[Owasp-leaders] OWASP Election

Andrew van der Stock vanderaj at owasp.org
Fri Oct 9 12:51:35 UTC 2015

As most of you know, I have been around OWASP since nearly the start. I was
not in Mark's apartment like so many claim, but I have been around an awful
long time. I say this not to blow my own horn, but to remind newer folks
that we've been here before, and it sucked. BIG TIME.

I don't know that many of you know why OWASP split into two factions
back in the day when WASC was formed. Those scars from that split are just
about all healed up now, but we and all those who left lost way more from
the split than you can ever imagine. That split was over many reasons, but
one of the many concerns was if we were to be independent and vendor
neutral, or more about vendors using OWASP for commercial gains. WASC, and
more recently SAFEcode, were/are the vendor version of OWASP. They have
negligible mind share. We must learn from the past, and not repeat those

I personally believe that there is no, nada, zilch, reason to convert to a
(c)6 as we are not a guild or the CPA.

- We have had excellent growth as a 501(c)3.
- We have low membership fees, and as a consequence, we by design don't offer
  a lot of immediate give backs or membership benefits
- We don't require membership to participate. That has served us really well.
  Some of our best leaders and best projects have come from outside OWASP
- We have excellent relations with organisations, charities, corporates and
  governments all over the world as an impartial setter of standards and an
  oracle of high quality knowledge
- We have excellent relations with vendors because we are not competing in
  any way with them

- I like the fact that we are not allowed to agitate for political parties or
  positions. It means that the deep divisions seen recently in Twitter in
  infosec peeps don't affect us
- I like the fact that we are not allowed to donate to political parties. We
  are a GLOBAL organisation, not a US organisation.
- I like the fact that we have to spend our funds on primarily our mission,
  which is outreach and getting outside the echo chamber. Membership fees
  allow us to conduct that outreach
- I like the fact that we have a vibrant chapter scene all over the world.
  Changing to 503(c)6 doesn't change this at all. We are ALREADY doing great
  things for our members

- We are not the local Rotary or Lions club. They do great work, but they
  aren't us.
- We are not the auto club, we do not come and fix your computers.
- We are not the CPA, we don't certify anyone. I don't think (c)3 stops us
  doing this if we start in the future

Changing over will cost us thousands in legal fees, and open us up to all
sorts of partisan crap that we've only just managed to heal in the last 5
years. I welcome all of the folks from WASC and SAFEcode as they have
important contributions to make, and hope they will make them here at
OWASP. There is more alike between us than any of our differences.

I am not for this change, and as my term extends over the next year, I will
be voting against this change if it ever comes to a vote.

Let's stay impartial, let's build OWASP as a GLOBAL brand, renowned for our
openness, transparency and independence, and let's think about where we
really need to be instead of wasting members' funds on legal fees.


On Fri, Oct 9, 2015 at 10:27 PM, Mike Goodwin <mike.goodwin at owasp.org> wrote:

> I've spent quite a bit of time reading up on this stuff now, and my
> opinion is the same as Bev's - stay as 501(c)3 but consider a subsidiary
> body of another type.
> My reasons, partly taken from this as the source document
> <http://www.irs.gov/pub/irs-tege/eotopick03.pdf>:
>    - 501(c)6 is about running on behalf of members interests (page K-4 of
>    the source document). When I look at the attendees of my chapter and think
>    about the (intended) users of my project, many of them are not OWASP
>    members. While membership would be good, I want to continue to serve them
>    regardless of their membership status. 501(c)3 seems to be necessary for
>    this
>    - 501(c)6 appears to specifically require members to have a business
>    interest in common and excludes amateurs (pages K-9 and K-11). This would
>    seem to exclude current members who are hobbyists.
>    - I am an admirer of Mozilla. Their structure, if I understand it
>    properly, is a 501(c)3 parent (the Mozilla Foundation)
>    <https://www.mozilla.org/en-US/foundation/about/> that has a wholly
>    owned subsidiary (the Mozilla Corporation). In their case, the subsidiary
>    is a taxable corporation that serves the mission of the parent - I'm not
>    expert enough to know whether a 501(c)6 subsidiary would do the same job.
> On the last point, it seems to me that Mozilla have a lot of
> characteristics that I would like to see in OWASP:
>    - Their main web site is slick and great
>    - Firefox is a jewel in the open source crown
>    - The MDN website is a superb resource
>    - They indirectly support OWASP ZAP by employing Simon - I have heard
>    Simon say he would find it very difficult to maintain his current level of
>    effort on ZAP without the support of Mozilla (@Simon - please correct me if
>    I'm misrepresenting you)
>    - They achieve this with 10.5k (active) Mozillians compared to 42k
>    (active?) members of OWASP. Presumably though, they have many more
>    employees (of the wholly owned corporation?) than OWASP.
> Best regards,
> Mike
> On 8 October 2015 at 22:43, Bev Corwin <bev.corwin at owasp.org> wrote:
>> Chiming in here.....Having read through this discussion, going to bite
>> the bait and submit my 2 cents: I think that it is a mistake and a waste of
>> time and resources to convert OWASP Foundation from a 501(c)3 to a 501(c)6.
>> I'm not even sure if it would be allowable by IRS. I tend to think not, but
>> I'm not an expert by any means. However, regardless, I do think that Tom
>> brings other valuable leadership qualities to the table, commitment, and
>> enthusiasm, therefore, I believe that he would make a good board member,
>> but it is not a good plan to make a conversion, IMHO. I'd prefer to see the
>> new board authorize a committee to create a separate OWASP Professional
>> Association 501(c)6, an entirely new organization. Honestly, it will be
>> easier than trying to convert the existing organization, and will also
>> allow those who care more about the charitable nature of OWASP Foundation
>> 501(c)3 to continue our good work. I would also support the creation of a
>> new 501(c)6 OWASP Professional Association, and oppose this idea of
>> converting any organization from one type to another, in large part,
>> because most organizations typically fail at such efforts, and end up doing
>> more damage than good, completely destroying the organization. If you can
>> show me one successful conversion of a 501(c)3 to a 501(c)6 or vice versa,
>> I will happily reconsider my position. I would greatly prefer to see OWASP
>> Foundation 501(c)3 continue to operate as such, while continually improving
>> in the charitable organization space, and appropriately and legally support
>> the development of a new 501(c)6 OWASP Professional Association, external
>> and independent, with separate boards, staff, etc. Thank you. Best wishes,
>> Bev
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders