                          including
                                                          looking for
                                                          sponsors using
                                                          crowdsource
                                                          funding
                                                          portals<br>
                                                          </li>
                                                          <li>Staff
                                                          monitors
                                                          development
                                                          and results of
                                                          the actions
                                                          taken<br>
                                                          </li>
                                                          <li>Staff
                                                          reports
                                                          results to the
                                                          community back</li>
                                                          </ul>
                                                          </div>
                                                          <div>This is
                                                          in my eyes how
                                                          I have been
                                                          working in the
                                                          end, because,
                                                          as volunteers,
                                                          available time
                                                          mostly depends
                                                          on one or 2
                                                          passionate
                                                          individuals
                                                          like
                                                          John-Lita,
                                                          which are more
                                                          dedicated and
                                                          the rest
                                                          follows...<br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div>Now if we
                                                          want to change
                                                          things, don't
                                                          tell me to set
                                                          a committee,
                                                          because Josh,
                                                          this has not
                                                          worked so far. </div>
                                                          <div><br>
                                                          </div>
                                                          <div> Allow me
                                                           and let the
                                                          staff know
                                                          that they
                                                          should support
                                                          me and any
                                                          other
                                                          volunteers
                                                          seeking to
                                                          implement
                                                          their ideas
                                                          ;-). </div>
                                                          <div>Let's cut
                                                          the red tape
                                                          with
                                                          committees and
                                                          let people
                                                          know that if
                                                          they want to
                                                          do something,</div>
                                                          <div>
                                                          <ul>
                                                          <li>Contact
                                                          the staff. <br>
                                                          </li>
                                                          <li>Set a
                                                          survey and
                                                          gather support<br>
                                                          </li>
                                                          <li>Need more
                                                          money? Set a
                                                          crowd funding
                                                          project @ <a
                                                          moz-do-not-send="true"
href="https://www.kickstarter.com" target="_blank"><a class="moz-txt-link-freetext" href="https://www.kickstarter.com">https://www.kickstarter.com</a></a>
                                                          under OWASP</li>
                                                          <li>Volunteers
                                                          implement idea
                                                          or project
                                                          with the
                                                          support of
                                                          owasp staff
                                                          and other
                                                          volunteers</li>
                                                          </ul>
                                                          <div>How do we
                                                          get this idea
                                                          to action? </div>
                                                          <div>Shall we
                                                          create a
                                                          survey? </div>
                                                          <div>Do you
                                                          need to
                                                          discuss this
                                                          on a board
                                                          meeting?</div>
                                                          </div>
                                                          <div>How do I
                                                          get empowered
                                                          and let the
                                                          staff know
                                                          that as a
                                                          volunteer I
                                                          have your
                                                          support for
                                                          this? (if I
                                                          do?) </div>
                                                          <div><br>
                                                          </div>
                                                          <div>You
                                                          see...how
                                                          dependent I am
                                                          on the board
                                                          to be able to
                                                          execute?</div>
                                                          <div><br>
                                                          </div>
                                                          <div>Of
                                                          course I can
                                                          always do this
                                                          on my own but
                                                          then I better
                                                          do it without
                                                          OWASP...</div>
                                                          <div><br>
                                                          </div>
                                                          <div>Regards</div>
                                                          <span><font
                                                          color="#888888">
                                                          <div><br>
                                                          </div>
                                                          <div>Johanna</div>
                                                          </font></span></div>
                                                          <div>
                                                          <div>
                                                          <div
                                                          class="gmail_extra"><br>
                                                          <div
                                                          class="gmail_quote">On
                                                          Mon, Aug 17,
                                                          2015 at 10:55
                                                          AM, Josh Sokol
                                                          <span
                                                          dir="ltr"><<a
moz-do-not-send="true" href="mailto:josh.sokol@owasp.org"
                                                          target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:josh.sokol@owasp.org">josh.sokol@owasp.org</a></a>></span>
                                                          wrote:<br>
                                                          <blockquote
                                                          class="gmail_quote"
                                                          style="margin:0
                                                          0 0
                                                          .8ex;border-left:1px
                                                          #ccc
                                                          solid;padding-left:1ex">
                                                          <div dir="ltr">
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>Johanna,<br>
                                                          <br>
                                                          </div>
                                                          Thank you for
                                                          putting your
                                                          thoughts out
                                                          there for
                                                          everyone. 
                                                          Silence is not
                                                          good for
                                                          anyone and
                                                          OWASP will be
                                                          far more
                                                          successful if
                                                          we know what
                                                          our leaders
                                                          are struggling
                                                          with and make
                                                          a conscious
                                                          effort to
                                                          improve it.  I
                                                          think that
                                                          many of your
                                                          points are
                                                          very valid and
                                                          strongly
                                                          support the
                                                          idea of polls
                                                          to gauge
                                                          community
                                                          support for
                                                          actions being
                                                          taken.  I also
                                                          support the
                                                          idea that the
                                                          Board should
                                                          be making as
                                                          few of these
                                                          decisions as
                                                          possible and
                                                          putting the
                                                          power back in
                                                          the hands of
                                                          the community
                                                          with support
                                                          from the
                                                          staff.  The
                                                          Board should
                                                          be the
                                                          "compass"
                                                          making sure
                                                          that we are
                                                          moving in the
                                                          right
                                                          direction with
                                                          the community
                                                          and staff
                                                          being the ones
                                                          actually
                                                          pushing us
                                                          forward. 
                                                          That's not to
                                                          say that
                                                          members of the
                                                          Board won't
                                                          have their own
                                                          projects or
                                                          initiatives,
                                                          but they do so
                                                          as part of the
                                                          community, not
                                                          because of
                                                          their roles on
                                                          the Board. 
                                                          The Committees
                                                          2.0 framework
                                                          was a first
                                                          step in
                                                          driving this
                                                          level of
                                                          empowerment
                                                          back to the
                                                          community
                                                          while
                                                          maintaining
                                                          accountability
                                                          and providing
                                                          appropriately
                                                          scoped
                                                          actions.  My
                                                          impression was
                                                          that the
                                                          Projects
                                                          Committee was
                                                          rolling
                                                          forward quite
                                                          well under
                                                          this guidance,
                                                          but it sounds
                                                          like maybe I
                                                          was wrong. 
                                                          Are there
                                                          specific
                                                          actions that
                                                          you have tried
                                                          to take on the
                                                          committee that
                                                          got blocked by
                                                          the Board or
                                                          hung up in
                                                          "red tape"? 
                                                          Are there
                                                          needs for
                                                          funding that
                                                          haven't been
                                                          met?<br>
                                                          <br>
                                                          </div>
                                                          Regarding the
                                                          project vs
                                                          chapter
                                                          funding
                                                          schemas, I'm
                                                          not sure that
                                                          there is a
                                                          good answer. 
                                                          Projects are
                                                          typically made
                                                          up of a pocket
                                                          of
                                                          individuals. 
                                                          Typically one
                                                          leader with
                                                          sometimes one
                                                          or two others
                                                          assisting. 
                                                          Chapters are
                                                          typically
                                                          anywhere from
                                                          20 people to
                                                          hundreds.  We
                                                          provide
                                                          members with
                                                          the ability to
                                                          allocate their
                                                          funds to
                                                          either, but
                                                          most associate
                                                          themselves
                                                          with a chapter
                                                          rather than a
                                                          project
                                                          because that's
                                                          where they
                                                          participate. 
                                                          We also have
                                                          chapters
                                                          putting on
                                                          conferences
                                                          with the goal
                                                          of raising
                                                          funds.  I
                                                          don't think
                                                          there is
                                                          anything
                                                          preventing a
                                                          project from
                                                          doing the
                                                          same, but I
                                                          haven't seen
                                                          it done at
                                                          this point. 
                                                          Those are the
                                                          two main ways
                                                          that I see
                                                          chapters
                                                          raising
                                                          money.  Yes,
                                                          there is
                                                          certainly a
                                                          difference in
                                                          schemas and
                                                          projects will
                                                          have a more
                                                          difficult
                                                          time, but
                                                          that's also
                                                          why OWASP has
                                                          a project
                                                          funding
                                                          bucket.  Money
                                                          from these
                                                          local events
                                                          as well as
                                                          funds raised
                                                          by our AppSec
                                                          conferences
                                                          gets budgeted
                                                          specifically
                                                          for this
                                                          purpose.  To
                                                          my knowledge,
                                                          no reasonable
                                                          request for
                                                          funds by
                                                          projects has
                                                          been denied. 
                                                          Just because
                                                          there isn't
                                                          money sitting
                                                          "ring fenced"
                                                          in an account
                                                          for the
                                                          projects,
                                                          doesn't mean
                                                          that there
                                                          isn't money
                                                          that can be
                                                          spent.  It
                                                          just means
                                                          that it needs
                                                          to be
                                                          requested from
                                                          the pool. 
                                                          Yes, it's a
                                                          different
                                                          model of
                                                          funding, but
                                                          the end result
                                                          is the same. 
                                                          There are
                                                          funds
                                                          available at
                                                          OWASP for
                                                          everyone who
                                                          needs them.<br>
                                                          <br>
                                                          </div>
                                                          There are
                                                          obviously many
                                                          things that
                                                          need to be
                                                          improved at
                                                          OWASP and,
                                                          unfortunately,
                                                          the Board has
                                                          been tied up
                                                          in rules,
                                                          events,
                                                          bylaws, etc
                                                          for a while
                                                          now.  It's
                                                          definitely not
                                                          the "fun" part
                                                          of the job and
                                                          it is very
                                                          time
                                                          consuming. 
                                                          That said, I
                                                          would argue
                                                          that these are
                                                          the things
                                                          that need to
                                                          be changed in
                                                          order for
                                                          everyone else
                                                          (staff,
                                                          community,
                                                          etc) to be
                                                          able to be
                                                          better
                                                          served.  We've
                                                          made several
                                                          changes to the
                                                          Bylaws and are
                                                          working on
                                                          more.  We've
                                                          hired an
                                                          Executive
                                                          Director
                                                          (Paul), an
                                                          Event Manager
                                                          (Laura), a
                                                          Community
                                                          Manager
                                                          (Noreen), and
                                                          a Project
                                                          Coordinator
                                                          (Claudia) just
                                                          in the almost
                                                          two years that
                                                          I've been on
                                                          the Board. 
                                                          The needle on
                                                          the compass is
                                                          set and, while
                                                          it takes some
                                                          time to right
                                                          the ship, we
                                                          are getting
                                                          there by
                                                          giving our
                                                          community the
                                                          support it
                                                          requires to be
                                                          successful. 
                                                          So, here's my
                                                          general
                                                          thought:<br>
                                                          <br>
                                                          </div>
                                                          1) If it's
                                                          within the
                                                          scope of a
                                                          defined
                                                          Committee,
                                                          JUST DO IT!<br>
                                                          <br>
                                                          </div>
                                                          2) If there's
                                                          no Committee
                                                          defined for
                                                          it, CREATE
                                                          ONE, then JUST
                                                          DO IT!<br>
                                                          <br>
                                                          </div>
                                                          3) If a
                                                          Committee
                                                          doesn't make
                                                          sense, ASK THE
                                                          STAFF FOR IT!<br>
                                                          <br>
                                                          </div>
                                                          4) If asking
                                                          the staff
                                                          isn't working
                                                          or we need to
                                                          change a
                                                          policy to make
                                                          it happen, LET
                                                          THE BOARD
                                                          KNOW!<br>
                                                          <br>
                                                          </div>
                                                          The Board
                                                          should be the
                                                          last resort,
                                                          in my opinion,
                                                          not the
                                                          first.  We
                                                          should be the
                                                          enabler, not
                                                          the
                                                          bottleneck.  I
                                                          think that our
                                                          leaders make
                                                          too many
                                                          assumptions
                                                          (probably
                                                          based on past
                                                          Board actions)
                                                          about what
                                                          needs to go to
                                                          the Board and
                                                          we need to get
                                                          away from
                                                          that. 
                                                          Remember that
                                                          the Board is
                                                          just a handful
                                                          of leaders who
                                                          were elected
                                                          to set the
                                                          compass.  We
                                                          have a finite
                                                          number of
                                                          things that we
                                                          can handle and
                                                          our Board
                                                          meetings are
                                                          typically
                                                          overflowing
                                                          with topics. 
                                                          So, if
                                                          something is
                                                          bothering you,
                                                          I would
                                                          encourage you
                                                          to change it. 
                                                          That's why,
                                                          with the David
                                                          Rook
                                                          situation, I
                                                          encouraged
                                                          creation of a
                                                          new Committee
                                                          to determine a
                                                          reasonable
                                                          solution.  If
                                                          it requires a
                                                          policy change
                                                          by the Board,
                                                          then we can
                                                          vote on that,
                                                          but asking the
                                                          Board to take
                                                          action just
                                                          perpetuates
                                                          the oligarchy
                                                          that you
                                                          mention in
                                                          your e-mail. 
                                                          Instead of
                                                          pushing these
                                                          issues up to
                                                          the Board for
                                                          action, let's
                                                          have the
                                                          community
                                                          DECIDE what
                                                          they want and
                                                          have the Board
                                                          change the
                                                          compass needle
                                                          via bylaws,
                                                          policies, and
                                                          staff
                                                          discussions,
                                                          accordingly. 
                                                          At least,
                                                          that's my
                                                          vision for
                                                          OWASP.  Is
                                                          that something
                                                          that you can
                                                          get on board
                                                          with?<span><font
color="#888888"><br>
                                                          <br>
                                                          </font></span></div>
                                                          <span><font
                                                          color="#888888">~josh<br>
                                                          </font></span></div>
                                                          <div
                                                          class="gmail_extra"><br>
                                                          <div
                                                          class="gmail_quote">
                                                          <div>
                                                          <div>On Mon,
                                                          Aug 17, 2015
                                                          at 8:11 AM,
                                                          johanna curiel
                                                          curiel <span
                                                          dir="ltr">&lt;<a
moz-do-not-send="true" href="mailto:johanna.curiel@owasp.org"
                                                          target="_blank">johanna.curiel@owasp.org</a>&gt;</span>
                                                          wrote:<br>
                                                          </div>
                                                          </div>
                                                          <blockquote
                                                          class="gmail_quote"
                                                          style="margin:0
                                                          0 0
                                                          .8ex;border-left:1px
                                                          #ccc
                                                          solid;padding-left:1ex">
                                                          <div>
                                                          <div>
                                                          <div dir="ltr">Members
                                                          of the board,
                                                          <div><br>
                                                          </div>
                                                          <div>With the
                                                          recent issue
                                                          regarding
                                                          David Rook,
                                                          and my latest
                                                          experience
                                                          with red-tape,
                                                          I'm proposing
                                                          the following.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>My goal
                                                          is to call
                                                          your attention
                                                          to these
                                                          issues which I
                                                          have been
                                                          observing for
                                                          a years and
                                                          not as a
                                                          critique to
                                                          your work, but
                                                          I think if you
                                                          do not pay
                                                          attention to
                                                          these issues
                                                          and DO
                                                          something
                                                          about them,
                                                          OWASP will
                                                          loose valuable
                                                          community
                                                          participation.</div>
                                                          <div>
                                                          <ul>
                                                          <li>When an
                                                          initiative is
                                                          proposed or
                                                          launched by a
                                                          member of the
                                                          board, this
                                                          should be
                                                          followed up by
                                                          a survey where
                                                          the community
                                                          can
                                                          vote. Whether it is
                                                          a rule or
                                                          money, these
                                                          decisions
                                                          should be
                                                          taken based on
                                                          collected data
                                                          and proper
                                                          substantiation
                                                          to avoid
                                                          oligarchy.</li>
                                                          <li>When an
                                                          initiative is
                                                          launched by a
                                                          member of the
                                                          community,
                                                          especially
                                                          when this
                                                          initiative
                                                          costs more than
                                                          10k, it should
                                                          be
                                                          substantiated
                                                          with data how
                                                          this
                                                          initiative
                                                          will benefit
                                                          the community.
                                                          It should also be
                                                          followed by a
                                                          survey.</li>
                                                          <li>Staff
                                                          should help
                                                          create the
                                                          survey and
                                                          analyse the
                                                          votes.</li>
                                                          <li><b>In
                                                          other words:
                                                          do more surveys
                                                          to find out
                                                          what the
                                                          community
                                                          needs and
                                                          wants.</b></li>
                                                          </ul>
                                                          <div>My
                                                          observations
                                                          and where I
                                                          think you need
                                                          to give more
                                                          attention:</div>
                                                          <div><br>
                                                          </div>
                                                          <div>
                                                          <ul>
                                                          <li>Board/Executive
                                                          director
                                                          should work
                                                          closer with
                                                          the staff for
                                                          guidance and
                                                          empowering
                                                          their role. I
                                                          have the
                                                          feeling that
                                                          the staff is
                                                          paralysed
                                                          waiting for
                                                          instructions
                                                          or following
                                                          strict rules.
                                                          The staff
                                                          should be
                                                          motivated to
                                                          take
                                                          initiative and
                                                          implement
                                                          projects on
                                                          their own that
                                                          can help the
                                                          community.
