[Owasp-leaders] [Owasp-board] Please provide a status update to the membership

Josh Sokol josh.sokol at owasp.org
Wed Oct 15 15:25:29 UTC 2014


We fully understand and appreciate your concerns.  In keeping with your
incident response analogy, what you are asking for is equivalent to
notifying the customer prior to determining the scope and impact of the
incident.  Do you send a mass email to your customers every time you get an
anti-virus alert or do you investigate it first to determine what happened
and what all is affected?  We have received an alert (i.e. been notified of
the issue), acknowledged it with stakeholders (i.e. the Leaders list), and
are actively investigating.  Once the scope and impact have been determined
we will be in a better position to assess our next steps.  The ops team is
actively working on this.  Please give them a chance to do their job and we
will communicate once we have more information.  The update right now is
that the operations team has acknowledged the complaint and is working on
determining what the issue is.  Thanks.


Josh Sokol
On Oct 15, 2014 9:50 AM, "Andrew Muller" <andrew.muller at owasp.org> wrote:

> Josh/Tobias,
>   I don't think anyone is attacking the actions of the ops team or trying
> to interrupt their work. Rather Andrew, myself and others believe that this
> isn't just a technical issue. Something has clearly gone wrong during an
> election and OWASP should determine whether the integrity of the election
> process has been compromised as a result and keep the community informed.
> If it has been compromised, then what next? If not, then why not let people
> know?
> You may think I'm overstating it, but I can't help but think of analogies
> of poor communications after security incidents that have damaged the
> reputation of organisations. I don't want to see OWASP suffer this fate.
> Andrew
> On Thu, Oct 16, 2014 at 1:26 AM, Tobias <tobias.gondrom at owasp.org> wrote:
>>  +1 for Josh.
>> I can fully support Josh's statements.
>> I know things may look calm on the outside, but let me assure you the
>> whole team (incl. the board) takes this as the highest priority and there
>> is very high activity on the inside by everyone pulling together to get
>> this analysed and fixed ASAP.
>> As you know the election is still open for another 9 days until Oct-24 (
>> https://www.owasp.org/index.php/2014_Board_Elections), so please have a
>> little more patience and give our team a chance to fix it. And based on the
>> findings we will decide on what to do in addition - hopefully we know more
>> in a few hours.
>> Best wishes, Tobias
>> Tobias Gondrom
>> OWASP Global Board Member
>> On 15/10/14 15:10, Josh Sokol wrote:
>> Andrew,
>> I had at least half a dozen emails back and forth yesterday related to my
>> issue with not receiving the voting email and Kelly was well engaged with
>> me and SimplyVoting.  They tracked my particular issue down to having
>> unsubscribed from a SimplyVoting email during the WASPY awards process.  My
>> issue was just one of many reported and being worked on.  Kate, who was in
>> training this week, was pulled from it in order to work on these issues.
>> This is item #1 on the ops team's plate and they are laser focused on
>> making sure this process is being handled professionally and without
>> missing votes.  Your concerns are very valid and are all being
>> investigated.   If there is cause to pause the election process, I assure
>> you that it will be done.  I do want to say, however, that this is an
>> operations issue and Board involvement beyond supporting the ops team could
>> constitute tampering with the election process.  We need to work
>> diligently, yet judiciously, in order to ensure the process is fair for
>> everyone involved.  There were several emails on this topic yesterday along
>> with a TON of ops team activity, and an update is planned for today.  Keep
>> in mind that it's early morning on day 2 here in the US where the ops team
>> is based.  I'm not saying that there isn't a problem, but patience is
>> definitely a virtue when you want to make sure that things are handled
>> properly.  Please give the ops team a chance to research what happened and
>> communicate it out before assuming that the issue is just being ignored.
>> Thank you.
>> Sincerely,
>> Josh Sokol
>> On Oct 15, 2014 7:16 AM, "Andrew van der Stock" <vanderaj at owasp.org>
>> wrote:
>>> Michael and the Board,
>>> I write to you formally to request a status update on the global OWASP
>>> Board of Directors election process, in particular, I implore the
>>> current Board to take affirmative action to investigate and manage a
>>> resolution to the technical hitches in membership and balloting, and
>>> if necessary delay the election, so that all eligible members can
>>> vote. There is no activity on the Board list to address this issue,
>>> and this, too, needs to be addressed.
>>> Members need to have trust in the integrity of the balloting
>>> (enfranchisement) and voting processes. There are rules posted
>>> regarding the process and deadlines, and for at least some (and
>>> possibly many) members, these deadlines have been missed by the OWASP
>>> Foundation. There is no current membership list. Members have expired
>>> and not been renewed or processed and have missed out on receiving
>>> their vote to the election. It is entirely possible that some of the
>>> candidates, through no fault of their own, are not in good standing.
>>> We just don't know.
>>> The only semi-official message in relation to my queries so far is
>>> "please don't be inflammatory". That is simply not good enough. I am
>>> not sledging the ops team - that is not my intent - but I am saying
>>> there is a critical issue and it is not being managed or communicated
>>> properly, and that requires Board oversight.
>>> In Australia, we recently had to send an entire state back to re-vote
>>> their senate because our electoral commission lost 1300 votes, which
>>> was more votes than the winning margin. I don't ever recall any open
>>> source project or Foundation ever having this type of problem before.
>>> I hope that it's a small issue that can be addressed in a timely and
>>> comprehensive fashion.
>>> Please as a matter of urgency, please work out and communicate with
>>> all the members, (and not just those on the leaders list):
>>> * What is the Board's position on challenges to the election,
>>> postponing or delaying the vote to get the membership and balloting
>>> right, or doing a re-run?
>>> * Were renewal notices sent out to expiring and expired members in a
>>> timely fashion to make the September 30 renewal eligibility deadline?
>>> * If not, will OWASP be e-mailing or making contact with all expired
>>> members to see if they wanted to renew and give them a vote in the
>>> election? If so, when will this occur? Will it occur by the time
>>> voting closes?
>>> * Are all current Board candidates in good standing? If not, will the
>>> Board reach out to the candidates in question, and offer them back
>>> dated honorary membership to comply with the bylaws? Or will they be
>>> ineligible to stand?
>>> * Are all membership renewals (paid, lifetime, and honorary) submitted
>>> prior to September 30 now processed?
>>> * If so, is there an up to date membership list that does not date
>>> back to April 8, 2014? Can this be added to the OWASP Board 2014
>>> elections page?
>>> * As the CRM process wasn't working for some time, what steps are the
>>> Board putting into place to ensure that it is fixed and monitored for
>>> the next election?
>>> These questions have to be answered. No answer is simply not an
>>> option. I don't mind if you take these on notice and reply in pieces,
>>> but please communicate frequently, openly and honestly with us.
>>> I know the vote is open until next week, but I feel that even if there
>>> are only a handful of members piping up on the Leaders mailing list
>>> today, the CRM process has been broken for at least two months, which
>>> covers about 15% of members. It may have been broken as far back as
>>> April 8 when the membership list was seemingly last generated, which
>>> covers around 45-50% of the members.
>>> Simply enrolling those who pipe up in one venue misses those who don't
>>> hang out on the Leaders list and disenfranchises those who might have
>>> wanted a say in OWASP's future. If this is actually a small issue, it
>>> should be easy to determine: compare July, August's and September's
>>> membership totals with that from the year before. If the totals are
>>> reduced, then there is a problem of a known magnitude. But without an
>>> accurate and up to date membership list, we cannot determine if there
>>> are disenfranchised members or how many have been potentially
>>> disenfranchised.
>>> I gave the ops team nearly two months' notice that something wasn't
>>> right, and stayed in fairly constant communication during that time. I
>>> even gave a heads up about my fellow candidates, who I sincerely hope
>>> have their membership sorted so OWASP members have a geographically
>>> varied and interesting selection of candidates to choose from.
>>> I've been here since very nearly the beginning, I don't think I've
>>> ever seen such disarray in our internal processes, especially such key
>>> processes that directly elect the Board.
>>> I implore the Board to take this very seriously. Please communicate
>>> clearly and frequently with us on next steps. If the Board or the
>>> Foundation needs time - more time than there exists until the end of
>>> voting, I am more than willing to give the benefit of the doubt to
>>> ensure that we have an open, transparent membership and voting system
>>> with integrity for a vote to be open to all members, not just those
>>> unaffected by the technical glitches. I can't speak for the other
>>> candidates, but please ask them too. I'd rather this be done right.
>>> I am reachable on +61 451 057 580 if you want
>>> a chat, but I am UTC+11,
>>> which makes it tricky during US business hours.
>>> thanks,
>>> Andrew
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> --
> ____________________
> *Andrew Muller*
> Canberra OWASP Chapter Leader
> OWASP Testing Guide Co-Leader