[Owasp-leaders] Project Sponsorship, Support, and Finance

Tiffany Long tiffany.long at owasp.org
Thu Dec 14 10:16:02 UTC 2017


Agreed Bjoern.  Claudia, Tom and I have been trying to take them item by
item and look for patterns from what we find, and I am working my way
through reaching out to each chapter individually.  I should be done in 24
hours.

Tiffany Long
Community Manager

On Thu, Dec 14, 2017 at 2:13 AM, Bjoern Kimminich <
bjoern.kimminich at owasp.org> wrote:

> Hi Tiffany,
>
> I think what would really help in regards to transparency is OWASP's plan
> to avoid problems with donation earmarking in the future. Also if there's
> anything we as project/chapter leaders can do to help.
>
> I can of course bug you and the accounting team for donations *I know of*
> until you find and assign them to my budget. But that doesn't work for ones
> *I am not aware of*...
>
> Cheers,
> Björn
>
>
>
> On 14 December 2017 at 10:53:16 CET, Tiffany Long <
> tiffany.long at owasp.org> wrote:
>>
>> Brian, can you pinpoint the transactions it is missing for you?  Staff
>> has been working with the accounting team to straighten this out, but it
>> seems that each of us only have part of the answer.  We are trying to track
>> down the issues and stamp them out one at a time.  Any specific information
>> you have would be very helpful.
>> Best,
>> Tiffany
>>
>> Tiffany Long
>> Community Manager
>>
>> On Wed, Dec 13, 2017 at 12:33 PM, Brian Glas <brian.glas at owasp.org>
>> wrote:
>>
>>> Appreciate that Colin, unfortunately it’s missing several Oct/Nov
>>> transactions, even with the date stamp of 11/30/17.
>>>
>>> Thanks,
>>> Brian
>>>
>>>
>>> On Dec 13, 2017, at 3:14 PM, Colin Watson <colin.watson at owasp.org>
>>> wrote:
>>>
>>> I stumbled across a document which lists financial transactions per
>>> project. Look for the two links under the heading 'Fund Details' on:
>>>
>>> https://www.owasp.org/index.php/Category:OWASP_Project
>>>
>>> Last updated 30 Nov 2017. I don't think this has been highlighted to
>>> project leaders though.
>>>
>>> Colin
>>>
>>>
>>>
>>> On 11 December 2017 at 19:47, Brian Glas <brian.glas at owasp.org> wrote:
>>>
>>>> Steve,
>>>> You aren’t alone.
>>>>
>>>> I had an OWASP Chapter generously donate to two projects that I’m a
>>>> co-lead on, and I still can’t confirm that the money has been transferred,
>>>> hence I can’t publicly say thank you.
>>>> He informed me that it was done over three weeks ago and I’ve asked
>>>> about it and was told to check the donation spreadsheet. As of last week it
>>>> hadn’t been updated since late Oct. This week it shows that it was updated
>>>> on Nov 30, but the amounts I’m expecting aren’t in either projects budget
>>>> line item. I’m not sure what to do at this point as I have zero faith in
>>>> the accuracy of the numbers in the donation scorecard, but I have no other
>>>> system to turn to.
>>>>
>>>> Thanks,
>>>> Brian
>>>>
>>>>
>>>> On Dec 10, 2017, at 10:44 PM, Matt Tesauro <matt.tesauro at owasp.org>
>>>> wrote:
>>>>
>>>> Steve,
>>>>
>>>> I'm no longer an OWASP employee but I have a pretty good understanding
>>>> of how things work at OWASP so maybe I can help.
>>>>
>>>> First I need some info to help narrow down how this donation happened.
>>>>
>>>> (1) When you say:
>>>> > The contribution was made using the same/similar mechanism the OWASP
>>>> > Defect Dojo project uses
>>>> Do you mean PayPal?  If so, what form and importantly form variables
>>>> did you use?  Look at this previous Leaders List post for more info on
>>>> PayPal donations: http://lists.owasp.org/pipermail/owasp-leaders/2017-November/018762.html
>>>>
>>>> (2) When you say:
>>>> > I immediately reached out to OWASP accounting and a few other
>>>> > individuals
>>>> Are these direct emails?  For OWASP accounting, do you mean '
>>>> accounting at owasp.org'?  Were any of these made to the Contact Us form
>>>> at https://www.tfaforms.com/308703?  Depending on how you reached out
>>>> to OWASP, the visibility of that request may be restricted to a single
>>>> person's inbox or co-mingled in a shared inbox used by the current
>>>> accounting contractors.  If there's a failure in a particular means to
>>>> contact OWASP staff, they'd need to know exactly how you reached out so
>>>> that leaky method can get shored up.
>>>>
>>>> (3) When you say:
>>>> > even though the vendor shared those details with me.
>>>> Were those details shared in the times you reached out to OWASP?  One
>>>> thing I learned while on staff is that things are more complex than I ever
>>>> expected.  Multiple bank accounts in various currencies, 2 primary OWASP
>>>> charities (OWASP Foundation and OWASP EU), PayPal, RegOnline, EventBrite,
>>>> Meetup, the new AMS - these are just a few of the methods funds might come
>>>> into OWASP.  It's a consequence of rapid, organic growth and OWASP trying
>>>> to meet the needs of a diverse community around the world.  Yes, the org
