<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Josh, <br>
      <br>
      Let's fix the problem instead of creating a new list, just because
      the old one was not totally up to date. Especially as we have not
      even really tried hard to update the existing list and keep it
      maintained. So I would rather fix the problem you mention, aka
      "update the list", than to make a more complicated construct with
      letting people parse and search through a long unstructured list.
      <br>
      <br>
      This will equally achieve the same objective, which I agree is
      important. Just with clearer structure and less searching and
      confusion. <br>
      <br>
      Best regards, Tobias<br>
      <br>
      <br>
      On 13/10/15 21:10, Josh Sokol wrote:<br>
    </div>
    <blockquote
cite="mid:CAFwvDexHG0tA7Dfhv=ZKOEcunB3DpJFQ-G1i8t6SQdSO=w+DyQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>All,<br>
            <br>
          </div>
          Take a look at the list of what is allowed in the project or
          chapter handbook.  Then consider all of the things that
          chapters and projects spend their money on today.  These lists
          are not kept up-to-date with what is appropriate.  It's not a
          problem in-and-of-itself as Paul et al are usually pretty
          quick to approve, but we have heard from a number of members
          of our community that it is NOT CLEAR WHAT they can spend
          their money on.  Think of the current approach as an Access
          Control List where we have a default deny and a very short
          list of what is allowed through.  It's secure, but the
          usability is challenging.  This proposal allows us to
          dynamically expand that ACL based on what others in the
          organization are doing.  Stuff not in the list requires
          approval from Ops, just as it does today, but with the
          knowledge that approval is an explicit approval for anyone to
          do it.  We should have no situation at OWASP where something
          is OK for one chapter or project and not OK for another.  If
          you can think of one, please let me know and prove me wrong. 
          Liability is limited to 1) The amount in a chapter or project
          account (ie. they are spending "their" money) and 2) What has
          already been approved for someone else.  This is VERY LOW RISK
          and VERY HIGH REWARD because it gets money moving.  If you
          want to propose revised language to fine-tune it, please do
          so, but this is very much necessary to get people spending.<br>
          <br>
        </div>
        ~josh<br>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Tue, Oct 13, 2015 at 11:45 AM, Paul
          Ritchie <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:paul.ritchie@owasp.org" target="_blank">paul.ritchie@owasp.org</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">To Foundation Board list.
              <div><br>
              </div>
              <div><u>On this proposal #6, and the red-tape issue, or
                  excessive effort for Operations:</u></div>
              <div><br>
              </div>
              <div>On approving and paying reimbursements, we really
                don't have much red-tape....when the expense is fully
                covered within the Chapter or Project budget.</div>
              <div>We Ask:  Does the Project/Chapt have the budget?  
                 Does the expense fit the guidelines in the Handbook?  
                IF yes, the reimbursement is paid, no problem.</div>
              <div><br>
              </div>
              <div><u>On Maintaining a list</u></div>
              <div>From an operations point, I'd like to keep the
                Project &amp; Chapter Handbooks updated as the source of
                the spending guidelines &amp; policy statements. Those
                are our "manuals" and I'd like to reinforce all
                community members to look there first.  The current
                lists could be updated by Noreen &amp; Claudia.</div>
              <div><br>
              </div>
              <div>For new listing, it is probably smart to add a list
                or table of 'approved &amp; supported' expenses to the
                wiki pages for Funding, Projects &amp; Chapters.   My
                belief here is that it is the 'same info' as found in
                the Handbook, it's just immediately visible on the main
                page of the Project or Chapter wiki pages.</div>
              <div>Yes, some medium amount of work to create &amp;
                update this list, but it's mostly a one-time effort.</div>
              <div><br>
              </div>
              <div><u>The only Caution:</u></div>
              <div><br>
              </div>
              <div>We have seen a couple projects or chapters ask for
                hardware, or cloud-based software services.  My Caution
                is that before we just auto-approve an expense for this
                category of 'stuff' we ask if the Chapter or Project
                need can be solved with existing Foundation
                Infrastructure.......or the infrastructure already owned
                or rented by other Chapters.</div>
              <div><br>
              </div>
              <div>Just trying to minimize redundancy on this topic.  
                Plus, ownership is a red-tape issue here as the
                Foundation is the only one who has been signing
                contracts and agreements for hardware &amp; software.</div>
              <div><br>
              </div>
              <div>Paul</div>
              <div><br>
              </div>
              <div><br>
              </div>
              <div><br>
              </div>
              <div class="gmail_extra"><br clear="all">
                <div>
                  <div>
                    <div dir="ltr">
                      <div>
                        <div dir="ltr">
                          <div>Best Regards, Paul Ritchie</div>
                          <div>OWASP Executive Director</div>
                          <div><a moz-do-not-send="true"
                              href="mailto:paul.ritchie@owasp.org"
                              target="_blank">paul.ritchie@owasp.org</a></div>
                          <div><br>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </div>
                <div>
                  <div class="h5"> <br>
                    <div class="gmail_quote">On Tue, Oct 13, 2015 at
                      2:43 AM, Jim Manico <span dir="ltr">&lt;<a
                          moz-do-not-send="true"
                          href="mailto:jim.manico@owasp.org"
                          target="_blank">jim.manico@owasp.org</a>&gt;</span>
                      wrote:<br>
                      <blockquote class="gmail_quote" style="margin:0 0
                        0 .8ex;border-left:1px #ccc
                        solid;padding-left:1ex">
                        <div dir="auto">
                          <div>Been thinking about this, I think you're
                            right Fabio and Tobias. Perhaps make this
                            bill more general and let operations figure
                            out the "how"?</div>
                          <div><br>
                          </div>
                          <div>It doesn't look like this will pass as
                            is.<span><br>
                              <br>
                              <div>--</div>
                              <div>Jim Manico</div>
                              <div>
                                <div>
                                  <div style="word-wrap:break-word">
                                    <div><span
                                        style="background-color:rgba(255,255,255,0)">Global


