[Owasp-leaders] OWASP charitable status

Tin Zaw tin.zaw at owasp.org
Mon Oct 12 05:07:43 UTC 2015


I think we should kill this discussion so that we can spend our time and
energy on the real mission of OWASP -- making web applications more secure.



On Sun, Oct 11, 2015 at 3:40 PM, Jim Manico <jim.manico at owasp.org> wrote:

> I feel the same way as well, Richard.  I have seen nothing to date that
> makes me think OWASP should be anything other than the charity that it is
> today and my votes reflect that. I am also opposed to being a charity •and•
> a trade association since I feel such a move would pollute the brand with
> no real benefit to our foundation. The Mozilla model seems worth exploring,
> but again from what I've read we do not have the same problems that Mozilla
> had.
>
> However, my opinions aside, some very intelligent people have chimed in
> that there may be value to a different structure (especially Mike and
> Robert in this thread). I think it's my responsibility to hear them out and
> investigate this possibility.
>
> I think the next step is to seek out a pro to answer a few questions. I'm
> happy to donate to this effort[1]. I don't want OWASP wasting money on
> this. Board members are supposed to heavily donate to our charity. I'm one
> for putting my money where my big mouth is.
>
> [1] But I certainly would not donate to OWASP if it was a 501(c)6. •wink•
>
> Aloha Nui Loa,
> --
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
> Join me in Rome for AppSecEU 2016!
>
> On Oct 11, 2015, at 11:58 PM, Richard Greenberg <
> richard.greenberg at owasp.org> wrote:
>
> I was very open to hearing what a change in our status could do for OWASP.
> I have reviewed both classifications, and really can find no benefit that
> we can achieve by spending a lot of time and money to switch our
> not-for-profit status. Please, let's focus on real achievements in software
> projects and move away from this effort.
>
> Also, keep in mind that several large corporations, such as Microsoft,
> have grant programs and free software donation to 501c3 organizations only.
>
> Richard Greenberg, CISSP
> President, OWASP Los Angeles, www.owaspla.org <http://www.appsecusa.org/>
> ISSA Fellow
> President, ISSA Los Angeles, www.issa-la.org <http://www.appsecusa.org/>
> LinkedIn:  http://www.linkedin.com/in/richardagreenberg
> (424) 261-8111
>
> On Sun, Oct 11, 2015 at 2:46 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>
>> Hi all,
>>
>> thanks for this broad discussion and advice. And great know-how from the
>> community on how to proceed, if we would need to. And seems many on the
>> leaders list are knowledgeable in this area and well aligned with the
>> current spirit and status of our community.
>>
>> We know how we could handle things if we wanted to change them.
>> But to the basic question: Do we need to change and why?
>> What is actually the problem with the current situation?
>> Maybe I missed that piece, but so far I can not recall reading about what
>> exactly we would want to do that would require us to use a 501(c)6. As
>> several pointed out on the list, changing org structure is quite expensive
>> and there are good reasons for our 501(c)3, I think without a reason or
>> real need.
>>
>> Best regards, Tobias
>>
>>
>>
>>
>> On 11/10/15 19:51, Mike Goodwin wrote:
>>
>> Jim - thanks for that info. Also, I hope you enjoy the baths. I started
>> running today after very long layoff, so I could do with something similar
>> myself!
>>
>> I guess my main point is that if we were to look at any structure that
>> had both a charity part and a non-charity part (of whatever type)  then I
>> would want to see the charity part as the parent and in control, rather
>> than vice-versa. That is the main aspect of the Mozilla model that I see as
>> important. Presumably some or all of the OWASP (charity) board would also
>> be on the board of the subsidiary to provide the governance to ensure the
>> subsidiary was working solely to support the OWASP mission.
>>
>> As to whether we should actually *have* that kind of two-level structure
>> at all, I'm open minded. Things I would like to see in OWASP are:
>>
>>
>>    - OWASP employs people to work full time on key projects to give them
>>    dedicated focus and acceleration - think of how much support Joyent give to
>>    node.js, for example
>>    - The most obvious candidates to be these key projects are our
>>    flagship projects but it could include other early-stage projects that
>>    were judged to have the right potential
>>    - The main website/wiki for OWASP and the key educational assets on
>>    it should also have a bigger full-time staff to make them genuinely world
>>    class. I'm thinking here of graphic designers, technical authors, web
>>    developers etc. to help get the most from the great content provided by all
>>    the subject matter expert contributors
>>    - All the above would probably need some more dedicated revenue
>>    raising effort to make it sustainable
>>
>> If we can do that without restructuring, then great, let's save the legal
>> costs. I'm genuinely open minded on it.
>>
>> Jim, I'm happy to join a call with some specialists - I'm not in a
>> position to contribute to paying for it from my own funds though :o( Don't
>> you think this inquiry is something that should be funded from OWASP funds
>> though? It seems to me like a reasonable use of such funds...
>>
>> Mike
>>
>>
>>
>>
>>
>>
>> On 11 October 2015 at 12:16, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> Mike,
>>>
>>> I think the main reason for Mozilla's corporate structure is because
>>> back in the day, 90% of their revenue came from Google advertising
>>> royalties and the IRS conducted an audit because of so much revenue coming
>>> from one company as well as the type of income (not a donation).
>>>
>>> So Mozilla set up a for-profit entity to collect these fees legally and
>>> then donated that profit back to the charity.
>>>
>>> I'm inclined to call the IRS or a legal expert in this area and ask a
>>> few questions about what is best for OWASP. If you would care to join me
>>> let me know. I appreciate your concern and perspective over this issue.
>>>
>>> And hello from Budapest, Hungary. Enough of this for one day, I'm off to
>>> the local thermal baths with my wife. Priorities, eye? Time to soak...
>>>
>>> Aloha,
>>> --
>>> Jim Manico
>>> Global Board Member
>>> OWASP Foundation
>>> https://www.owasp.org
>>> Join me in Rome for AppSecEU 2016!
>>>
>>> On Oct 11, 2015, at 11:41 AM, Mike Goodwin <mike.goodwin at owasp.org>
>>> wrote:
>>>
>>> If this is being investigated further, it would be worth considering
>>> having a 501(c)3 parent with a wholly owned corporation (i.e. not a trade
>>> association 501(c)6) as a subsidiary. This is the model that Mozilla has
>>> and to my non-legal mind, it makes more sense if we want to keep our
>>> charitable mission since the charity would be the sole shareholder of the
>>> corp and therefore control it and ensure it served the mission of the
>>> charity. Also it would remove any legal non-compete restrictions that Jim
>>> mentioned. Regardless of the exact nature of the trade
>>> association/corporation, I think the charity should be the parent and not
>>> the other way round.
>>>
>>> Mike
>>>
>>> On 11 October 2015 at 09:54, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>> Totally fair perspective, thanks for diving into this, Robert. If you
>>>> would like to take me up on my offer to join me in researching this more
>>>> with a professional in this area, let me know.
>>>>
>>>> I'm extremely biased towards exclusively remaining a charity, but I'm
>>>> happy to explore alternatives further.
>>>>
>>>> Aloha,
>>>> --
>>>> Jim Manico
>>>> Global Board Member
>>>> OWASP Foundation
>>>> https://www.owasp.org
>>>> Join me in Rome for AppSecEU 2016!
>>>>
>>>> On Oct 11, 2015, at 10:15 AM, Robert Shullich <
>>>> robert.shullich at owasp.org> wrote:
>>>>
>>>> It was not my intention to say go this way, but switching the current
>>>> organization to 501c6 exclusively doesn't have to be the only answer, I.e.
>>>> Doing Both a 501c6 and a 501c3
>>>>
>>>> As I said it will take a lot of resources, so I don't know if it would
>>>> be quick. We would need to know the pros & cons. And yes, it looks like
>>>> everyone else does it that way - but it doesn't mean that the configuration
>>>> is right for us. Status quo may end up being the better way.
>>>>
>>>> Who knows - I don't
>>>>
>>>> Sent from my iPhone
>>>> Robert Shullich, CPP, CISSP, CISM, GSEC, CIPP/US
>>>> Enterprise Security Architect
>>>> Tower Group Companies
>>>> Pro Box 026156
>>>> Brooklyn NY 11202
>>>> (201) 291-7432 (Direct)
>>>> (201) 221-8767 (Fax)
>>>> (908) 419-5417 (Mobile)
>>>>
>>>>
>>>> On Oct 11, 2015, at 3:12 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>
>>>> Robert "everyone is doing it" is a good reason to potentially research
>>>> this more, but at the same time it's a bit creepy to hear that phrase
>>>> uttered.
>>>>
>>>> Another thing to consider is that trade associations cannot at all
>>>> compete with its members. Per my understanding we would have to at least
>>>> drop conference training since it competes with its members.
>>>>
>>>> While I think this is a horrifically bad idea, I am happy to facilitate
>>>> looking more closely into this. If you would like we can call the IRS
>>>> charity customer support or similar together and ask questions and report
>>>> back to the community. And since I've been quite aggressive in this
>>>> conversation I'd also be happy to hire a lawyer that specializes in this
>>>> area (at my personal expense) so we can ask pointed questions.
>>>>
>>>> Regards,
>>>> Jim
>>>>
>>>> •••••
>>>>
>>>> Profits
>>>>
>>>> Unlike 501(c)(3) charities, which can operate ancillary activities such
>>>> as festivals or bake sales for profit, a 501(c)(6) organization may not
>>>> oversee any profit-generating enterprises. The organization is also
>>>> prohibited from offering the same type of services or products sold by its
>>>> membership. For example, an association of optometrists may only work to
>>>> improve the industry as a whole. If the organization examines patients or
>>>> sells eyeglasses, it may lose its 501(c)(6) tax exemption.
>>>>
>>>> --
>>>> Jim Manico
>>>> Global Board Member
>>>> OWASP Foundation
>>>> https://www.owasp.org
>>>> Join me in Rome for AppSecEU 2016!
>>>>
>>>> On Oct 11, 2015, at 5:55 AM, Robert Shullich <robert.shullich at owasp.org>
>>>> wrote:
>>>>
>>>> In the USA "anyone" is not true.
>>>>
>>>> As a 501 c(3) anyone donating, may be eligible to deduct - within
>>>> certain limits and thresholds - under a Schedule A under charitable
>>>> donations, which means you also need to itemize your 1040.
>>>>
>>>> Corporate sponsors on the other hand would not be doing this. They
>>>> would most likely be deducting sponsorships as business expenses.
>>>>
>>>> Also, individuals - even if not a 501 c(3) - can deduct dues and
>>>> probably some donations as business expenses, which requires a Schedule C
>>>> (if they run a business) or as an individual, itemize on a schedule A but
>>>> is subject to anything over 2%
>>>>
>>>>
>>>> So in the USA I don't see corporate sponsorship being affected. I have
>>>> no idea why we would lose 25% of membership,
>>>>
>>>> As I said before, and no one seemed to have any opinion or comment -
>>>>
>>>> Is to consider making a 501c6 organization for OWASP for the membership
>>>> and keep the OWASP foundation mainly for receiving and managing donations
>>>>
>>>> The concept of having the membership as a 501c6 and a side foundation
>>>> as a 501c3 is the current structure of ASIS, (ISC)2, and ISACA, to name a
>>>> few. I don't see converting OWASP  to this model as impossible, but will
>>>> take a lot of work, budget, and filing new corporate papers as well as new
>>>> tax determination letters.
>>>>
>>>> As a 501c6 - OWASP would still be tax exempt non profit, but not a
>>>> charitable organization. The foundation would remain a charitable
>>>> non-profit and still collect donations, and should be able to pass most of
>>>> those donations over to the 501c6.
>>>>
>>>> I don't know what the advantages of doing this are, but almost everyone
>>>> else is doing this, even universities, so there must be some benefit.
>>>>
>>>> Sent from my iPhone
>>>> Robert Shullich, CPP, CISSP, CISM, GSEC, CIPP/US
>>>> Enterprise Security Architect
>>>> Tower Group Companies
>>>> Pro Box 026156
>>>> Brooklyn NY 11202
>>>> (201) 291-7432 (Direct)
>>>> (201) 221-8767 (Fax)
>>>> (908) 419-5417 (Mobile)
>>>>
>>>>
>>>> On Oct 10, 2015, at 8:40 PM, Kevin W. Wall <kevin.w.wall at gmail.com>
>>>> wrote:
>>>>
>>>>
>>>> On Thu, Oct 8, 2015 at 2:36 PM, Jim Manico <jim.manico at owasp.org> wrote
>>>>
>>>> Larry Conklin wrote:
>>>>
>>>> Hey Jim can you please list what we would lose (we don't really gain
>>>> anything but we lose a lot.) if we moved to a 501(c)(6) organization?
>>>>
>>>> OWASP would lose 25% of its active membership, including myself, if it
>>>> stopped being a charity. Also, anyone donating money to OWASP would lose the
>>>> ability to deduct those funds. Trade associations are mostly vendor run and
>>>> self funded. This is the exact opposite direction I think OWASP should be
>>>> going in, IMO.
>>>>
>>>> Apologies for joining this thread late; I'm way behind on personal emails.
>>>>
>>>> If it's true that "anyone donating money to OWASP would lose the
>>>> ability to deduct those funds", then my speculation is that OWASP would
>>>> lose a significant portion of its corporate sponsored funding. At least
>>>> that seems the logical conclusion if Jim's statement is true.
>>>>
>>>> It seems that this is one part of the decision that hasn't been
>>>> mentioned though.
>>>>
>>>> -kevin
>>>> --
>>>> Blog: http://off-the-wall-security.blogspot.com/
>>>> NSA: All your crypto bit are belong to us.
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>>


-- 
Tin Zaw, CISSP
OWASP Volunteer
Google Voice: (213) 973-9295
LinkedIn: http://www.linkedin.com/in/tinzaw