[Owasp-leaders] Project Sponshorship, Support, and Finance

Matt Tesauro matt.tesauro at owasp.org
Mon Dec 11 03:44:27 UTC 2017


Steve,

I'm no longer an OWASP employee but I have a pretty good understanding of
how things work at OWASP so maybe I can help.

First I need some info to help narrow down how this donation happened.

(1) When you say:
> The contribution was made using the same/similar mechanism the OWASP
Defect Dojo project uses
Do you mean PayPal?  If so, what form and importantly form variables did
you use?  Look at this previous Leaders List post for more info on PayPal
donations:
http://lists.owasp.org/pipermail/owasp-leaders/2017-November/018762.html

(2) When you say:
> I immediately reached out to OWASP accounting and a few other individuals
Are these direct emails?  For OWASP accounting, do you mean '
accounting at owasp.org'?  Were any of these made to the Contact Us form at
https://www.tfaforms.com/308703?  Depending on how you reached out to
OWASP, the visibility of that request may be restricted to a single
person's inbox or co-mingled in a shared inbox used by the current
accounting contractors.  If there's a failure in a particular means to
contact OWASP staff, they'd need to know exactly how you reached out so
that leaky method can get shored up.

(3) When you say:
> even though the vendor shared those details with me.
Were those details shared in the times you reached out to OWASP?  One thing
I learned while on staff is that things are more complex then I ever
expected.  Multiple bank accounts in various currencies, 2 primary OWASP
charities (OWASP Foundation and OWASP EU), PayPal, RegOnline, EventBrite,
Meetup, the new AMS - these are just a few the methods funds might come
into OWASP.  It's a consequence of rapid, organic growth and OWASP trying
to meet the needs of a diverse community around the world.  Yes, the org
probably could have done a better job providing a 'paved road' for
donations but it's rather tricky to find a single funding mechanism that
works reliably world-wide and for any currency.

I'm happy to have this conversation here or you can reply directly to me.

Cheers!

--
-- Matt Tesauro
OWASP AppSec Pipeline Lead
https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
OWASP WTE Project Lead
*https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
<https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project>*
http://AppSecLive.org <http://appseclive.org/> - Community and Download site

On Sun, Dec 10, 2017 at 12:10 PM, Steve Springett <steve.springett at owasp.org
> wrote:

> One of the primary reasons why I choose to participate in OWASP projects
> as well as start my own is the support that the OWASP organization provides
> including the wiki, appsec activities, and project sponsorship.
>
> The decision to have donated multiple open source projects to OWASP has
> been tested over the past month without acceptable results.
>
> As many of you know, I have been heavily involved in Dependency-Check
> since 2012 and started Dependency-Track in 2013. Dependency-Track v3 (to be
> released in Q1 2018) will be the result of an entire year of work which has
> resulted in the creation of several supporting and smaller projects and
> many enhancements to Dependency-Check along the way.
>
> One of those smaller supporting projects is actually a big deal to a
> specific vulnerability intelligence vendor. I am working to incorporate the
> service the vendor provides as an optional feature into both
> Dependency-Check and Dependency-Track in an effort to bring additional
> capabilities to these projects on par with their commercial counterparts.
> The vendor in turn, chose to sponsor Dependency-Track, an act that I
> thought was very kind and very much appreciated that would actually benefit
> both the Dependency-Check and Dependency-Track projects as a result.
>
> The vendor informed me on November 3rd they made the donation and I
> immediately reached out to OWASP accounting and a few other individuals
> throughout the course of November including communications on November 4th,
> November 8th, November 10th, and November 28th. My purpose for this email
> is NOT to point fingers at individuals. Relying on a single person in an
> organization instead of an agreed upon process supported by leadership
> makes OWASP no better than a recent CEO pointing fingers at a single person
> for not applying a patch. It’s absurd and laughable. If relying on a single
> person is strategic, that strategy is flawed and needs to be fixed.
>
> Five weeks after the vendor made the contribution to sponsor the project
> and I still have not heard any details from OWASP about the nature of the
> contribution - even though the vendor shared those details with me.
>
> Five weeks after the vendor made the contribution and I still am not able
> to publicly thank them for their contribution.
>
> Five weeks after the vendor made the contribution and I’m still not able
> to follow the guidelines outlined in https://www.owasp.org/index.
> php/Project_Sponsorship_Operational_Guidelines.
>
> Providing details on the contribution is required if OWASP expects to have
> project sponsorship. Even an answer that the contribution was made in error
> and was a general contribution instead would be an acceptable answer. No
> answer at all is not acceptable and I question OWASP’s ability to provide
> project sponsorship in the first place.
>
> The contribution was made using the same/similar mechanism the OWASP
> Defect Dojo project uses. I question if that project, or any other project
> using this method have received the support they deserve.
>
> If the donor didn’t inform me of their contribution, I would likely never
> know about this situation. This is not the type of organization I want to
> continue to be associated with.
>
> I am asking for a thorough review, not only on the Dependency-Track
> project, but on all projects that use this method of donation.
>
> I have not decided whether or not to continue donating my projects to
> OWASP or not. At risk for being pulled from OWASP are:
>
> Dependency-Check Jenkins plugin
> Dependency-Check SonarQube plugin
> Dependency-Track
>
> In all cases however, I will be removing the OWASP name from the above
> projects.
>
>
>
>> *Steve Springett*
> About:   https://about.me/stevespringett
> GitHub:   https://github.com/stevespringett
> Keybase:   https://keybase.io/stevespringett   <https://www.owasp.org>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20171210/3e43174f/attachment.html>


More information about the OWASP-Leaders mailing list