                                        Board Member</span></div>
                                    <span
                                      style="background-color:rgba(255,255,255,0)">OWASP


                                      Foundation</span>
                                    <div><a moz-do-not-send="true"
                                        href="https://www.owasp.org/"
                                        style="background-color:rgba(255,255,255,0)"
                                        target="_blank"><font
                                          color="#000000">https://www.owasp.org</font></a></div>
                                  </div>
                                </div>
                                <div><span
                                    style="background-color:rgba(255,255,255,0)">Join


                                    me in Rome for AppSecEU 2016!</span></div>
                              </div>
                            </span></div>
                          <div>
                            <div>
                              <div><br>
                                On Oct 13, 2015, at 11:35 AM, Fabio
                                Cerullo &lt;<a moz-do-not-send="true"
                                  href="mailto:fcerullo@owasp.org"
                                  target="_blank">fcerullo@owasp.org</a>&gt;


                                wrote:<br>
                                <br>
                              </div>
                              <blockquote type="cite">
                                <div>I share Tobias's concerns on this
                                  one. A populated list maintained by
                                  the Foundation might be a better
                                  approach IMHO.<br>
                                  <div><br>
                                    <div>
                                      <div
style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">
                                        <div
style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">
                                          <div
style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word">
                                            <div>Fabio Cerullo</div>
                                            <div>Global Board Member</div>
                                            OWASP Foundation
                                            <div><a
                                                moz-do-not-send="true"
                                                href="https://www.owasp.org"
                                                target="_blank">https://www.owasp.org</a></div>
                                          </div>
                                        </div>
                                      </div>
                                    </div>
                                    <br>
                                    <div>
                                      <blockquote type="cite">
                                        <div>On 13 Oct 2015, at 6:27
                                          a.m., Jim Manico &lt;<a
                                            moz-do-not-send="true"
                                            href="mailto:jim.manico@owasp.org"
                                            target="_blank">jim.manico@owasp.org</a>&gt;


                                          wrote:</div>
                                        <br>
                                        <div>
                                          <blockquote type="cite"
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)">
                                            <div><br>
                                              1. Sorry for re-iterating
                                              my point from before, but
                                              I do think this will
                                              create more effort,
                                              compared to a list of
                                              pre-approved items. I
                                              think a list of
                                              pre-approved items will be
                                              less "red-tape" than to
                                              make everyone go through
                                              the list of published
                                              precedents and then let us
                                              find out whether they are
                                              the "same".<span> </span><br>
                                            </div>
                                          </blockquote>
                                          <span
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);float:none;display:inline!important">All


                                            that this "bill" is saying
                                            is : Keep a list of
                                            pre-approved items and add
                                            to it over time as new items
                                            get approved. I do not see
                                            this as adding more work
                                            over time and the effort
                                            should lessen as less new
                                            item categories get approved
                                            over time.</span><br
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)">
                                          <blockquote type="cite"
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)">
                                            <div><br>
                                              2. I'd also like to point
                                              out that the current
                                              proposal text does not
                                              speak of the "exact same
                                              thing in the past" as Josh
                                              used in his explanation.
                                              The current proposal text
                                              is more broad and may
                                              result in us discussing
                                              what is the "same" from
                                              the precedents.<span> </span><br>
                                              <br>
                                              Let me be clear, I am not
                                              against the spirit of the
                                              approach, only I have
                                              doubts about this specific
                                              implementation route.
                                              Overall, I really think
                                              the consolidated (updated)
                                              list of acceptable
                                              expenses is the best
                                              approach. As I mentioned,
                                              it is a good idea to
                                              populate and update this
                                              list based on previous
                                              published expenses, but I
                                              really prefer the
                                              consolidated list to be
                                              the reference point, not
                                              an unsorted list of all
                                              expenses from the past
                                              (that potentially lacks
                                              context information and
                                              what not).<span> </span><br>
                                            </div>
                                          </blockquote>
                                          <span
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);float:none;display:inline!important">Fair


                                            concerns, this is the right
                                            time to be discussing...</span><br
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)">
                                          <blockquote type="cite"
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)">
                                            <div><br>
                                              Best regards, Tobias<br>
                                              <br>
                                              <br>
                                              <br>
                                              <br>
                                              On 13/10/15 06:33, Jim
                                              Manico wrote:<br>
                                            </div>
                                            <blockquote type="cite">
                                              <div>Do you see this
                                                "bill" causing harm to
                                                the foundation in some
                                                way? I do not. I see
                                                this as facilitating
                                                efficiency, primarily,
                                                which is a good thing.<br>
                                                <br>
                                                <div>--</div>
                                                <div>Jim Manico</div>
                                                <div>
                                                  <div>
                                                    <div
                                                      style="word-wrap:break-word">
                                                      <div><span
                                                          style="background-color:rgba(255,255,255,0)">Global


                                                          Board Member</span></div>
                                                      <span
                                                        style="background-color:rgba(255,255,255,0)">OWASP


                                                        Foundation</span>
                                                      <div><a
                                                          moz-do-not-send="true"
href="https://www.owasp.org/"
                                                          style="background-color:rgba(255,255,255,0)"
target="_blank"><font>https://www.owasp.org</font></a></div>
                                                    </div>
                                                  </div>
                                                  <div><span
                                                      style="background-color:rgba(255,255,255,0)">Join


                                                      me in Rome for
                                                      AppSecEU 2016!</span></div>
                                                </div>
                                              </div>
                                              <div><br>
                                                On Oct 13, 2015, at 6:22
                                                AM, Matt Konda &lt;<a
                                                  moz-do-not-send="true"
href="mailto:matt.konda@owasp.org" target="_blank">matt.konda@owasp.org</a>&gt;


                                                wrote:<br>
                                                <br>
                                              </div>
                                              <blockquote type="cite">
                                                <div>
                                                  <div dir="ltr">Right.
                                                    <div><br>
                                                    </div>
                                                    <div>Do we spend a
                                                      lot of time with
                                                      red tape
                                                      currently?</div>
                                                    <div><br>
                                                    </div>
                                                    <div>Matt</div>
                                                    <div><br>
                                                    </div>
                                                  </div>
                                                  <div
                                                    class="gmail_extra"><br>
                                                    <div
                                                      class="gmail_quote">On


                                                      Mon, Oct 12, 2015
                                                      at 10:59 PM, Jim
                                                      Manico<span> </span><span
                                                        dir="ltr">&lt;<a
moz-do-not-send="true" href="mailto:jim.manico@owasp.org"
                                                          target="_blank">jim.manico@owasp.org</a>&gt;</span><span> </span>wrote:<br>
                                                      <blockquote
                                                        class="gmail_quote"
                                                        style="margin:0px


