[Owasp-leaders] Seeking Your Feedback on OWASP Participation

Josh Sokol josh.sokol at owasp.org
Mon Feb 24 20:26:41 UTC 2014

Thank you to everyone who has provided their feedback here.  It seems that
the overwhelming majority support the ability for a leader to remove an
individual who is behaving in a manner not aligned with the OWASP Code of
Ethics.  The Board discussed this during our meeting today and came up with
a potential change to the OWASP Bylaws in order to address this:

> Participation in OWASP activities (conferences, meetings, mailing lists,
> projects, etc.) is subject to adherence to the OWASP Code of Ethics and
> OWASP leaders may revoke the privilege of participation to those who choose
> not to abide by that code.

Leaders, before we vote on whether to approve this, the Board wanted to see
what you all think.  Does this statement accurately reflect the sentiment
reflected by those who responded?  Do you have other suggestions?  Thank


Josh Sokol

On Thu, Feb 20, 2014 at 1:17 PM, Bev Corwin <bev.corwin at owasp.org> wrote:

> IMHO - I think that it would be wise to explore this issue more, and to
> discuss possible dynamic frameworks, in general, to accommodate as many
> members' participation as possible, while protecting the community's
> positive momentum. These types of issues are often complex, and not so
> simple, so well worth some serious conversation, discussions, and research.
> Diverse perceptions are important. Perhaps assign a committee to put some
> time into researching possibilities?
> Bev
> On Thu, Feb 20, 2014 at 2:05 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> Jerry,
>> Fortunately, we haven't had this issue with the OWASP Austin chapter and
>> our community tends to be very positive and cooperative overall.  I count
>> us lucky in that regard, but there is more than one chapter out there
>> where I know this issue strikes very close to home.  In both cases that I
>> am aware of, said individual has been counseled to cease their activities,
>> but to no avail.  The chapters have taken steps, as suggested by others, to
>> keep these individuals away, but in hearing this it did force me to
>> re-evaluate what we mean when we say that OWASP is free and open to all.
>> Hence, my bringing it to the leaders to see what you all think about the
>> topic.  So far, the majority who have contacted me both in public and in
>> private seem to favor the approach of NOT letting one rotten apple spoil
>> the bunch.  I tend to agree with this, but wanted to seek advice on what
>> the impact of such an action was on OWASP's overall ideology of openness.
>> Is there anyone out there who disagrees and feels that even in the face of
>> this adversity we should strictly adhere to the standard of openness and
>> allow this individual access despite their behavior?
>> ~josh
>> On Thu, Feb 20, 2014 at 12:53 PM, Jerry Hoff <jerry at owasp.org> wrote:
>>> Josh,
>>> Apologies in advance if you have already done this - but have you told
>>> the offending individual to chill?  When I used to do martial arts, lots
>>> of people would come in super amp'd and wild.
>>> Sometimes just bringing it to their attention and letting them know,
>>> Texas style, that they need to get with the program, not interrupt other
>>> people's presentations or spoil the mood of the event is enough.  I
>>> wouldn't consider banning them from an event until they've had a fair
>>> warning or two to cut it out.
>>> Jerry
>>>  --
>>> Jerry Hoff
>>> @jerryhoff
>>> jerry at owasp.org
>>> On Feb 20, 2014, at 1:45 PM, Steven van der Baan <
>>> steven.van.der.Baan at owasp.org> wrote:
>>> Hi Josh,
>>> Even though non-members don't know our 'code', that doesn't free
>>> them from it. Especially if the code is an extension on 'social behaviour'.
>>> I see a similarity in law, where you as an individual living in a
>>> country have to live by that law, even if you don't know the exact writing
>>> of it. This is a universal principle within communities and OWASP should be
>>> no exception to that.
>>> Steven.
>>> On 20 Feb 2014 17:22, "Josh Sokol" <josh.sokol at owasp.org> wrote:
>>>> I appreciate your feedback Steven.  For those who haven't read it, the
>>>> OWASP Code of Ethics that Steven is referring to can be found here:
>>>> https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#Code_of_Ethics
>>>> I most certainly agree that this document dictates expectations on how
>>>> those in our community should behave.  The real question is how do we
>>>> respond to those who do not follow this code.  You bring up an interesting
>>>> point as well about the member vs non-member aspect of this.  I'd guess
>>>> that the majority of non-members who attend meetings haven't read that Code
>>>> of Ethics.  Heck, I'd guess that the majority of members haven't.  Is this
>>>> equivalent to "you didn't read the fine print" or do we have an obligation
>>>> to be more explicit here?
>>>> As you can imagine, this is far from a purely hypothetical situation
>>>> and I'm very interested to hear what our leaders think particularly about
>>>> preaching "openness" while at the same time closing the door on those who
>>>> don't conform to our Ethics.  Thank you.
>>>> ~josh
>>>> On Thu, Feb 20, 2014 at 11:03 AM, Steven van der Baan <
>>>> steven.van.der.baan at owasp.org> wrote:
>>>>>  Hi Josh,
>>>>> this is a big problem.
>>>>> I personally would refuse that person entrance to the meetings based
>>>>> on the code of conduct, even if he/she is not a (paying) member.
>>>>> I believe that anybody who is attending an OWASP meeting is bound by
>>>>> our principles and code of ethics. And the behaviour that you described is
>>>>> in clear violation of that.
>>>>> However, there should be a possibility for the person to demonstrate
>>>>> the willingness of abiding by the principles and be able to attend the
>>>>> meetings again.
>>>>> But that is just my point of view.
>>>>> Good luck with it,
>>>>> Steven.
>>>>> On 20/02/14 16:34, Josh Sokol wrote:
>>>>>    OWASP Leaders,
>>>>>  Let's say that there is an individual in your local security
>>>>> community who is routinely feuding with other security professionals in the
>>>>> area.  No physical violence, but fairly frequent name calling, negative
>>>>> insinuations, etc.  Their attendance at your OWASP functions (meetings,
>>>>> happy hours, conferences, etc) makes other people uncomfortable due to
>>>>> their tendency to cause problems and perhaps these people have even said
>>>>> that they will not attend these events if this individual is also in
>>>>> attendance.  Attempts to seek peace with the individual have failed and the
>>>>> behavior will not change.  What do you do?  Is it acceptable to ban them
>>>>> from these events?  Do you allow this one rotten apple to spoil the bunch
>>>>> because OWASP policy says that we are free and open to all?  Is there a
>>>>> point where an individual becomes enough of a distraction that we should
>>>>> consider banning them from OWASP altogether?
>>>>>  A couple of points of reference:
>>>>> Our mission statement says "everyone is free to participate in OWASP" (
>>>>> http://www.owasp.org).
>>>>>  Our Chapter Handbook says "Local chapter meetings must be free for
>>>>> everyone to attend, regardless of whether the attendee is a paid member,
>>>>> and open to anyone." (
>>>>> https://www.owasp.org/index.php/Chapter_Handbook/Chapter_2:_Mandatory_Chapter_Rules#Organize_free_and_open_meetings<https://www.owasp.org/index.php/Chapter_Handbook/Chapter_4:_Chapter_Administration#Mailing_Lists>
>>>>> )
>>>>>  Your feedback is greatly appreciated.
>>>>>  ~josh
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders