[Owasp-leaders] [Owasp-board] On ring-fencing finances, communicating with OWASP and more

Bev Corwin bev.corwin at owasp.org
Fri Aug 21 01:29:30 UTC 2015

If funds are not spent by the end of an annual budget cycle, couldn't they
go into a general fund after a period of time, and be spent by some kind of
voting process?


On Thu, Aug 20, 2015 at 8:17 PM, Andrew van der Stock <vanderaj at owasp.org> wrote:

> Remember, Dinis, Josh and I had a podcast on this a little while ago, and
> Dinis noted that it was an experiment to try and get chapters to be more
> involved and spend more of their money.
> As chapters are collecting more and more money which is not being spent,
> we as a board need to work out the best way forward. I agree with Josh that
> we need to get chapters to spend their money, but I also feel that as
> there's no hard and fast bylaw on splits, we need to work out a new model
> that is based upon desired outcomes. Money sitting in the bank doing
> nothing in a non-profit is not meeting our mission. We are not a banker to
> chapters.
> This time, we really need to do proper modelling to understand the effect
> of various splits before we commit to them. Otherwise, we'll be back here
> in less than 2 years with chapters with a million in the bank, and the
> Foundation and projects still scrapping for tidbits. We need to have
> balance. I'm happy to discuss that balance.
> thanks
> Andrew
> On Tue, Aug 18, 2015 at 8:52 AM, <tomb at proactiverisk.com> wrote:
>> FYI there is some detail recorded in a few places for clarity.
>> Archive 2013 60/40 split
>> https://lists.owasp.org/pipermail/owasp-board/2013-February/011674.html
>> And here
>> 90/10 Split 2014
>> https://www.owasp.org/index.php/OWASP_Board_Votes
>> The first effort was a (1) year experiment to provide a split to chapters
>> to get them energized.  It was voted on year two and passed as well (2009
>> time frame). It might be in Kate's notes or wiki minutes; she was the scribe
>> and took them back in those days. They do exist.
>> Moving to a global model and empowering a local model will solve this
>> rich/poor chapters debate.  Investment in projects will also solve the
>> current issue. For every $1.00 the foundation brings in, $0.50 should support
>> projects, $0.25 outreach marketing and $0.25 administrative staff. Will discuss
>> my thoughts on it during my upcoming board interview in more detail. Take a
>> look at the annual report this will help put things in context.
>> Sent from my iPhone
>> On Aug 17, 2015, at 6:12 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> The OWASP foundation made a promise to chapters - years ago - that we
>> would isolate earned funds from each chapter for that chapter only. We then
>> set up a regional conference profit sharing program for chapters and gave
>> chapters a percentage of membership funds for members that flagged their
>> chapter. This was all set up years ago before the election of any current
>> board member.
>> I do not think the foundation should break that promise (if not verbal
>> contract) to chapters around the world and reverse current chapter
>> ringfencing.
>> But we can certainly change that policy moving forward if needed, which
>> is actively being discussed by the board, staff and others.
>> I look at this as many things in computer science - as a tradeoff, not a
>> battle between good and evil.
>> Again, my hope is that we work together as adults to collaborate on a
>> better policy if one is needed. *There is no way we are going to make
>> everyone happy*. If you mess with chapter ringfencing, you are going to
>> upset a lot of very hard working and active chapters. If we leave the
>> ringfencing, it's going to limit major investment capability of the
>> foundation.
>> This is not a cut and dry issue in my opinion. I can see the benefits
>> either way. I am most concerned about what the community thinks is best and
>> what is best for the foundation and serving our mission.
>> Also, the whole board voting process slows things down. That "slowing"
>> factor, like adaptive key generation algorithms, is by design. It takes a
>> voting quorum of board members to significantly change policy or embark on
>> major investments. So for those of you who are frustrated by what you
>> perceive as "bureaucracy", then what is the alternative? Do you want
>> one "king" to just make all decisions? Do you want any member to just
>> dictate new policy? I think for sure governance can be very inefficient -
>> but no governance is even more inefficient.
>> So please, if you want to see something changed - there are positive
>> avenues to do so. *Propose a bylaw change to the board or just ask
>> questions on the board list,* *talk with members of staff,* *participate
>> on the governance email list and trigger good debate* - while emailing
>> the leaders list is a good way to get community involvement in your cause -
>> please consider following through with action that works with the
>> foundation to actually make change beyond leaders list email.
