[Owasp-leaders] Project Sponsorship, Support, and Finance
colin.watson at owasp.org
Wed Dec 13 20:14:57 UTC 2017
I stumbled across a document which lists financial transactions per
project. Look for the two links under the heading 'Fund Details' on:
Last updated 30 Nov 2017. I don't think this has been highlighted to
project leaders though.
On 11 December 2017 at 19:47, Brian Glas <brian.glas at owasp.org> wrote:
> You aren’t alone.
> I had an OWASP Chapter generously donate to two projects that I’m a
> co-lead on, and I still can’t confirm that the money has been transferred,
> hence I can’t publicly say thank you.
> He informed me that it was done over three weeks ago and I’ve asked about
> it and was told to check the donation spreadsheet. As of last week it
> hadn’t been updated since late Oct. This week it shows that it was updated
> on Nov 30, but the amounts I’m expecting aren’t in either project's budget
> line item. I’m not sure what to do at this point as I have zero faith in
> the accuracy of the numbers in the donation scorecard, but I have no other
> system to turn to.
> On Dec 10, 2017, at 10:44 PM, Matt Tesauro <matt.tesauro at owasp.org> wrote:
> I'm no longer an OWASP employee but I have a pretty good understanding of
> how things work at OWASP so maybe I can help.
> First I need some info to help narrow down how this donation happened.
> (1) When you say:
> > The contribution was made using the same/similar mechanism the OWASP
> Defect Dojo project uses
> Do you mean PayPal? If so, what form and importantly form variables did
> you use? Look at this previous Leaders List post for more info on PayPal
> donations: http://lists.owasp.org/pipermail/owasp-leaders/
> (2) When you say:
> > I immediately reached out to OWASP accounting and a few other
> Are these direct emails? For OWASP accounting, do you mean
> 'accounting at owasp.org'? Were any of these made to the Contact Us form at
> https://www.tfaforms.com/308703? Depending on how you reached out to
> OWASP, the visibility of that request may be restricted to a single
> person's inbox or co-mingled in a shared inbox used by the current
> accounting contractors. If there's a failure in a particular means to
> contact OWASP staff, they'd need to know exactly how you reached out so
> that leaky method can get shored up.
> (3) When you say:
> > even though the vendor shared those details with me.
> Were those details shared in the times you reached out to OWASP? One
> thing I learned while on staff is that things are more complex than I ever
> expected. Multiple bank accounts in various currencies, 2 primary OWASP
> charities (OWASP Foundation and OWASP EU), PayPal, RegOnline, EventBrite,
> Meetup, the new AMS - these are just a few of the methods funds might come
> into OWASP. It's a consequence of rapid, organic growth and OWASP trying
> to meet the needs of a diverse community around the world. Yes, the org
> probably could have done a better job providing a 'paved road' for
> donations but it's rather tricky to find a single funding mechanism that
> works reliably world-wide and for any currency.
> I'm happy to have this conversation here or you can reply directly to me.
> -- Matt Tesauro
> OWASP AppSec Pipeline Lead
> OWASP WTE Project Lead
> http://AppSecLive.org - Community and Download
> On Sun, Dec 10, 2017 at 12:10 PM, Steve Springett <
> steve.springett at owasp.org> wrote:
>> One of the primary reasons why I choose to participate in OWASP projects
>> as well as start my own is the support that the OWASP organization provides
>> including the wiki, appsec activities, and project sponsorship.
>> The decision to have donated multiple open source projects to OWASP has
>> been tested over the past month without acceptable results.
>> As many of you know, I have been heavily involved in Dependency-Check
>> since 2012 and started Dependency-Track in 2013. Dependency-Track v3 (to be
>> released in Q1 2018) will be the result of an entire year of work which has
>> resulted in the creation of several supporting and smaller projects and
>> many enhancements to Dependency-Check along the way.
>> One of those smaller supporting projects is actually a big deal to a
>> specific vulnerability intelligence vendor. I am working to incorporate the
>> service the vendor provides as an optional feature into both
>> Dependency-Check and Dependency-Track in an effort to bring additional
>> capabilities to these projects on par with their commercial counterparts.
>> The vendor in turn, chose to sponsor Dependency-Track, an act that I
>> thought was very kind and very much appreciated that would actually benefit
>> both the Dependency-Check and Dependency-Track projects as a result.
>> The vendor informed me on November 3rd they made the donation and I
>> immediately reached out to OWASP accounting and a few other individuals
>> throughout the course of November including communications on November 4th,
>> November 8th, November 10th, and November 28th. My purpose for this email
>> is NOT to point fingers at individuals. Relying on a single person in an
>> organization instead of an agreed upon process supported by leadership
>> makes OWASP no better than a recent CEO pointing fingers at a single person
>> for not applying a patch. It’s absurd and laughable. If relying on a single
>> person is strategic, that strategy is flawed and needs to be fixed.
>> Five weeks after the vendor made the contribution to sponsor the project
>> and I still have not heard any details from OWASP about the nature of the
>> contribution - even though the vendor shared those details with me.
>> Five weeks after the vendor made the contribution and I still am not able
>> to publicly thank them for their contribution.
>> Five weeks after the vendor made the contribution and I’m still not able
>> to follow the guidelines outlined in https://www.owasp.org/index.ph
>> Providing details on the contribution is required if OWASP expects to
>> have project sponsorship. Even an answer that the contribution was made in
>> error and was a general contribution instead would be an acceptable answer.
>> No answer at all is not acceptable and I question OWASP’s ability to
>> provide project sponsorship in the first place.
>> The contribution was made using the same/similar mechanism the OWASP
>> Defect Dojo project uses. I question if that project, or any other project
>> using this method have received the support they deserve.
>> If the donor didn’t inform me of their contribution, I would likely never
>> know about this situation. This is not the type of organization I want to
>> continue to be associated with.
>> I am asking for a thorough review, not only on the Dependency-Track
>> project, but on all projects that use this method of donation.
>> I have not decided whether or not to continue donating my projects to
>> OWASP. At risk for being pulled from OWASP are:
>> Dependency-Check Jenkins plugin
>> Dependency-Check SonarQube plugin
>> In all cases however, I will be removing the OWASP name from the above
>> *Steve Springett*
>> About: https://about.me/stevespringett
>> GitHub: https://github.com/stevespringett
>> Keybase: https://keybase.io/stevespringett
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org