                                                        0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                                                        <div dir="auto">
                                                          <div>The
                                                          motivation
                                                          here is
                                                          efficiency,
                                                          removal of red
                                                          tape and
                                                          encouragement
                                                          to spend for
                                                          the mission.
                                                          Once an
                                                          expense type
                                                          is approved
                                                          the goal of
                                                          this "bill" is
                                                          to have that
                                                          expense type
                                                          auto-approved.</div>
                                                          <div><br>
                                                          <div>--</div>
                                                          <div>Jim
                                                          Manico</div>
                                                          <div>
                                                          <div>
                                                          <div
                                                          style="word-wrap:break-word">
                                                          <div><span
                                                          style="background-color:rgba(255,255,255,0)">Global


                                                          Board Member</span></div>
                                                          <span
                                                          style="background-color:rgba(255,255,255,0)">OWASP


                                                          Foundation</span>
                                                          <div><a
                                                          moz-do-not-send="true"
href="https://www.owasp.org/"
                                                          style="background-color:rgba(255,255,255,0)"
target="_blank"><font>https://www.owasp.org</font></a></div>
                                                          </div>
                                                          </div>
                                                          <div><span
                                                          style="background-color:rgba(255,255,255,0)">Join


                                                          me in Rome for
                                                          AppSecEU 2016!</span></div>
                                                          </div>
                                                          </div>
                                                          <div>
                                                          <div>
                                                          <div><br>
                                                          On Oct 13,
                                                          2015, at 4:26
                                                          AM, Matt Konda
                                                          &lt;<a
                                                          moz-do-not-send="true"
href="mailto:matt.konda@owasp.org" target="_blank">matt.konda@owasp.org</a>&gt;


                                                          wrote:<br>
                                                          <br>
                                                          </div>
                                                          <blockquote
                                                          type="cite">
                                                          <div>
                                                          <div dir="ltr">I'm


                                                          still
                                                          considering #6
                                                          as are all but
                                                          Josh and Jim
                                                          based on this
                                                          discussion
                                                          thread.
                                                          <div><br>
                                                          </div>
                                                          <div>I am
                                                          supportive of
                                                          the idea
                                                          behind it and
                                                          would vote yes
                                                          if it came to
                                                          a head.  </div>
                                                          <div><br>
                                                          </div>
                                                          <div>Honestly,
                                                          I don't think
                                                          it is risky
                                                          but I don't
                                                          think I grasp
                                                          the motivation
                                                          - perhaps Josh
                                                          and/or Paul
                                                          could
                                                          elaborate on
                                                          how this might
                                                          help the
                                                          Foundation.</div>
                                                          <div><br>
                                                          </div>
                                                          <div>Matt</div>
                                                          <div><br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          </div>
                                                          <div
                                                          class="gmail_extra"><br>
                                                          <div
                                                          class="gmail_quote">On


                                                          Fri, Oct 9,
                                                          2015 at 4:18
                                                          PM, Josh Sokol<span> </span><span
                                                          dir="ltr">&lt;<a
moz-do-not-send="true" href="mailto:josh.sokol@owasp.org"
                                                          target="_blank">josh.sokol@owasp.org</a>&gt;</span><span> </span>wrote:<br>
                                                          <blockquote
                                                          class="gmail_quote"
                                                          style="margin:0px


                                                          0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                                                          <div dir="ltr">
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>Andrew,<br>
                                                          <br>
                                                          </div>
                                                          I definitely
                                                          hear you, but
                                                          we have rules
                                                          in place to
                                                          even prevent
                                                          that.  For
                                                          example<span> </span><a
moz-do-not-send="true"
href="https://www.owasp.org/index.php/Chapter_Handbook/Chapter_4:_Chapter_Administration#.28Signing.29_Contracts"
target="_blank">Section 4.10 of the Chapter Leader Handbook</a><span> </span>says


                                                          that "Chapter
                                                          leaders are
                                                          not authorized
                                                          to sign
                                                          contracts or
                                                          enter into any
                                                          legal
                                                          agreements on
                                                          behalf of the
                                                          OWASP
                                                          Foundation". 
                                                          You will not
                                                          have any sort
                                                          of a $50k
                                                          venue
                                                          guarantee for
                                                          services
                                                          without a
                                                          signed
                                                          contract. 
                                                          This is the
                                                          control that
                                                          prevents abuse
                                                          in that
                                                          specific
                                                          situation. 
                                                          There are many
                                                          others.<br>
                                                          <br>
                                                          </div>
                                                          Also, keep in
                                                          mind that they
                                                          are authorized
                                                          only so long
                                                          as "<b>they
                                                          have an
                                                          account
                                                          balance which
                                                          covers that
                                                          expense in
                                                          full</b>". 
                                                          So, if a
                                                          Chapter or
                                                          Project has
                                                          $50k in their
                                                          account, and
                                                          wants to spend
                                                          it on a venue
                                                          for a
                                                          conference,
                                                          why should we
                                                          stand in their
                                                          way or require
                                                          additional
                                                          approvals if
                                                          others have
                                                          done the exact
                                                          same thing in
                                                          the past?  The
                                                          limiting
                                                          factor here is
                                                          their account
                                                          balance and we
                                                          need to
                                                          empower them
                                                          to spend it
                                                          how they
                                                          desire as long
                                                          as it is in
                                                          adherence with
                                                          the OWASP
                                                          mission.<br>
                                                          <br>
                                                          </div>
                                                          Tobias: This
                                                          has not been
                                                          motioned or
                                                          seconded yet. 
                                                          I put it out
                                                          there for
                                                          discussion
                                                          first, since
                                                          there was not
                                                          a general
                                                          consensus on
                                                          it.<span><font
color="#888888"><br>
                                                          <br>
                                                          </font></span></div>
                                                          <span><font
                                                          color="#888888">~josh<br>
                                                          </font></span></div>
                                                          <div>
                                                          <div>
                                                          <div
                                                          class="gmail_extra"><br>
                                                          <div
                                                          class="gmail_quote">On


                                                          Fri, Oct 9,
                                                          2015 at 3:49
                                                          PM, Tobias<span> </span><span
                                                          dir="ltr">&lt;<a
moz-do-not-send="true" href="mailto:tobias.gondrom@owasp.org"
                                                          target="_blank">tobias.gondrom@owasp.org</a>&gt;</span><span> </span>wrote:<br>
                                                          <blockquote
                                                          class="gmail_quote"
                                                          style="margin:0px