>> *Communication Resources:*
>>    1. Contact the Staff w/ Tracking: https://www.tfaforms.com/308703
>>    2. OWASP Board List: https://lists.owasp.org/listinfo/owasp-board
>>    3. OWASP Governance List:
>>    https://lists.owasp.org/mailman/listinfo/governance
>> Aloha,
>> --
>> Jim Manico
>> Global Board Member
>> OWASP Foundation https://www.owasp.org
>> Join me at AppSecUSA 2015!
>> PS: When the OWASP foundation did not use tracking forms, we received a
>> large number of complaints that support issues fell through the cracks. Now
>> that we have a contact form with a tracking ID, we get complaints of
>> bureaucracy. I think it's more important to NOT let issues fall through the
>> cracks...
>> On 8/17/15 11:31 AM, Eoin Keary wrote:
>> Johanna,
>> The funds distribution in OWASP is broken. Has been broken for years.
>> Some funds are legally allocated to chapters and projects and can not be
>> moved. Other funds can be moved but the mix is unclear.
>> The Owasp foundation should have reserved the right to allocate funds
>> where required. I believe this has been done but unsure.
>> I believe some of the funds in OWASP would be best used as banking test
>> data as it will persist in banking systems forever :)
>> This is my humble understanding of the issue.
>> Eoin Keary
>> OWASP Volunteer
>> @eoinkeary
>> On 17 Aug 2015, at 18:04, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>  >I don't think there is anything preventing a project from doing the
>> same, but I haven't seen it done at this point.
>> I think we need to create Project Summits in the form of events with the
>> whole purpose of gathering funds for projects. OpenSAMM has done this and I
>> think we can try that. For that we need the support of the staff (Business
>> Liaison, Event Manager), just as they put their work and efforts into events
>> and AppSecs. Here a cut share between OWASP staff time and projects can also
>> be done.
>>  >OWASP has a project funding bucket.
>> Look, the Denver chapter has around 50K in their bucket. The richest project
>> is ZAP with 10k... but that is the exception. Even worse when you look at
>> chapters outside the US or EU: mine has only USD 40. Most projects have
>> zero dollars.
>> And the limits right now are a support, but do not help to get important
>> things moving, like the OWASP Academy portal, leaders like Azzedine assisting and
>> showcasing his chapter or project, or other more complex initiatives, or
>> major improvements or promotions to their projects.
>>   >Remember that the Board is just a handful of leaders who were elected
>> to set the compass.
>>   Yes, but how do they know where to go? That's why the survey. The survey
>> is the compass. And the leaders are elected to listen to the community.
>> And About committees...
>> The only existing active committee right now is the Project Review (which
>> I myself still call a taskforce). I haven't seen many initiatives or
>> participation from other committees. So the committee concept in theory
>> seemed like a great idea, but in practice it is not working because, in my eyes,
>> creating a committee is creating a mini board inside OWASP. We do not want
>> to create oligarchies in the end.
>>   I think we should cut off that committee idea and be more practical. More
>> like this
>>   Example:
>>    - John Lita wants to create an academy portal, but developing it costs
>>    money and resources that volunteers alone cannot easily pull off (the owaspa
>>    project was the same and died, just like many educational initiatives)
>>    - John must create a proposal with defined goals and how to reach
>>    them. He joins other volunteers in this effort. No need to be a committee.
>>    - John & Claudia create a survey and seek support of the community
>>    - If the idea has major feedback and volunteers, then John has the
>>    support from the staff to execute, including looking for sponsors using
>>    crowdsource funding portals
>>    - Staff monitors development and results of the actions taken
>>    - Staff reports results back to the community
>> This is in my eyes how I have been working in the end, because, as
>> volunteers, available time mostly depends on one or two passionate
>> individuals like John Lita, who are more dedicated, and the rest follow...
>> Now if we want to change things, don't tell me to set up a committee,
>> because, Josh, this has not worked so far.
>>  Allow me, and let the staff know that they should support me and any
>> other volunteers seeking to implement their ideas ;-).
>> Let's cut the red tape with committees and let people know that if they
>> want to do something,
>>    - Contact the staff.
>>    - Set up a survey and gather support
>>    - Need more money? Set up a crowd funding project @
>>    https://www.kickstarter.com under OWASP
>>    - Volunteers implement idea or project with the support of owasp
>>    staff and other volunteers
>> How do we get this idea to action?
>> Shall we create a survey?
>> Do you need to discuss this on a board meeting?
>> How do I get empowered and let the staff know that as a volunteer I have
>> your support for this (if I do)?
>> You see... how dependent I am on the board to be able to execute?
>> Of course I can always do this on my own, but then I'd better do it without
>> OWASP...
>> Regards
>> Johanna
>> On Mon, Aug 17, 2015 at 10:55 AM, Josh Sokol <josh.sokol at owasp.org>
>> wrote:
>>> Johanna,
>>> Thank you for putting your thoughts out there for everyone.  Silence is
>>> not good for anyone and OWASP will be far more successful if we know what
>>> our leaders are struggling with and make a conscious effort to improve it.
>>> I think that many of your points are very valid and strongly support the
>>> idea of polls to gauge community support for actions being taken.  I also
>>> support the idea that the Board should be making as few of these decisions
>>> as possible and putting the power back in the hands of the community with
>>> support from the staff.  The Board should be the "compass" making sure that
>>> we are moving in the right direction with the community and staff being the
>>> ones actually pushing us forward.  That's not to say that members of the
>>> Board won't have their own projects or initiatives, but they do so as part
>>> of the community, not because of their roles on the Board.  The Committees
>>> 2.0 framework was a first step in driving this level of empowerment back to
>>> the community while maintaining accountability and providing appropriately
>>> scoped actions.  My impression was that the Projects Committee was rolling
>>> forward quite well under this guidance, but it sounds like maybe I was
>>> wrong.  Are there specific actions that you have tried to take on the
>>> committee that got blocked by the Board or hung up in "red tape"?  Are
>>> there needs for funding that haven't been met?
>>> Regarding the project vs chapter funding schemas, I'm not sure that
>>> there is a good answer.  Projects are typically made up of a pocket of
>>> individuals.  Typically one leader with sometimes one or two others
>>> assisting.  Chapters are typically anywhere from 20 people to hundreds.  We
>>> provide members with the ability to allocate their funds to either, but
>>> most associate themselves with a chapter rather than a project because
>>> that's where they participate.  We also have chapters putting on
>>> conferences with the goal of raising funds.  I don't think there is
>>> anything preventing a project from doing the same, but I haven't seen it
>>> done at this point.  Those are the two main ways that I see chapters
>>> raising money.  Yes, there is certainly a difference in schemas and
>>> projects will have a more difficult time, but that's also why OWASP has a
>>> project funding bucket.  Money from these local events as well as funds
>>> raised by our AppSec conferences gets budgeted specifically for this
>>> purpose.  To my knowledge, no reasonable request for funds by projects has
>>> been denied.  Just because there isn't money sitting "ring fenced" in an
>>> account for the projects, doesn't mean that there isn't money that can be
>>> spent.  It just means that it needs to be requested from the pool.  Yes,
>>> it's a different model of funding, but the end result is the same.  There
>>> are funds available at OWASP for everyone who needs them.
>>> There are obviously many things that need to be improved at OWASP and,
>>> unfortunately, the Board has been tied up in rules, events, bylaws, etc for
>>> a while now.  It's definitely not the "fun" part of the job and it is very
>>> time consuming.  That said, I would argue that these are the things that
>>> need to be changed in order for everyone else (staff, community, etc) to be
>>> able to be better served.  We've made several changes to the Bylaws and are
>>> working on more.  We've hired an Executive Director (Paul), an Event
>>> Manager (Laura), a Community Manager (Noreen), and a Project Coordinator
>>> (Claudia) just in the almost two years that I've been on the Board.  The
>>> needle on the compass is set and, while it takes some time to right the
>>> ship, we are getting there by giving our community the support it requires
>>> to be successful.  So, here's my general thought:
>>> 1) If it's within the scope of a defined Committee, JUST DO IT!
>>> 2) If there's no Committee defined for it, CREATE ONE, then JUST DO IT!
>>> 3) If a Committee doesn't make sense, ASK THE STAFF FOR IT!
>>> 4) If asking the staff isn't working or we need to change a policy to
>>> make it happen, LET THE BOARD KNOW!
>>> The Board should be the last resort, in my opinion, not the first.  We
>>> should be the enabler, not the bottleneck.  I think that our leaders make
>>> too many assumptions (probably based on past Board actions) about what
>>> needs to go to the Board and we need to get away from that.  Remember that
>>> the Board is just a handful of leaders who were elected to set the
>>> compass.  We have a finite number of things that we can handle and our
>>> Board meetings are typically overflowing with topics.  So, if something is
>>> bothering you, I would encourage you to change it.  That's why, with the
>>> David Rook situation, I encouraged creation of a new Committee to determine
>>> a reasonable solution.  If it requires a policy change by the Board, then
>>> we can vote on that, but asking the Board to take action just perpetuates
>>> the oligarchy that you mention in your e-mail.  Instead of pushing these
>>> issues up to the Board for action, let's have the community DECIDE what
>>> they want and have the Board change the compass needle via bylaws,
>>> policies, and staff discussions, accordingly.  At least, that's my vision
>>> for OWASP.  Is that something that you can get on board with?
>>> ~josh
>>> On Mon, Aug 17, 2015 at 8:11 AM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>> Members of the board,
>>>> With the recent issue regarding David Rook, and my latest experience
>>>> with red-tape, I'm proposing the following.
>>>> My goal is to call your attention to these issues which I have been
>>>> observing for years, and not as a critique of your work, but I think if
>>>> you do not pay attention to these issues and DO something about them, OWASP
>>>> will lose valuable community participation.
>>>>    - When an initiative is proposed or launched by a member of the
>>>>    board, this should be followed up by a survey where the community can
>>>>    vote. Whether it is a rule or money, these decisions should be taken based on
>>>>    collected data and proper substantiation to avoid oligarchy
>>>>    - When an initiative is launched by a member of the community,
>>>>    especially when this initiative costs more than 10k, it should be
>>>>    substantiated with data on how this initiative will benefit the community.
>>>>    It should also be followed by a survey
>>>>    - Staff should help create the survey and analyse the votes
>>>>    - *In other words: do more surveys to find out what the community
>>>>    needs and wants.*
>>>> My observations and where I think you need to give more attention:
>>>>    - Board/Executive director should work more closely with the staff for
>>>>    guidance and empowering their role. I have the feeling that the staff is
>>>>    paralysed waiting for instructions or following strict rules. The staff
>>>>    should be motivated to take initiative and implement projects on their own
>>>>    that can help the community. They should not be too dependent on an
>>>>    Executive director or member of the board for this part
>>>> As I see it, OWASP is known for its Project & Chapter leaders, who as
>>>> volunteers have contributed the most to put OWASP in the spotlight.
>>>> Therefore:
>>>>    - You should determine and implement better ways to provide better
>>>>    funding schemas for projects. This is something a volunteer cannot do. And
>>>>    *nothing* has been done to help solve this issue
>>>>    - There is an unfair inequality in the way chapters can generate
>>>>    funds vs Projects.
>>>>    - Money is locked down in the chapters budget
>>>>    - Chapters outside the US & EU have more struggles to find support. You
>>>>    should consider a way to support these better, since their countries
>>>>    are not as developed in the area of security as countries in the EU and US.
>>>>    - Follow up: when issues like David Rook or a volunteer rants (like
>>>>    me or others) out of frustration, take action. Put it on the agenda and try
>>>>    to solve and discuss the issues to improve the actual problems. So far I
>>>>    have seen very little follow up on major issues and discussions raised in
>>>>    the mailing lists
>>>>    - Way too much attention to rules, *events* and bylaws etc. Time to
>>>>    take action and take decisions and propose plans for improvements of the
>>>>    actual situation mentioned above
>>>> That being said, and with all due respect to you, I hope that you can
>>>> take actions and *execute* improvements that have been an issue since
>>>> I joined OWASP 3 years ago.
>>>> Regards
>>>> Johanna
>>>> _______________________________________________
>>>> Governance mailing list
>>>> Governance at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/governance
>> --
>> You received this message because you are subscribed to the Google Groups
>> "OWASP Projects Task Force" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to projects-task-force+unsubscribe at owasp.org.
>> To post to this group, send email to projects-task-force at owasp.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/owasp.org/d/msgid/projects-task-force/CACxry_0p_kEGLn%3DCK38cQf%3Dv0gKoVB0R82Y10U1VmKvu_vm32Q%40mail.gmail.com
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board