[Owasp-leaders] OWASP charitable status

Richard Greenberg richard.greenberg at owasp.org
Sun Oct 11 21:58:09 UTC 2015


I was very open to hearing what a change in our status could do for OWASP.
I have reviewed both classifications, and really can find no benefit that
we can achieve by spending a lot of time and money to switch our
not-for-profit status. Please, let's focus on real achievements in software
projects and move away from this effort.

Also, keep in mind that several large corporations, such as Microsoft, have
grant programs and free software donations to 501c3 organizations only.

Richard Greenberg, CISSP
President, OWASP Los Angeles, www.owaspla.org <http://www.appsecusa.org/>
ISSA Fellow
President, ISSA Los Angeles, www.issa-la.org <http://www.appsecusa.org/>
LinkedIn:  http://www.linkedin.com/in/richardagreenberg
(424) 261-8111

On Sun, Oct 11, 2015 at 2:46 PM, Tobias <tobias.gondrom at owasp.org> wrote:

> Hi all,
>
> thanks for this broad discussion and advice. And great know-how from the
> community on how to proceed, if we would need to. And seems many on the
> leaders list are knowledgeable in this area and well aligned with the
> current spirit and status of our community.
>
> We know how we could handle things if we wanted to change them.
> But to the basic question: Do we need to change and why?
> What is actually the problem with the current situation?
> Maybe I missed that piece, but so far I can not recall reading about what
> exactly we would want to do that would require us to use a 501(c)6. As
> several pointed out on the list, changing org structure is quite expensive
> and there are good reasons for our 501(c)3, I think without a reason or
> real need.
>
> Best regards, Tobias
>
>
>
>
> On 11/10/15 19:51, Mike Goodwin wrote:
>
> Jim - thanks for that info. Also, I hope you enjoy the baths. I started
> running today after very long layoff, so I could do with something similar
> myself!
>
> I guess my main point is that if we were to look at any structure that had
> both a charity part and a non-charity part (of whatever type)  then I would
> want to see the charity part as the parent and in control, rather than
> vice-versa. That is the main aspect of the Mozilla model that I see as
> important. Presumably some or all of the OWASP (charity) board would also
> be on the board of the subsidiary to provide the governance to ensure the
> subsidiary was working solely to support the OWASP mission.
>
> As to whether we should actually *have* that kind of two-level structure
> at all, I'm open minded. Things I would like to see in OWASP are:
>
>
>    - OWASP employs people to work full time on key projects to give them
>    dedicated focus and acceleration - think of how much support Joyent give to
>    node.js, for example
>    - The most obvious candidates to be these key projects are our
>    flagship projects but it could include other early-stage projects that
>    were judged to have the right potential
>    - The main website/wiki for OWASP and the key educational assets on it
>    should also have a bigger full-time staff to make them genuinely world
>    class. I'm thinking here of graphic designers, technical authors, web
>    developers etc. to help get the most from the great content provided by all
>    the subject matter expert contributors
>    - All the above would probably need some more dedicated revenue
>    raising effort to make it sustainable
>
> If we can do that without restructuring, then great, let's save the legal
> costs. I'm genuinely open minded on it.
>
> Jim, I'm happy to join a call with some specialists - I'm not in a
> position to contribute to paying for it from my own funds though :o( Don't
> you think this inquiry is something that should be funded from OWASP funds
> though? It seems to me like a reasonable use of such funds...
>
> Mike
>
>
>
>
>
>
> On 11 October 2015 at 12:16, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Mike,
>>
>> I think the main reason for Mozilla's corporate structure is because back