                                                          0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                                                          <div
                                                          bgcolor="#FFFFFF"
                                                          text="#000000">
                                                          <div>As our
                                                          mailing-list
                                                          got a bit
                                                          swamped, this
                                                          might have got
                                                          lost in the
                                                          hundred voting
                                                          emails, do we
                                                          have any
                                                          further
                                                          discussion
                                                          elements on
                                                          this one?<span> </span><br>
                                                          And if people
                                                          like to vote on
                                                          this, can they
                                                          please confirm
                                                          that they have
                                                          at least
                                                          acknowledged
                                                          this
                                                          discussion
                                                          when casting
                                                          their vote?<span> </span><br>
                                                          Thanks, Tobias
                                                          <div>
                                                          <div><br>
                                                          <br>
                                                          <br>
                                                          On 09/10/15
                                                          14:17, Andrew
                                                          van der Stock
                                                          wrote:<br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <div>
                                                          <div>
                                                          <blockquote
                                                          type="cite">
                                                          <div dir="ltr">
                                                          <div>I am
                                                          really keen to
                                                          reduce the
                                                          amount of
                                                          bureaucracy
                                                          involved in
                                                          expense
                                                          management,
                                                          but this is a
                                                          really well
                                                          trodden path
                                                          in every
                                                          single SME to
                                                          major
                                                          enterprise. </div>
                                                          <div><br>
                                                          </div>
                                                          <div>My main
                                                          concern is no
                                                          upper bounds
                                                          on
                                                          pre-approved
                                                          expenses. This
                                                          means that a
                                                          local chapter
                                                          that managed
                                                          to get an
                                                          approval for a
                                                          $50k
                                                          conference
                                                          centre fee,
                                                          say AppSec AU
                                                          in 2011, would
                                                          mean that all
                                                          chapters would
                                                          be
                                                          automatically
                                                          allowed to
                                                          claim that
                                                          expense too. I
                                                          want to enable
                                                          that, whilst
                                                          not allowing
                                                          us to be hit
                                                          with hundreds
                                                          of large
                                                          conferences
                                                          being
                                                          organised
                                                          throughout the
                                                          year. We
                                                          simply don't
                                                          have the staff
                                                          bandwidth nor
                                                          the funds to
                                                          do that
                                                          today. </div>
                                                          <div><br>
                                                          </div>
                                                          Typical
                                                          financial
                                                          governance is
                                                          pre-approval
                                                          for expenses
                                                          under a
                                                          certain dollar
                                                          value, and a
                                                          single sign
                                                          off within the
                                                          Foundation
                                                          approval for
                                                          expenses
                                                          between say
                                                          the cut off
                                                          and say a $10k
                                                          limit, and
                                                          senior
                                                          management
                                                          approval above
                                                          $10k. In my
                                                          view, we can
                                                          hit the home
                                                          run we all are
                                                          looking for,
                                                          whilst still
                                                          maintaining
                                                          good financial
                                                          governance
                                                          over major
                                                          expenses
                                                          whilst not
                                                          ruling out ANY
                                                          type of
                                                          expense that a
                                                          chapter might
                                                          be able to
                                                          come up with.
                                                          <div>
                                                          <div><br>
                                                          </div>
                                                          <div>My view
                                                          is that we go
                                                          through all
                                                          the paid out
                                                          expenses over
                                                          the last two
                                                          years, and
                                                          work out some
                                                          limits. We can
                                                          tummy tussle
                                                          over the exact
                                                          limits, but I
                                                          feel the
                                                          following
                                                          would be a
                                                          good start:</div>
                                                          <div><br>
                                                          </div>
                                                          <div>$0 -
                                                          $1500 should
                                                          cover nearly
                                                          all expenses
                                                          paid to date
                                                          along with the
                                                          above
                                                          proposal's
                                                          list of
                                                          pre-approved
                                                          expenses</div>
                                                          <div>$1500 to
                                                          $10k should be
                                                          an approval
                                                          level granted
                                                          to a project
                                                          coordinator or
                                                          chapters
                                                          coordinator.
                                                          All expenses
                                                          are subject to
                                                          sign off prior
                                                          to incurring
                                                          the expense</div>
                                                          <div>$10k ...
                                                          $100k is
                                                          within the
                                                          signing range
                                                          of the
                                                          Executive
                                                          Director, and
                                                          would require
                                                          pre-approval
                                                          before
                                                          incurring the
                                                          expense</div>
                                                          <div>Above
                                                          $100k would
                                                          require Exec
                                                          Dir + Board
                                                          approval. </div>
                                                          <div><br>
                                                          </div>
                                                          <div>That way,
                                                          local area
                                                          conference
                                                          bills of $50k
                                                          don't hit us
                                                          without
                                                          forewarning,
                                                          and yet we
                                                          have the
                                                          flexibility of
                                                          allowing
                                                          LAScon and
                                                          AppSec Cali to
                                                          work without a
                                                          special rule
                                                          or budgetary
                                                          process. The
                                                          majority of
                                                          projectors,
                                                          catering, room
                                                          fees, and so
                                                          on would never
                                                          be huge
                                                          amounts of
                                                          work for
                                                          Foundation
                                                          staff.<br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          <div>I think
                                                          it hits what
                                                          you're trying
                                                          to achieve
                                                          without
                                                          opening us up
                                                          to some
                                                          serious
                                                          financial
                                                          problems down
                                                          the track. </div>
                                                          <div><br>
                                                          </div>
                                                          <div>thanks,</div>
                                                          <div>Andrew</div>
                                                          </div>
                                                          </div>
                                                          <div
                                                          class="gmail_extra"><br>
                                                          <div
                                                          class="gmail_quote">On


                                                          Fri, Oct 9,
                                                          2015 at 1:20
                                                          PM, Josh Sokol<span> </span><span
                                                          dir="ltr">&lt;<a
moz-do-not-send="true" href="mailto:josh.sokol@owasp.org"
                                                          target="_blank">josh.sokol@owasp.org</a>&gt;</span><span> </span>wrote:<br>
                                                          <blockquote
                                                          class="gmail_quote"
                                                          style="margin:0px


                                                          0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                                                          <div dir="ltr">
                                                          <div>
                                                          <div>
                                                          <div>Here is
                                                          the current
                                                          text for
                                                          proposal 6:<br>
                                                          <br>
                                                          <div
                                                          style="margin-left:40px"><b>If


                                                          a request for
                                                          funding has
                                                          been approved
                                                          for one
                                                          chapter or
                                                          project, then
                                                          it can be
                                                          considered an
                                                          acceptable
                                                          expense for
                                                          all chapters
                                                          or projects. 
                                                          If they have
                                                          an account
                                                          balance which
                                                          covers that
                                                          expense in
                                                          full, then
                                                          they should be
                                                          considered
                                                          pre-approved
                                                          for spending.</b></div>
                                                           <br>
                                                          <u><b>Tobias:</b></u><br>
                                                          I agree in
                                                          spirit, but I
                                                          think this
                                                          needs
                                                          clarification
                                                          and am a bit
                                                          concerned
                                                          about liberal
                                                          interpretations


                                                          of what is the
                                                          same expense
                                                          type. Expenses
                                                          tend to not be
                                                          exactly
                                                          identical and
                                                          I like to save
                                                          chapter and
                                                          project leads
                                                          from searching
                                                          the public
                                                          expense lists
                                                          for
                                                          precedent. As
                                                          one example, if
                                                          a flight
                                                          ticket is
                                                          approved for a
                                                          chapter leader
                                                          to attend the
                                                          AppSec chapter
                                                          leader
                                                          workshop, that
                                                          should not
                                                          mean we also
                                                          approve a
                                                          flight ticket
                                                          to Bahamas for
                                                          holiday for
                                                          another
                                                          chapter
                                                          leader.
                                                          Technically
                                                          both are
                                                          flight
                                                          expenses for
                                                          chapter
                                                          leaders. (I
                                                          know I am
                                                          splitting
                                                          hairs...)<br>
                                                          <br>
                                                          Suggested
                                                          revision:<br>
                                                          Proposal 6: If
                                                          a request for
                                                          funding has
                                                          been approved
                                                          for one
                                                          chapter or
                                                          project, then
                                                          it can be
                                                          considered an
                                                          acceptable
                                                          expense for
                                                          all chapters
                                                          or projects.
                                                          Our operations
                                                          team shall
                                                          periodically
                                                          (at least once
                                                          every 3
                                                          months) review
                                                          the list of
                                                          published
                                                          expenses and
                                                          if new expense
                                                          types come up
                                                          add them to
                                                          the published
                                                          list of
                                                          acceptable
                                                          expenses. If
                                                          the chapters
                                                          or projects
                                                          have an
                                                          account
                                                          balance which
                                                          covers that
                                                          expense in
                                                          full, then
                                                          they should be
                                                          considered
                                                          pre-approved
                                                          for spending.<br>
                                                          <br>
                                                          <u><b>Josh:</b></u><br>
                                                          I think that
                                                          we need to
                                                          trust people
                                                          to do the
                                                          right thing. 
                                                          To my
                                                          knowledge, we
                                                          have never had
                                                          a person try
                                                          to request
                                                          reimbursement
                                                          for a trip to
                                                          the Bahamas
                                                          because
                                                          someone got a
                                                          flight paid
                                                          for to
                                                          AppSec.  Also,
                                                          keep in mind
                                                          that this is a
                                                          reimbursement
                                                          process so our
                                                          Operations
                                                          Team
                                                          determines
                                                          whether a
                                                          request is
                                                          legit.  To me,
                                                          it would seem
                                                          like you're
                                                          putting a lot
                                                          of extra work
                                                          on the Ops
                                                          Team with
                                                          little added
                                                          benefit since
                                                          they are still
                                                          going to have
                                                          to find a way
                                                          to write it up
                                                          so that it
                                                          will not be
                                                          misinterpreted. 
                                                          I think we