>>>> probably could have done a better job providing a 'paved road' for
>>>> donations but it's rather tricky to find a single funding mechanism that
>>>> works reliably world-wide and for any currency.
>>>>
>>>> I'm happy to have this conversation here or you can reply directly to
>>>> me.
>>>>
>>>> Cheers!
>>>>
>>>> --
>>>> -- Matt Tesauro
>>>> OWASP AppSec Pipeline Lead
>>>> https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
>>>> OWASP WTE Project Lead
>>>> https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
>>>> http://AppSecLive.org - Community and
>>>> Download site
>>>>
>>>> On Sun, Dec 10, 2017 at 12:10 PM, Steve Springett <
>>>> steve.springett at owasp.org> wrote:
>>>>
>>>>> One of the primary reasons why I choose to participate in OWASP
>>>>> projects as well as start my own is the support that the OWASP organization
>>>>> provides including the wiki, appsec activities, and project sponsorship.
>>>>>
>>>>> The decision to have donated multiple open source projects to OWASP
>>>>> has been tested over the past month without acceptable results.
>>>>>
>>>>> As many of you know, I have been heavily involved in Dependency-Check
>>>>> since 2012 and started Dependency-Track in 2013. Dependency-Track v3 (to be
>>>>> released in Q1 2018) will be the result of an entire year of work which has
>>>>> resulted in the creation of several supporting and smaller projects and
>>>>> many enhancements to Dependency-Check along the way.
>>>>>
>>>>> One of those smaller supporting projects is actually a big deal to a
>>>>> specific vulnerability intelligence vendor. I am working to incorporate the
>>>>> service the vendor provides as an optional feature into both
>>>>> Dependency-Check and Dependency-Track in an effort to bring additional
>>>>> capabilities to these projects on par with their commercial counterparts.
>>>>> The vendor in turn, chose to sponsor Dependency-Track, an act that I
>>>>> thought was very kind and very much appreciated that would actually benefit
>>>>> both the Dependency-Check and Dependency-Track projects as a result.
>>>>>
>>>>> The vendor informed me on November 3rd they made the donation and I
>>>>> immediately reached out to OWASP accounting and a few other individuals
>>>>> throughout the course of November including communications on November 4th,
>>>>> November 8th, November 10th, and November 28th. My purpose for this email
>>>>> is NOT to point fingers at individuals. Relying on a single person in an
>>>>> organization instead of an agreed upon process supported by leadership
>>>>> makes OWASP no better than a recent CEO pointing fingers at a single person
>>>>> for not applying a patch. It’s absurd and laughable. If relying on a single
>>>>> person is strategic, that strategy is flawed and needs to be fixed.
>>>>>
>>>>> Five weeks after the vendor made the contribution to sponsor the
>>>>> project and I still have not heard any details from OWASP about the nature
>>>>> of the contribution - even though the vendor shared those details with me.
>>>>>
>>>>> Five weeks after the vendor made the contribution and I still am not
>>>>> able to publicly thank them for their contribution.
>>>>>
>>>>> Five weeks after the vendor made the contribution and I’m still not
>>>>> able to follow the guidelines outlined in
>>>>> https://www.owasp.org/index.php/Project_Sponsorship_Operational_Guidelines.
>>>>>
>>>>> Providing details on the contribution is required if OWASP expects to
>>>>> have project sponsorship. Even an answer that the contribution was made in
>>>>> error and was a general contribution instead would be an acceptable answer.
>>>>> No answer at all is not acceptable and I question OWASP’s ability to
>>>>> provide project sponsorship in the first place.
>>>>>
>>>>> The contribution was made using the same/similar mechanism the OWASP
>>>>> Defect Dojo project uses. I question if that project, or any other project
>>>>> using this method have received the support they deserve.
>>>>>
>>>>> If the donor didn’t inform me of their contribution, I would likely
>>>>> never know about this situation. This is not the type of organization I
>>>>> want to continue to be associated with.
>>>>>
>>>>> I am asking for a thorough review, not only on the Dependency-Track
>>>>> project, but on all projects that use this method of donation.
>>>>>
>>>>> I have not decided whether or not to continue donating my projects to
>>>>> OWASP. At risk for being pulled from OWASP are:
>>>>>
>>>>> Dependency-Check Jenkins plugin
>>>>> Dependency-Check SonarQube plugin
>>>>> Dependency-Track
>>>>>
>>>>> In all cases however, I will be removing the OWASP name from the above
>>>>> projects.
>>>>>
>>>>>
>>>>>
>>>>> *Steve Springett*
>>>>> About:   https://about.me/stevespringett
>>>>> GitHub:   https://github.com/stevespringett
>>>>> Keybase:   https://keybase.io/stevespringett
>>>>>
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>