                                                          They should
                                                          not be too
                                                          dependent on
                                                          an Executive
                                                          director or
                                                          member of the
                                                          board for this
                                                          part</li>
                                                          </ul>
                                                          </div>
                                                          </div>
                                                          <div>As I see
                                                          it, OWASP is
                                                          known for its
                                                          Projects &amp;
                                                          Chapter
                                                          leaders, who
                                                          as volunteers
                                                          have
                                                          contributed
                                                          the most to
                                                          set OWASP in
                                                          the spotlight.
                                                          Therefore:</div>
                                                          <div><br>
                                                          </div>
                                                          <div>
                                                          <ul>
                                                          <li>You should
                                                          determine and
                                                          implement
                                                          better ways
                                                          to provide
                                                          better funding
                                                          schemas for
                                                          projects.
                                                          This is
                                                          something a
                                                          volunteer
                                                          cannot do. And
                                                          <i>nothing</i>
                                                          has been done
                                                          to help solve
                                                          this issue.</li>
                                                          <li>There is
                                                          an unfair
                                                          inequality in
                                                          the way
                                                          chapters can
                                                          generate funds
                                                          vs Projects.</li>
                                                          <li>Money is
                                                          locked down in
                                                          the chapters
                                                          budget</li>
                                                          <li>Chapters
                                                          outside US
                                                          &amp; EU have
                                                          more struggles
                                                          to find
                                                          support. You
                                                          should
                                                          consider a way
                                                          to better
                                                          support these
                                                          ones since
                                                          their
                                                          countries are
                                                          not developed
                                                          in the area of
                                                          security as
                                                          countries in
                                                          EU and US.<br>
                                                          </li>
                                                          <li>Follow up:
                                                          when issues
                                                          like David
                                                          Rook or a
                                                          volunteer
                                                          rants (like me
                                                          or others)
                                                          out of
                                                          frustration,
                                                          take action.
                                                          Put it in the
                                                          agenda and try
                                                          to solve and
                                                          discuss the
                                                          issues to
                                                          improve the
                                                          actual
                                                          problems. So
                                                          far I have
                                                          seen very
                                                          little follow
                                                          up on major
                                                          issues and
                                                          discussions
                                                          raised in the
                                                          mailing lists.</li>
                                                          <li>Way too
                                                          much attention
                                                          to rules, <i>events</i>
                                                          and bylaws
                                                          etc. Time to
                                                          take action
                                                          and take
                                                          decisions and
                                                          propose plans
                                                          for
                                                          improvements
                                                          of the actual
                                                          situation
                                                          mentioned
                                                          above.</li>
                                                          </ul>
                                                          <div>That
                                                          being said, and
                                                          with all due
                                                          respect to
                                                          you, I hope
                                                          that you can
                                                          take actions
                                                          and <i>execute</i>
                                                          improvements
                                                          that have been
                                                          an issue since
                                                          I joined OWASP
                                                          3 years ago.</div>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div>Regards</div>
                                                          <span><font
                                                          color="#888888">
                                                          <div><br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div>Johanna</div>
                                                          <div><br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          </font></span></div>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          <span>_______________________________________________<br>
                                                          Governance
                                                          mailing list<br>
                                                          <a moz-do-not-send="true" href="mailto:Governance@lists.owasp.org" target="_blank">Governance@lists.owasp.org</a><br>
                                                          <a moz-do-not-send="true" href="https://lists.owasp.org/mailman/listinfo/governance" rel="noreferrer" target="_blank">https://lists.owasp.org/mailman/listinfo/governance</a><br>
                                                          <br>
                                                          </span></blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          <br>
                                                          <fieldset></fieldset>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          <pre>_______________________________________________
OWASP-Leaders mailing list
<a moz-do-not-send="true" href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank">OWASP-Leaders@lists.owasp.org</a>
<a moz-do-not-send="true" href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a>
</pre>
                                                        </blockquote>
                                                        <br>
                                                      </div>
                                                    </blockquote>
                                                  </div>
                                                  <br>
                                                </div>
                                              </div>
                                            </div>
                                          </blockquote>
                                        </div>
                                        <br>
                                      </div>
                                    </div>
                                  </blockquote>
                                </div>
                              </div>
                            </div>
                          </blockquote>
                        </div>
                        <br>
                      </div>
                    </div>
                  </blockquote>
                </div>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Jim Manico
Global Board Member
OWASP Foundation
<a class="moz-txt-link-freetext" href="https://www.owasp.org">https://www.owasp.org</a>
Join me at AppSecUSA 2015!</pre>
  </body>
</html>