                                                          have
                                                          reasonable
                                                          controls in
                                                          place to
                                                          prevent abuse
                                                          and our
                                                          liability here
                                                          is minimal.  I
                                                          don't see a
                                                          need to revise
                                                          it in this
                                                          manner.<br>
                                                          <br>
                                                          <u><b>Tobias:</b></u><br>
                                                          Well, I don't
                                                          think to
                                                          maintain a
                                                          list of good
                                                          examples is
                                                          unnecessarily
                                                          heavy
                                                          workload. And
                                                          in the long
                                                          run, searching
                                                          through a long
                                                          unstructured
                                                          list of
                                                          published
                                                          expense claims
                                                          will be more
                                                          work load for
                                                          both the staff
                                                          and the
                                                          community to
                                                          check for good
                                                          expense
                                                          precedents. If
                                                          we do this one
                                                          time per
                                                          quarter, the
                                                          effort is
                                                          clearly
                                                          limited. If we
                                                          (staff and
                                                          leaders) have
                                                          to review an
                                                          unlimited year
                                                          long list for
                                                          precedent,
                                                          this seems
                                                          much more
                                                          effort.<br>
                                                          <br>
                                                          </div>
                                                          <u><b>Josh:</b></u><br>
                                                          </div>
                                                          In theory we
                                                          are supposed
                                                          to be
                                                          maintaining a
                                                          list of good
                                                          examples
                                                          already.  Some
                                                          of them are
                                                          listed in the
                                                          Chapter and
                                                          Project Leader
                                                          Handbooks. 
                                                          That said,
                                                          they aren't
                                                          anywhere close
                                                          to all of the
                                                          possible
                                                          things one
                                                          would want to
                                                          spend their
                                                          money on.  The
                                                          idea here was
                                                          simply to
                                                          maintain the
                                                          running list
                                                          of all
                                                          expenses that
                                                          are approved
                                                          or denied
                                                          (proposal 5)
                                                          and use that
                                                          to drive
                                                          spending. 
                                                          Again, I think
                                                          this comes
                                                          down to a
                                                          matter of
                                                          trust.  We
                                                          need to trust
                                                          our Leaders to
                                                          do the right
                                                          thing.  We
                                                          need to trust
                                                          the staff to
                                                          ensure that
                                                          the
                                                          reimbursement
                                                          is legitimate
                                                          before sending
                                                          them a check. 
                                                          With so many
                                                          complaints
                                                          about
                                                          difficulties
                                                          with the
                                                          reimbursement
                                                          process (as
                                                          much as I've
                                                          never seen
                                                          them), we
                                                          should be
                                                          looking for
                                                          ways to strip
                                                          away the red
                                                          tape, not add
                                                          more of it.<span><font
color="#888888"><br>
                                                          <br>
                                                          </font></span></div>
                                                          <span><font
                                                          color="#888888">~josh<br>
                                                          </font></span></div>
                                                          <br>
_______________________________________________<br>
                                                          Owasp-board
                                                          mailing list<br>
                                                          <a
                                                          moz-do-not-send="true"
href="mailto:Owasp-board@lists.owasp.org" target="_blank">Owasp-board@lists.owasp.org</a><br>
                                                          <a
                                                          moz-do-not-send="true"
href="https://lists.owasp.org/mailman/listinfo/owasp-board"
                                                          target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-board</a><br>
                                                          <br>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          <br>
                                                          <fieldset></fieldset>
                                                          <br>
                                                          </blockquote>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          <br>
                                                          <br>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          </blockquote>
                                                          </div>
                                                          </div>
                                                        </div>
                                                      </blockquote>
                                                    </div>
                                                    <br>
                                                  </div>
                                                </div>
                                              </blockquote>
                                              <br>
                                              <fieldset></fieldset>
                                              <br>
                                            </blockquote>
                                            <br>
                                          </blockquote>
                                          <br
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255)">
                                          <pre cols="72" style="font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;background-color:rgb(255,255,255)">-- 
Jim Manico
Global Board Member
OWASP Foundation
<a moz-do-not-send="true" href="https://www.owasp.org/" target="_blank">https://www.owasp.org</a></pre>
                                        </div>
                                      </blockquote>
                                    </div>
                                    <br>
                                  </div>
                                </div>
                              </blockquote>
                            </div>
                          </div>
                        </div>
                        <br>
                        <br>
                      </blockquote>
                    </div>
                    <br>
                  </div>
                </div>
              </div>
            </div>
            <br>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
    </blockquote>
    <br>
  </body>
</html>