[Owasp-leaders] OWASP charitable status

Jim Manico jim.manico at owasp.org
Mon Oct 12 06:02:47 UTC 2015


Tin,

These discussions are important and you have the option to hit delete and move on.

Unfortunately sometimes the board has to discuss things that are not AppSec like funding, conflict resolution and other meta-topics. It's also important to hear folks out even when we disagree, another critical aspect to being a board member.

Respectfully,
--
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
Join me in Rome for AppSecEU 2016!

> On Oct 12, 2015, at 7:07 AM, Tin Zaw <tin.zaw at owasp.org> wrote:
> 
> I think we should kill this discussion so that we can spend our time and energy on the real mission of OWASP -- making web applications more secure. 
> 
> 
> 
>> On Sun, Oct 11, 2015 at 3:40 PM, Jim Manico <jim.manico at owasp.org> wrote:
>> I feel the same way as well, Richard.  I have seen nothing to date that makes me think OWASP should be anything other than the charity that it is today and my votes reflect that. I am also opposed to being a charity •and• a trade association since I feel such a move would pollute the brand with no real benefit to our foundation. The Mozilla model seems worth exploring, but again from what I've read we do not have the same problems that Mozilla had.
>> 
>> However, my opinions aside, some very intelligent people have chimed in that there may be value to a different structure (especially Mike and Robert in this thread). I think it's my responsibility to hear them out and investigate this possibility.
>> 
>> I think the next step is to seek out a pro to answer a few questions. I'm happy to donate to this effort[1]. I don't want OWASP wasting money on this. Board members are supposed to heavily donate to our charity. I'm one for putting my money where my big mouth is.
>> 
>> [1] But I certainly would not donate to OWASP if it was a 501(c)6. •wink•
>> 
>> Aloha Nui Loa,
>> --
>> Jim Manico
>> Global Board Member
>> OWASP Foundation
>> https://www.owasp.org
>> Join me in Rome for AppSecEU 2016!
>> 
>>> On Oct 11, 2015, at 11:58 PM, Richard Greenberg <richard.greenberg at owasp.org> wrote:
>>> 
>>> I was very open to hearing what a change in our status could do for OWASP. I have reviewed both classifications, and really can find no benefit that we can achieve by spending a lot of time and money to switch our not-for-profit status. Please, let's focus on real achievements in software projects and move away from this effort. 
>>> 
>>> Also, keep in mind that several large corporations, such as Microsoft, have grant programs and free software donation to 501c3 organizations only.
>>> 
>>> Richard Greenberg, CISSP
>>> President, OWASP Los Angeles, www.owaspla.org
>>> ISSA Fellow
>>> President, ISSA Los Angeles, www.issa-la.org
>>> LinkedIn:  http://www.linkedin.com/in/richardagreenberg
>>> (424) 261-8111
>>> 
>>>> On Sun, Oct 11, 2015 at 2:46 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>>>> Hi all, 
>>>> 
>>>> thanks for this broad discussion and advice. And great know-how from the community on how to proceed, if we would need to. And seems many on the leaders list are knowledgeable in this area and well aligned with the current spirit and status of our community. 
>>>> 
>>>> We know how we could handle things if we wanted to change them. 
>>>> But to the basic question: Do we need to change and why? 
>>>> What is actually the problem with the current situation? 
>>>> Maybe I missed that piece, but so far I can not recall reading about what exactly we would want to do that would require us to use a 501(c)6. As several pointed out on the list, changing org structure is quite expensive and there are good reasons for our 501(c)3, I think without a reason or real need. 
>>>> 
>>>> Best regards, Tobias
>>>> 
>>>> 
>>>> 
>>>> 
>>>>> On 11/10/15 19:51, Mike Goodwin wrote:
>>>>> Jim - thanks for that info. Also, I hope you enjoy the baths. I started running today after very long layoff, so I could do with something similar myself!
>>>>> 
>>>>> I guess my main point is that if we were to look at any structure that had both a charity part and a non-charity part (of whatever type)  then I would want to see the charity part as the parent and in control, rather than vice-versa. That is the main aspect of the Mozilla model that I see as important. Presumably some or all of the OWASP (charity) board would also be on the board of the subsidiary to provide the governance to ensure the subsidiary was working solely to support the OWASP mission.
>>>>> 
>>>>> As to whether we should actually have that kind of two-level structure at all, I'm open minded. Things I would like to see in OWASP are:
>>>>> 
>>>>> - OWASP employs people to work full time on key projects to give them dedicated focus and acceleration - think of how much support Joyent give to node.js, for example
>>>>> - The most obvious candidates to be these key projects are our flagship projects but it could include other early-stage projects that were judged to have the right potential
>>>>> - The main website/wiki for OWASP and the key educational assets on it should also have a bigger full-time staff to make them genuinely world class. I'm thinking here of graphic designers, technical authors, web developers etc. to help get the most from the great content provided by all the subject matter expert contributors
>>>>> - All the above would probably need some more dedicated revenue raising effort to make it sustainable
>>>>> If we can do that without restructuring, then great, let's save the legal costs. I'm genuinely open minded on it.
>>>>> 
>>>>> Jim, I'm happy to join a call with some specialists - I'm not in a position to contribute to paying for it from my own funds though :o( Don't you think this inquiry is something that should be funded from OWASP funds though? It seems to me like a reasonable use of such funds...
>>>>> 
>>>>> Mike
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>>> On 11 October 2015 at 12:16, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>> Mike,
>>>>>> 
>>>>>> I think the main reason for Mozilla's corporate structure is because back in the day, 90% of their revenue came from Google advertising royalties and the IRS conducted an audit because of so much revenue coming from one company as well as the type of income (not a donation).
>>>>>> 
>>>>>> So Mozilla set up a for-profit entity to collect these fees legally and then donated that profit back to the charity.
>>>>>> 
>>>>>> I'm inclined to call the IRS or a legal expert in this area and ask a few questions about what is best for OWASP. If you would care to join me let me know. I appreciate your concern and perspective over this issue.
>>>>>> 
>>>>>> And hello from Budapest, Hungary. Enough of this for one day, I'm off to the local thermal baths with my wife. Priorities, eh? Time to soak...
>>>>>> 
>>>>>> Aloha,
>>>>>> --
>>>>>> Jim Manico
>>>>>> Global Board Member
>>>>>> OWASP Foundation
>>>>>> https://www.owasp.org
>>>>>> Join me in Rome for AppSecEU 2016!
>>>>>> 
>>>>>> On Oct 11, 2015, at 11:41 AM, Mike Goodwin <mike.goodwin at owasp.org> wrote:
>>>>>> 
>>>>>>> If this is being investigated further, it would be worth considering having a 501(c)3 parent with a wholly owned corporation (i.e. not a trade association 501(c)6) as a subsidiary. This is the model that Mozilla has and to my non-legal mind, it makes more sense if we want to keep our charitable mission since the charity would be the sole shareholder of the corp and therefore control it and ensure it served the mission of the charity. Also it would remove any legal non-compete restrictions that Jim mentioned. Regardless of the exact nature of the trade association/corporation, I think the charity should be the parent and not the other way round.
>>>>>>> 
>>>>>>> Mike
>>>>>>> 
>>>>>>> On 11 October 2015 at 09:54, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>>> Totally fair perspective, thanks for diving into this, Robert. If you would like to take me up on my offer to join me in researching this more with a professional in this area, let me know.
>>>>>>>> 
>>>>>>>> I'm extremely biased towards exclusively remaining a charity, but I'm happy to explore alternatives further.
>>>>>>>> 
>>>>>>>> Aloha,
>>>>>>>> --
>>>>>>>> Jim Manico
>>>>>>>> Global Board Member
>>>>>>>> OWASP Foundation
>>>>>>>> https://www.owasp.org
>>>>>>>> Join me in Rome for AppSecEU 2016!
>>>>>>>> 
>>>>>>>> On Oct 11, 2015, at 10:15 AM, Robert Shullich <robert.shullich at owasp.org> wrote:
>>>>>>>> 
>>>>>>>>> It was not my intention to say go this way, but switching the current organization to 501c6 exclusively doesn't have to be the only answer, I.e. Doing Both a 501c6 and a 501c3
>>>>>>>>> 
>>>>>>>>> As I said it will take a lot of resources, so I don't know if it would be quick. We would need to know the pros & cons. And yes, it looks like everyone else does it that way - but it doesn't mean that the configuration is right for us. Status quo may end up being the better way. 
>>>>>>>>> 
>>>>>>>>> Who knows - I don't 
>>>>>>>>> 
>>>>>>>>> Sent from my iPhone
>>>>>>>>> Robert Shullich, CPP, CISSP, CISM, GSEC, CIPP/US
>>>>>>>>> Enterprise Security Architect
>>>>>>>>> Tower Group Companies
>>>>>>>>> Pro Box 026156
>>>>>>>>> Brooklyn NY 11202
>>>>>>>>> (201) 291-7432 (Direct)
>>>>>>>>> (201) 221-8767 (Fax)
>>>>>>>>> (908) 419-5417 (Mobile)
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> On Oct 11, 2015, at 3:12 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>>>>> 
>>>>>>>>>> Robert "everyone is doing it" is a good reason to potentially research this more, but at the same time it's a bit creepy to hear that phrase uttered.
>>>>>>>>>> 
>>>>>>>>>> Another thing to consider is that trade associations cannot at all compete with its members. Per my understanding we would have to at least drop conference training since it competes with its members.
>>>>>>>>>> 
>>>>>>>>>> While I think this is a horrifically bad idea, I am happy to facilitate looking more closely into this. If you would like we can call the IRS charity customer support or similar together and ask questions and report back to the community. And since I've been quite aggressive in this conversation I'd also be happy to hire a lawyer that specializes in this area (at my personal expense) so we can ask pointed questions.
>>>>>>>>>> 
>>>>>>>>>> Regards,
>>>>>>>>>> Jim
>>>>>>>>>> 
>>>>>>>>>> •••••
>>>>>>>>>> 
>>>>>>>>>> Profits
>>>>>>>>>> Unlike 501(c)(3) charities, which can operate ancillary activities such as festivals or bake sales for profit, a 501(c)(6) organization may not oversee any profit-generating enterprises. The organization is also prohibited from offering the same type of services or products sold by its membership. For example, an association of optometrists may only work to improve the industry as a whole. If the organization examines patients or sells eyeglasses, it may lose its 501(c)(6) tax exemption.
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> --
>>>>>>>>>> Jim Manico
>>>>>>>>>> Global Board Member
>>>>>>>>>> OWASP Foundation
>>>>>>>>>> https://www.owasp.org
>>>>>>>>>> Join me in Rome for AppSecEU 2016!
>>>>>>>>>> 
>>>>>>>>>> On Oct 11, 2015, at 5:55 AM, Robert Shullich <robert.shullich at owasp.org> wrote:
>>>>>>>>>> 
>>>>>>>>>>> In the USA "anyone" is not true.
>>>>>>>>>>> 
>>>>>>>>>>> As a 501 c(3) anyone donating, may be eligible to deduct - within certain limits and thresholds - under a Schedule A under charitable donations, which means you also need to itemize your 1040.
>>>>>>>>>>> 
>>>>>>>>>>> Corporate sponsors on the other hand would not be doing this. They would most likely be deducting sponsorships as business expenses.
>>>>>>>>>>> 
>>>>>>>>>>> Also, individuals - even if not a 501 c(3) - can deduct dues and probably some donations as business expenses, which requires a Schedule C (if they run a business) or as an individual, itemize on a schedule A but is subject to anything over 2% 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> So in the USA I don't see corporate sponsorship being affected. I have no idea why we would lose 25% of membership, 
>>>>>>>>>>> 
>>>>>>>>>>> As I said before, and no one seemed to have any opinion or comment -
>>>>>>>>>>> 
>>>>>>>>>>> Is to consider making a 501c6 organization for OWASP for the membership and keep the OWASP foundation mainly for receiving and managing donations
>>>>>>>>>>> 
>>>>>>>>>>> The concept of having the membership as a 501c6 and a side foundation as a 501c3 is the current structure of ASIS, (ISC)2, and ISACA, to name a few. I don't see converting OWASP to this model as impossible, but will take a lot of work, budget, and filing new corporate papers as well as new tax determination letters.
>>>>>>>>>>> 
>>>>>>>>>>> As a 501c6 - OWASP would still be tax exempt non profit, but not a charitable organization. The foundation would remain a charitable non-profit and still collect donations, and should be able to pass most of those donations over to the 501c6.
>>>>>>>>>>> 
>>>>>>>>>>> I don't know what the advantages of doing this are, but almost everyone else is doing this, even universities, so there must be some benefit.
>>>>>>>>>>> 
>>>>>>>>>>> Sent from my iPhone
>>>>>>>>>>> Robert Shullich, CPP, CISSP, CISM, GSEC, CIPP/US
>>>>>>>>>>> Enterprise Security Architect
>>>>>>>>>>> Tower Group Companies
>>>>>>>>>>> Pro Box 026156
>>>>>>>>>>> Brooklyn NY 11202
>>>>>>>>>>> (201) 291-7432 (Direct)
>>>>>>>>>>> (201) 221-8767 (Fax)
>>>>>>>>>>> (908) 419-5417 (Mobile)
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>>> On Oct 10, 2015, at 8:40 PM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
>>>>>>>>>>>> On Thu, Oct 8, 2015 at 2:36 PM, Jim Manico <jim.manico at owasp.org> wrote
>>>>>>>>>>>>> Larry Conklin wrote:
>>>>>>>>>>>>>> Hey Jim can you please list what we would lose (we don't really gain
>>>>>>>>>>>>>> anything but we lose a lot.) if we moved to a 501(c)(6) organization?
>>>>>>>>>>>>> OWASP would lose 25% of its active membership, including myself, if it
>>>>>>>>>>>>> stopped being a charity. Also, anyone donating money to OWASP would lose the
>>>>>>>>>>>>> ability to deduct those funds. Trade associations are mostly vendor run and
>>>>>>>>>>>>> self funded. This is the exact opposite direction I think OWASP should be
>>>>>>>>>>>>> going in, IMO.
>>>>>>>>>>>> Apologies for joining this thread late; I'm way behind on personal emails.
>>>>>>>>>>>> If it's true that "anyone donating money to OWASP would lose the
>>>>>>>>>>>> ability to deduct those funds", then my speculation is that OWASP would
>>>>>>>>>>>> lose a significant portion of its corporate sponsored funding. At least
>>>>>>>>>>>> that seems the logical conclusion if Jim's statement is true.
>>>>>>>>>>>> It seems that this is one part of the decision that hasn't been
>>>>>>>>>>>> mentioned though.
>>>>>>>>>>>> -kevin
>>>>>>>>>>>> --
>>>>>>>>>>>> Blog: http://off-the-wall-security.blogspot.com/
>>>>>>>>>>>> NSA: All your crypto bit are belong to us.
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> OWASP-Leaders mailing list
>>>>>>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>> 
>>>> 
>> 
> 
> 
> 
> -- 
> Tin Zaw, CISSP 
> OWASP Volunteer
> Google Voice: (213) 973-9295
> LinkedIn: http://www.linkedin.com/in/tinzaw