[Owasp-leaders] Project Sponsorship, Support, and Finance

Bjoern Kimminich bjoern.kimminich at owasp.org
Thu Dec 14 10:13:50 UTC 2017


Hi Tiffany,

I think what would really help in regards to transparency is OWASP's plan to avoid problems with donation earmarking in the future. Also if there's anything we as project/chapter leaders can do to help.

I can of course bug you and the accounting team for donations *I know of* until you find and assign them to my budget. But that doesn't work for ones *I am not aware of*...

Cheers, 
Björn 



On 14 December 2017 at 10:53:16 CET, Tiffany Long <tiffany.long at owasp.org> wrote:
>Brian, can you pinpoint the transactions it is missing for you?  Staff has been working with the accounting team to straighten this out, but it seems that each of us only has part of the answer.  We are trying to track down the issues and stamp them out one at a time.  Any specific information you have would be very helpful.
>Best,
>Tiffany
>
>Tiffany Long
>Community Manager
>
>On Wed, Dec 13, 2017 at 12:33 PM, Brian Glas <brian.glas at owasp.org> wrote:
>
>> Appreciate that Colin, unfortunately it’s missing several Oct/Nov transactions, even with the date stamp of 11/30/17.
>>
>> Thanks,
>> Brian
>>
>>
>> On Dec 13, 2017, at 3:14 PM, Colin Watson <colin.watson at owasp.org> wrote:
>>
>> I stumbled across a document which lists financial transactions per project. Look for the two links under the heading 'Fund Details' on:
>>
>> https://www.owasp.org/index.php/Category:OWASP_Project
>>
>> Last updated 30 Nov 2017. I don't think this has been highlighted to project leaders though.
>>
>> Colin
>>
>>
>>
>> On 11 December 2017 at 19:47, Brian Glas <brian.glas at owasp.org> wrote:
>>
>>> Steve,
>>> You aren’t alone.
>>>
>>> I had an OWASP Chapter generously donate to two projects that I’m a co-lead on, and I still can’t confirm that the money has been transferred, hence I can’t publicly say thank you.
>>> He informed me that it was done over three weeks ago and I’ve asked about it and was told to check the donation spreadsheet. As of last week it hadn’t been updated since late Oct. This week it shows that it was updated on Nov 30, but the amounts I’m expecting aren’t in either project's budget line item. I’m not sure what to do at this point as I have zero faith in the accuracy of the numbers in the donation scorecard, but I have no other system to turn to.
>>>
>>> Thanks,
>>> Brian
>>>
>>>
>>> On Dec 10, 2017, at 10:44 PM, Matt Tesauro <matt.tesauro at owasp.org> wrote:
>>>
>>> Steve,
>>>
>>> I'm no longer an OWASP employee but I have a pretty good understanding of how things work at OWASP so maybe I can help.
>>>
>>> First I need some info to help narrow down how this donation happened.
>>>
>>> (1) When you say:
>>> > The contribution was made using the same/similar mechanism the OWASP Defect Dojo project uses
>>> Do you mean PayPal?  If so, what form and importantly form variables did you use?  Look at this previous Leaders List post for more info on PayPal donations: http://lists.owasp.org/pipermail/owasp-leaders/2017-November/018762.html
>>>
>>> (2) When you say:
>>> > I immediately reached out to OWASP accounting and a few other individuals
>>> Are these direct emails?  For OWASP accounting, do you mean 'accounting at owasp.org'?  Were any of these made to the Contact Us form at https://www.tfaforms.com/308703?  Depending on how you reached out to OWASP, the visibility of that request may be restricted to a single person's inbox or co-mingled in a shared inbox used by the current accounting contractors.  If there's a failure in a particular means to contact OWASP staff, they'd need to know exactly how you reached out so that leaky method can get shored up.
>>>
>>> (3) When you say:
>>> > even though the vendor shared those details with me.
>>> Were those details shared in the times you reached out to OWASP?  One thing I learned while on staff is that things are more complex than I ever expected.  Multiple bank accounts in various currencies, 2 primary OWASP charities (OWASP Foundation and OWASP EU), PayPal, RegOnline, EventBrite, Meetup, the new AMS - these are just a few of the methods funds might come into OWASP.  It's a consequence of rapid, organic growth and OWASP trying to meet the needs of a diverse community around the world.  Yes, the org probably could have done a better job providing a 'paved road' for donations but it's rather tricky to find a single funding mechanism that works reliably world-wide and for any currency.
>>>
>>> I'm happy to have this conversation here or you can reply directly to me.
>>>
>>> Cheers!
>>>
>>> --
>>> -- Matt Tesauro
>>> OWASP AppSec Pipeline Lead
>>> https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
>>> OWASP WTE Project Lead
>>> https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
>>> http://AppSecLive.org - Community and Download site
>>>
>>> On Sun, Dec 10, 2017 at 12:10 PM, Steve Springett <steve.springett at owasp.org> wrote:
>>>
>>>> One of the primary reasons why I choose to participate in OWASP projects as well as start my own is the support that the OWASP organization provides including the wiki, appsec activities, and project sponsorship.
>>>>
>>>> The decision to have donated multiple open source projects to OWASP has been tested over the past month without acceptable results.
>>>>
>>>> As many of you know, I have been heavily involved in Dependency-Check since 2012 and started Dependency-Track in 2013. Dependency-Track v3 (to be released in Q1 2018) will be the result of an entire year of work which has resulted in the creation of several supporting and smaller projects and many enhancements to Dependency-Check along the way.
>>>>
>>>> One of those smaller supporting projects is actually a big deal to a specific vulnerability intelligence vendor. I am working to incorporate the service the vendor provides as an optional feature into both Dependency-Check and Dependency-Track in an effort to bring additional capabilities to these projects on par with their commercial counterparts. The vendor, in turn, chose to sponsor Dependency-Track, an act that I thought was very kind and very much appreciated that would actually benefit both the Dependency-Check and Dependency-Track projects as a result.
>>>>
>>>> The vendor informed me on November 3rd they made the donation and I immediately reached out to OWASP accounting and a few other individuals throughout the course of November including communications on November 4th, November 8th, November 10th, and November 28th. My purpose for this email is NOT to point fingers at individuals. Relying on a single person in an organization instead of an agreed upon process supported by leadership makes OWASP no better than a recent CEO pointing fingers at a single person for not applying a patch. It’s absurd and laughable. If relying on a single person is strategic, that strategy is flawed and needs to be fixed.
>>>>
>>>> Five weeks after the vendor made the contribution to sponsor the project and I still have not heard any details from OWASP about the nature of the contribution - even though the vendor shared those details with me.
>>>>
>>>> Five weeks after the vendor made the contribution and I still am not able to publicly thank them for their contribution.
>>>>
>>>> Five weeks after the vendor made the contribution and I’m still not able to follow the guidelines outlined in https://www.owasp.org/index.php/Project_Sponsorship_Operational_Guidelines.
>>>>
>>>> Providing details on the contribution is required if OWASP expects to have project sponsorship. Even an answer that the contribution was made in error and was a general contribution instead would be an acceptable answer. No answer at all is not acceptable and I question OWASP’s ability to provide project sponsorship in the first place.
>>>>
>>>> The contribution was made using the same/similar mechanism the OWASP Defect Dojo project uses. I question if that project, or any other project using this method, has received the support they deserve.
>>>>
>>>> If the donor didn’t inform me of their contribution, I would likely never know about this situation. This is not the type of organization I want to continue to be associated with.
>>>>
>>>> I am asking for a thorough review, not only on the Dependency-Track project, but on all projects that use this method of donation.
>>>>
>>>> I have not decided whether or not to continue donating my projects to OWASP. At risk for being pulled from OWASP are:
>>>>
>>>> Dependency-Check Jenkins plugin
>>>> Dependency-Check SonarQube plugin
>>>> Dependency-Track
>>>>
>>>> In all cases however, I will be removing the OWASP name from the above projects.
>>>>
>>>>
>>>> Steve Springett
>>>> About:   https://about.me/stevespringett
>>>> GitHub:   https://github.com/stevespringett
>>>> Keybase:   https://keybase.io/stevespringett
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>>
>>
>>