[Owasp-leaders] OWASP Election

Josh Sokol josh.sokol at owasp.org
Fri Oct 9 22:20:46 UTC 2015

I'm late to the party, but I couldn't agree more with what Andrew says
here.  I think we have little to gain (only vendors) from this proposed
change and everything to lose.  I would much rather focus our limited time
and attention on furthering OWASP's mission as a charity making application
security visible.  If this comes to a vote during my tenure on the Board, I
intend to vote "no".


On Fri, Oct 9, 2015 at 7:51 AM, Andrew van der Stock <vanderaj at owasp.org>

> As most of you know, I have been around OWASP since nearly the start. I
> was not in Mark's apartment like so many claim, but I have been around an
> awful long time. I say this not to blow my own horn, but to remind newer
> folks that we've been here before, and it sucked. BIG TIME.
> I don't know that many of you know why OWASP split into to two factions
> back in the day when WASC was formed. Those scars from that split are just
> about all healed up now, but we and all those who left lost way more from
> the split than you can ever imagine. That split was over many reasons, but
> one of the many concerns was if we were to be independent and vendor
> neutral, or more about vendors using OWASP for commercial gains. WASC, and
> more recently SAFEcode, were/are the vendor version of OWASP. They have
> negligible mind share. We must learn from the past, and not repeat those
> mistakes.
> I personally believe that there is no, nada, zilch, reason to convert to a
> (c)6 as we are not a guild or the CPA.
> We have had excellent growth as a 501(c)3.
> We have low membership fees, and as a consequence, we by design don't
> offer a lot of immediate give backs or membership benefits
> We don't require membership to participate. That has served us really
> well. Some of our best leaders and best projects have come from outside
> We have excellent relations with organisations, charities, corporates and
> governments all over the world as an impartial setter of standards and an
> oracle of high quality knowledge
> We have excellent relations with vendors because we are not competing in
> any way with them
> I like the fact that we are not allowed to agitate for political parties
> or positions. It means that the deep divisions seen recently in Twitter in
> infosec peeps doesn't affect us
> I like the fact that we are not allowed to donate to political parties. We
> are a GLOBAL organisation, not a US organisation.
> I like the fact that we have to spend our funds on primarily our mission,
> which is outreach and getting outside the echo chamber. Membership fees
> allows us to conduct that outreach
> I like the fact that we have a vibrant chapter scene all over the world.
> Changing to 503(c)6 doesn't change this at all. We are ALREADY doing great
> things for our members
> We are not the local Rotary or Lions club. They do great work, but they
> aren't us.
> We are not the auto club, we do not come and fix your computers.
> We are not the CPA, we don't certify anyone. I don't think (c)3 stops us
> doing this if we start in the future
> Changing over will cost us thousands in legal fees, and open us up to all
> sorts of partisan crap that we've only just managed to heal in the last 5
> years. I welcome all of the folks from WASC and SAFEcode as they have
> important contributions to make, and hope they will make them here at
> OWASP. There is more alike between us than any of our differences.
> I am not for this change, and as my term extends over the next year, I
> will be voting against this change if it ever comes to a vote.
> Let's stay impartial, let's build OWASP as a GLOBAL brand, renowned for
> our openness, transparency and independence, and let's think about where we
> really need to be instead of wasting member's funds on legal fees.
> thanks,
> Andrew
> On Fri, Oct 9, 2015 at 10:27 PM, Mike Goodwin <mike.goodwin at owasp.org>
> wrote:
>> I've spent quite a bit of time reading up on this stuff now, and my
>> opinion is the same as Bev's - stay as 501(c)3 but consider a subsidiary
>> body of another type.
>> My reasons, partly taken from this as the source document
>> <http://www.irs.gov/pub/irs-tege/eotopick03.pdf>:
>>    - 501(c)6 is about running on behalf of members interests (page K-4
>>    of the source document). When I look at the attendees of my chapter and
>>    think about the (intended) users of my project, many of them are not OWASP
>>    members. While membership would be good, I want to continue to serve them
>>    regardless of their membership status. 501(c)3 seems to be necessary for
>>    this
>>    - 501(c)6 appears to specifically require members to have a business
>>    interest in common and excludes amateurs (pages K-9 and K-11). This would
>>    seem to exclude current members who are hobbyists.
>>    - I am an admirer of Mozilla. Their structure, if I understand it
>>    properly, is a 501(c)3 parent (the Mozilla Foundation)
>>    <https://www.mozilla.org/en-US/foundation/about/> that has a wholly
>>    owned subsidiary (the Mozilla Corporation). In their case, the subsidiary
>>    is a taxable corporation that serves the mission of the parent - I'm not
>>    expert enough to know whether a 501(c)6 subsidiary would do the same job.
>> On the last point, it seems to me that Mozilla have a lot of
>> characteristics that I would like to see in OWASP:
>>    - Their main web site is slick and great
>>    - Firefox is a jewel in the open source crown
>>    - The MDN website is a superb resource
>>    - They indirectly support OWASP ZAP by employing Simon - I have heard
>>    Simon say he would find it very difficult to maintain his current level of
>>    effort on ZAP without the support of Mozilla (@Simon - please correct me if
>>    I'm misrepresenting you)
>>    - They achieve this with 10.5k (active) Mozillans compared to 42k
>>    (active?) members of OWASP. Presumably though, they have many more
>>    employees (of the wholly owned corporation?) than OWASP.
>> Best regards,
>> Mike
>> On 8 October 2015 at 22:43, Bev Corwin <bev.corwin at owasp.org> wrote:
>>> Chiming in here.....Having read through this discussion, going to bite
>>> the bait and submit my 2 cents: I think that it is a mistake and a waste of
>>> time and resources to convert OWASP Foundation from a 501(c)3 to a 501(c)6.
>>> I'm not even sure if it would be allowable by IRS. I tend to think not, but
>>> I'm not an expert by any means. However, regardless, I do think that Tom
>>> brings other valuable leadership qualities to the table, commitment, and
>>> enthusiasm, therefore, I believe that he would make a good board member,
>>> but it is not a good plan to make a conversion, IMHO. I'd prefer to see the
>>> new board authorize a committee to create a separate OWASP Professional
>>> Association 501(c)6, an entirely new organization. Honestly, it will be
>>> easier than trying to convert the existing organization, and will also
>>> allow those who care more about the charitable nature of OWASP Foundation
>>> 501(c)3 to continue our good work. I would also support the creation of a
>>> new 501(c)6 OWASP Professional Association, and oppose this idea of
>>> converting any organization from one type to another, in large part,
>>> because most organizations typically fail at such efforts, and end up doing
>>> more damage than good, completely destroying the organization. If you can
>>> show me one successful conversion of a 501(c)3 to a 501(c)6 or vice verse,
>>> I will happily reconsider my position. I would greatly prefer to see OWASP
>>> Foundation 501(c)3 continue to operate as such, while continually improving
>>> in the charitable organization space, and appropriately and legally support
>>> the development of a new 501(c)6 OWASP Professional Association, external
>>> and independent, with separate boards, staff, etc. Thank you. Best wishes,
>>> Bev
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20151009/4d31f0a4/attachment-0001.html>

More information about the OWASP-Leaders mailing list