[Owasp-leaders] Indemnity

Jeff Williams jeff.williams at owasp.org
Wed Aug 10 23:34:50 EDT 2011

Hi Mark,


I appreciate the sentiment, but recognize that in a community with over 300
project and chapter leaders we need rules, and that means discussion about
rules.  Some of these discussions have been very interesting and immensely
important for OWASP.  Frankly, most leaders ignore these messages except
when they're really passionate about something.  And of course there are a
few leaders who seem driven to make a big deal about nothing at all.


All of this, including your message and my response here, have already
happened countless times in countless other communities.  Despite your
message, I know that you have a strong interest in the creation of
community.  You've proven that you have the ability to get people focused
and motivated.  I hope you'll use those skills to keep OWASP going strong
and attract new leaders.


Everyone please, don't get sucked into discussions that are not productive.
Refuse to be terrorized.





From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of mark curphey
Sent: Wednesday, August 10, 2011 11:06 PM
To: Christian Heinrich
Cc: <global_membership_committee at lists.owasp.org>; OWASP Leaders
Subject: Re: [Owasp-leaders] Indemnity


Please forgive what may be a naive message. Having been away from OWASP for a
number of years I just don't recognize the project I left or understand how
things work these days. 


This list seems to be focused on bureaucracy and administrivia (neither of
which I personally have any interest in). Is there a "leaders" list where
project leaders focus on improving the state of application security,
discussing ways to make OWASP have more impact or share ideas on how
individual projects can be better? If so I would like to unsubscribe from
this list and join that one. 


I look forward to hearing from you. 








On Aug 10, 2011, at 6:28 PM, Christian Heinrich wrote:


On Thu, Aug 11, 2011 at 1:04 AM, Abraham Kang <abraham.kang at owasp.org>

Most companies have an indemnity clause in their bylaws because officers and
directors have a fiduciary duty to the company.  A fiduciary duty entails a
Duty of Loyalty and Duty of Care.  


What is the difference between a "Company" and a "Not for Profit Foundation"
i.e. OWASP as defined by USA Law?


On Thu, Aug 11, 2011 at 1:04 AM, Abraham Kang <abraham.kang at owasp.org>

A duty of loyalty requires officers and directors to place the interests of
the organization above their own.  This implies that officers and directors
cannot usurp opportunities for themselves which could have been taken by the
organization unless notifying non-interested directors and getting approval
or if the organization would not be able to avail itself of the opportunity.
If an officer or director breaches this duty they can be sued.  However, the
indemnity will only apply when the officer or director does not have an
adverse ruling against him/her in the proceeding.  If the officer or
director is found to have acted in bad faith they, individually, he/she will
be responsible for paying their attorney's fees (no indemnity and


On a slight tangent, does the above paragraph infer that OWASP Board Members
have to declare all commercial opportunities, i.e. webappsec product or
professional service, delivered by their respective employer?


I am very much in favor of reducing perceived conflict of interests within
the OWASP Board.


On Thu, Aug 11, 2011 at 1:04 AM, Abraham Kang <abraham.kang at owasp.org>

Members do not have a fiduciary duty to the organization per se.  However,
if a member is acting as an agent of the organization and the organization
has held the agent out as representing the organization or acknowledged the
agency relationship then the organization will be liable for the member's
actions (indemnity).  An example of agency would be where members set up
conferences like AppSec USA and sign contracts for the venue, food,
services, etc. on behalf of OWASP.  So there is indemnity of members in
certain cases.


I believe this addresses my request and is therefore similar to my
experience in NSW, Australia i.e.


Does this indemnity extend to:

1. Libel/slander on OWASP Mailing Lists and Chapter Meetings or Conferences?

2. Lack of OH&S, such as an attendee breaking their arm in a fall at an
OWASP Chapter Meeting or Conference?   


On Thu, Aug 11, 2011 at 1:04 AM, Abraham Kang <abraham.kang at owasp.org>

But requiring OWASP to indemnify all of its members would be a tremendous
legal burden. Especially if the member is not acting as an agent for OWASP.
This would open OWASP to potential liability for actions that any member
partakes (hacking government institutions, negligence, as well as other
criminal and civil torts).


The above would then be addressed by their employer's indemnity insurance -


On Thu, Aug 11, 2011 at 1:04 AM, Abraham Kang <abraham.kang at owasp.org>

I have to say this is an unreasonable request and it is not related to
Americans trying to control everything.  


I deliberately avoided making reference to this - rather I am interested in
the difference between the USA and Australian (State) Laws regarding "Not
For Profits". 


On Thu, Aug 11, 2011 at 1:04 AM, Abraham Kang <abraham.kang at owasp.org>

I attended this year's OWASP leadership conference in Lisbon, Portugal.
This conference was not held in the states.  And although it was a pain
flying to Europe from the US I think we had good representation of members
outside of the US for leadership purposes.  This shows that OWASP is
globally centric and not US centric.


I might address the Summit in a separate thread.  However, the OWASP
Community has extended beyond Europe and USA.


On Thu, Aug 11, 2011 at 1:04 AM, Abraham Kang <abraham.kang at owasp.org>

Come guys, OWASP wants to support and reach out to the world.


Thanks for taking the time to clarify this in detail.

Christian Heinrich