>> in the day, 90% of their revenue came from Google advertising royalties and
>> the IRS conducted an audit because of so much revenue coming from one
>> company as well as the type of income (not a donation).
>>
>> So Mozilla set up a for-profit entity to collect these fees legally and
>> then donated that profit back to the charity.
>>
>> I'm inclined to call the IRS or a legal expert in this area and ask a few
>> questions about what is best for OWASP. If you would care to join me let me
>> know. I appreciate your concern and perspective over this issue.
>>
>> And hello from Budapest, Hungary. Enough of this for one day, I'm off to
>> the local thermal baths with my wife. Priorities, eye? Time to soak...
>>
>> Aloha,
>> --
>> Jim Manico
>> Global Board Member
>> OWASP Foundation
>> https://www.owasp.org
>> Join me in Rome for AppSecEU 2016!
>>
>> On Oct 11, 2015, at 11:41 AM, Mike Goodwin <mike.goodwin at owasp.org>
>> wrote:
>>
>> If this is being investigated further, it would be worth considering
>> having a 501(c)3 parent with a wholly owned corporation (i.e. not a trade
>> association 501(c)6) as a subsidiary. This is the model that Mozilla has
>> and to my non-legal mind, it makes more sense if we want to keep our
>> charitable mission since the charity would be the sole shareholder of the
>> corp and therefore control it and ensure it served the mission of the
>> charity. Also it would remove any legal non-compete restrictions that Jim
>> mentioned. Regardless of the exact nature of the trade
>> association/corporation, I think the charity should be the parent and not
>> the other way round.
>>
>> Mike
>>
>> On 11 October 2015 at 09:54, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> Totally fair perspective, thanks for diving into this, Robert. If you
>>> would like to take me up on my offer to join me in researching this more
>>> with a professional in this area, let me know.
>>>
>>> I'm extremely biased towards exclusively remaining a charity, but I'm
>>> happy to explore alternatives further.
>>>
>>> Aloha,
>>> --
>>> Jim Manico
>>> Global Board Member
>>> OWASP Foundation
>>> https://www.owasp.org
>>> Join me in Rome for AppSecEU 2016!
>>>
>>> On Oct 11, 2015, at 10:15 AM, Robert Shullich <robert.shullich at owasp.org>
>>> wrote:
>>>
>>> It was not my intention to say go this way, but switching the current
>>> organization to 501c6 exclusively doesn't have to be the only answer, I.e.
>>> Doing Both a 501c6 and a 501c3
>>>
>>> As I said it will take a lot of resources, so I don't know if it would
>>> be quick. We would need to know the pros & cons. And yes, it looks like
>>> everyone else does it that way - but it doesn't mean that the configuration
>>> is right for us. Status quo may end up being the better way.
>>>
>>> Who knows - I don't
>>>
>>> Sent from my iPhone
>>> Robert Shullich, CPP, CISSP, CISM, GSEC, CIPP/US
>>> Enterprise Security Architect
>>> Tower Group Companies
>>> Pro Box 026156
>>> Brooklyn NY 11202
>>> (201) 291-7432 (Direct)
>>> (201) 221-8767 (Fax)
>>> (908) 419-5417 (Mobile)
>>>
>>>
>>> On Oct 11, 2015, at 3:12 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>> Robert "everyone is doing it" is a good reason to potentially research
>>> this more, but at the same time it's a bit creepy to hear that phrase
>>> uttered.
>>>
>>> Another thing to consider is that trade associations cannot at all
>>> compete with its members. Per my understanding we would have to at least
>>> drop conference training since it competes with its members.
>>>
>>> While I think this is a horrifically bad idea, I am happy to facilitate
>>> looking more closely into this. If you would like we can call the IRS
>>> charity customer support or similar together and ask questions and report
>>> back to the community. And since I've been quite aggressive in this
>>> conversation I'd also be happy to hire a lawyer that specializes in this
>>> area (at my personal expense) so we can ask pointed questions.
>>>
>>> Regards,
>>> Jim
>>>
>>> •••••
>>>
>>> Profits
>>>
>>> Unlike 501(c)(3) charities, which can operate ancillary activities such
>>> as festivals or bake sales for profit, a 501(c)(6) organization may not
>>> oversee any profit-generating enterprises. The organization is also
>>> prohibited from offering the same type of services or products sold by its
>>> membership. For example, an association of optometrists may only work to
>>> improve the industry as a whole. If the organization examines patients or
>>> sells eyeglasses, it may lose its 501(c)(6) tax exemption.
>>>
>>> --
>>> Jim Manico
>>> Global Board Member
>>> OWASP Foundation
>>> https://www.owasp.org
>>> Join me in Rome for AppSecEU 2016!
>>>
>>> On Oct 11, 2015, at 5:55 AM, Robert Shullich <robert.shullich at owasp.org>
>>> wrote:
>>>
>>> In the USA "anyone" is not true.
>>>
>>> As a 501 c(3) anyone donating, may be eligible to deduct - within
>>> certain limits and thresholds - under a Schedule A under charitable
>>> donations, which means you also need to itemize your 1040.
>>>
>>> Corporate sponsors on the other hand would not be doing this. They would
>>> most likely be deducting sponsorships as business expenses.
>>>
>>> Also, individuals - even if not a 501 c(3) - can deduct dues and
>>> probably some donations as business expenses, which requires a Schedule C
>>> (if they run a business) or as an individual, itemize on a schedule A but
>>> is subject to anything over 2%
>>>
>>>
>>> So in the USA I don't see corporate sponsorship being affected. I have
>>> no idea why we would lose 25% of membership,
>>>
>>> As I said before, and no one seemed to have any opinion or comment -
>>>
>>> Is to consider making a 501c6 organization for OWASP for the membership
>>> and keep the OWASP foundation mainly for receiving and managing donations
>>>
>>> The concept of having the membership as a 501c6 and a side foundation as
>>> a 501c3 is the current structure of ASIS, (ISC)2, and ISACA, to name a few.
>>> I don't see converting OWASP  to this model as impossible, but will take a
>>> lot of work, budget, and filing new corporate papers as well as new tax
>>> determination letters.
>>>
>>> As a 501c6 - OWASP would still be tax exempt non profit, but not a
>>> charitable organization. The foundation would remain a charitable
>>> non-profit and still collect donations, and should be able to pass most of
>>> those donations over to the 501c6.
>>>
>>> I don't know what the advantages of doing this are, but almost everyone else
>>> is doing this, even universities, so there must be some benefit.
>>>
>>> Sent from my iPhone
>>> Robert Shullich, CPP, CISSP, CISM, GSEC, CIPP/US
>>> Enterprise Security Architect
>>> Tower Group Companies
>>> Pro Box 026156
>>> Brooklyn NY 11202
>>> (201) 291-7432 (Direct)
>>> (201) 221-8767 (Fax)
>>> (908) 419-5417 (Mobile)
>>>
>>>
>>> On Oct 10, 2015, at 8:40 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
>>> wrote:
>>>
>>>
>>> On Thu, Oct 8, 2015 at 2:36 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>> Larry Conklin wrote:
>>>
>>> Hey Jim can you please list what we would lose (we don't really gain
>>> anything but we lose a lot.) if we moved to a 501(c)(6) organization?
>>>
>>> OWASP would lose 25% of its active membership, including myself, if it
>>> stopped being a charity. Also, anyone donating money to OWASP would lose the
>>> ability to deduct those funds. Trade associations are mostly vendor run and
>>> self funded. This is the exact opposite direction I think OWASP should be
>>> going in, IMO.
>>>
>>> Apologies for joining this thread late; I'm way behind on personal emails.
>>>
>>> If it's true that "anyone donating money to OWASP would lose the
>>> ability to deduct those funds", then my speculation is that OWASP would
>>> lose a significant portion of its corporate sponsored funding. At least
>>> that seems the logical conclusion if Jim's statement is true.
>>>
>>> It seems that this is one part of the decision that hasn't been
>>> mentioned though.
>>>
>>> -kevin
>>> --
>>> Blog: http://off-the-wall-security.blogspot.com/
>>> NSA: All your crypto bit are belong to us.
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders