[Owasp-leaders] Project Sponsorship, Support, and Finance

Tom Brennan - OWASP tomb at owasp.org
Mon Dec 25 03:22:58 UTC 2017


Encourage everyone to LISTEN to the “B-Side” and the actual video/audio
recording of the Dec '17 meeting themselves for context.

https://drive.google.com/open?id=1i2zdQ6QVFoWh06TBuJy2Zo5bvp9M50zJ

Prior to that there are also (12) months of related context from the public monthly
meetings, progress reports, recordings, and related material from your elected board
representatives; find it here:
https://www.owasp.org/index.php/Board#tab=How_Meetings_Operate

Be part of the live discussion in January; that is what communities do to
grow. Talk

Happy Holidays

</flame>



On Sun, Dec 24, 2017 at 10:29 AM Avi D (OWASP Israel) <avi.douglen at owasp.org>
wrote:

> Brian,
>
> Yes it does seem that there is something fundamentally broken, but not
> just with the accounting.
>
> It seems to be part of a strategic decision on the part of the new OWASP
> Leadership that community just doesn’t matter, except for where some cash
> can be squeezed out for the Foundation.
>
> See here:
> https://www.peerlyst.com/posts/owasp-you-keep-saying-that-word-i-do-not-think-it-means-what-you-think-it-means-avid
>
>
>
> Not optimistic about trust being re-established any time soon…
>
>
>
> Avi D
>
>
>
>
>
> *From:* owasp-leaders-bounces+avi.douglen=owasp.org at lists.owasp.org
> [mailto:owasp-leaders-bounces+avi.douglen=owasp.org at lists.owasp.org] *On
> Behalf Of *Brian Glas
> *Sent:* Thursday, December 14, 2017 15:51
> *To:* Tiffany Long <tiffany.long at owasp.org>
> *Cc:* owasp-leaders at lists.owasp.org
>
>
> *Subject:* Re: [Owasp-leaders] Project Sponsorship, Support, and Finance
>
>
>
> Tiffany,
>
> To be honest, if you have to ask me for the details of $15k of donations
> to two projects, this clearly indicates there is something fundamentally
> broken.
>
>
>
> This is not a new phenomenon, and has been ongoing for a while now.
>
>
>
> Can we please have a review/root cause analysis and a detailed explanation
> of what has been going wrong and what has been done/will be implemented to
> address?
>
>
>
> Problems like this have happened repeatedly to multiple projects/chapters
> and I don’t see any clear communication on what happened and how it will be
> prevented in the future.
>
>
>
> Here is a list of items that I was referencing:
>
> 1. Autodesk contributed $5k to the Top 10 project in Oct. They received a
> confirmation that their money was accepted, but it has never been listed in
> the Top 10 budget.
>
> 2. OWASP NoVA contributed $5k to the Top 10 project, which was approved on
> 11/15, but it has never been listed in the Top 10 budget.
>
> 3. OWASP NoVA contributed $5k to the SAMM project, which was approved on 11/15,
> but it has never been listed in the SAMM budget.
>
>
>
> In addition, the Top 10 project was charged $880 for a press release that
> had been previously approved to be paid for from a project communications
> fund.
>
>
>
> Based on a number of emails to the leaders list over the last several
> months, I don’t think I’m alone in dealing with issues like this.
>
> Right now I have no reason to trust any of the numbers in the google
> sheets that are made available to the project/chapter leads.
>
> I’m hoping that something can be done to help re-establish some trust in
> the processes.
>
>
>
> Thanks,
>
> Brian
>
>
>
>
>
> On Dec 14, 2017, at 4:53 AM, Tiffany Long <tiffany.long at owasp.org> wrote:
>
>
>
> Brian, can you pinpoint the transactions it is missing for you?  Staff has
> been working with the accounting team to straighten this out, but it seems
> that each of us only have part of the answer.  We are trying to track down
> the issues and stamp them out one at a time.  Any specific information you
> have would be very helpful.
>
> Best,
>
> Tiffany
>
>
> Tiffany Long
>
> Community Manager
>
>
>
> On Wed, Dec 13, 2017 at 12:33 PM, Brian Glas <brian.glas at owasp.org> wrote:
>
> Appreciate that Colin, unfortunately it’s missing several Oct/Nov
> transactions, even with the date stamp of 11/30/17.
>
>
>
> Thanks,
>
> Brian
>
>
>
>
>
> On Dec 13, 2017, at 3:14 PM, Colin Watson <colin.watson at owasp.org> wrote:
>
>
>
> I stumbled across a document which lists financial transactions per
> project. Look for the two links under the heading 'Fund Details' on:
>
>
>
> https://www.owasp.org/index.php/Category:OWASP_Project
>
>
>
> Last updated 30 Nov 2017. I don't think this has been highlighted to
> project leaders though.
>
>
>
> Colin
>
>
>
>
>
> On 11 December 2017 at 19:47, Brian Glas <brian.glas at owasp.org> wrote:
>
> Steve,
>
> You aren’t alone.
>
>
>
> I had an OWASP Chapter generously donate to two projects that I’m a
> co-lead on, and I still can’t confirm that the money has been transferred,
> hence I can’t publicly say thank you.
>
> He informed me that it was done over three weeks ago and I’ve asked about
> it and was told to check the donation spreadsheet. As of last week it
> hadn’t been updated since late Oct. This week it shows that it was updated
> on Nov 30, but the amounts I’m expecting aren’t in either project's budget
> line item. I’m not sure what to do at this point as I have zero faith in
> the accuracy of the numbers in the donation scorecard, but I have no other
> system to turn to.
>
>
>
> Thanks,
>
> Brian
>
> On Dec 10, 2017, at 10:44 PM, Matt Tesauro <matt.tesauro at owasp.org> wrote:
>
>
>
> Steve,
>
>
>
> I'm no longer an OWASP employee but I have a pretty good understanding of
> how things work at OWASP so maybe I can help.
>
>
>
> First I need some info to help narrow down how this donation happened.
>
>
>
> (1) When you say:
>
> > The contribution was made using the same/similar mechanism the OWASP
> Defect Dojo project uses
>
> Do you mean PayPal?  If so, what form and importantly form variables did
> you use?  Look at this previous Leaders List post for more info on PayPal
> donations:
> http://lists.owasp.org/pipermail/owasp-leaders/2017-November/018762.html
>
>
>
> (2) When you say:
>
> > I immediately reached out to OWASP accounting and a few other
> individuals
>
> Are these direct emails?  For OWASP accounting, do you mean
> 'accounting at owasp.org'?  Were any of these made to the Contact Us form at
> https://www.tfaforms.com/308703?  Depending on how you reached out to
> OWASP, the visibility of that request may be restricted to a single
> person's inbox or co-mingled in a shared inbox used by the current
> accounting contractors.  If there's a failure in a particular means to
> contact OWASP staff, they'd need to know exactly how you reached out so
> that leaky method can get shored up.
>
>
>
> (3) When you say:
>
> > even though the vendor shared those details with me.
>
> Were those details shared in the times you reached out to OWASP?  One
> thing I learned while on staff is that things are more complex than I ever
> expected.  Multiple bank accounts in various currencies, 2 primary OWASP
> charities (OWASP Foundation and OWASP EU), PayPal, RegOnline, EventBrite,
> Meetup, the new AMS - these are just a few of the methods funds might come
> into OWASP.  It's a consequence of rapid, organic growth and OWASP trying
> to meet the needs of a diverse community around the world.  Yes, the org
> probably could have done a better job providing a 'paved road' for
> donations but it's rather tricky to find a single funding mechanism that
> works reliably world-wide and for any currency.
>
>
>
> I'm happy to have this conversation here or you can reply directly to me.
>
>
>
> Cheers!
>
>
> --
> -- Matt Tesauro
>
> OWASP AppSec Pipeline Lead
>
> https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
>
> OWASP WTE Project Lead
> https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
> http://AppSecLive.org <http://appseclive.org/> - Community and Download
> site
>
>
>
> On Sun, Dec 10, 2017 at 12:10 PM, Steve Springett <steve.springett at owasp.org> wrote:
>
> One of the primary reasons why I choose to participate in OWASP projects
> as well as start my own is the support that the OWASP organization provides
> including the wiki, appsec activities, and project sponsorship.
>
>
>
> The decision to have donated multiple open source projects to OWASP has
> been tested over the past month without acceptable results.
>
>
>
> As many of you know, I have been heavily involved in Dependency-Check
> since 2012 and started Dependency-Track in 2013. Dependency-Track v3 (to be
> released in Q1 2018) will be the result of an entire year of work which has
> resulted in the creation of several supporting and smaller projects and
> many enhancements to Dependency-Check along the way.
>
>
>
> One of those smaller supporting projects is actually a big deal to a
> specific vulnerability intelligence vendor. I am working to incorporate the
> service the vendor provides as an optional feature into both
> Dependency-Check and Dependency-Track in an effort to bring additional
> capabilities to these projects on par with their commercial counterparts.
> The vendor, in turn, chose to sponsor Dependency-Track, an act that I
> thought was very kind and very much appreciated, and that would actually benefit
> both the Dependency-Check and Dependency-Track projects as a result.
>
>
>
> The vendor informed me on November 3rd they made the donation and I
> immediately reached out to OWASP accounting and a few other individuals
> throughout the course of November including communications on November 4th,
> November 8th, November 10th, and November 28th. My purpose for this email
> is NOT to point fingers at individuals. Relying on a single person in an
> organization instead of an agreed upon process supported by leadership
> makes OWASP no better than a recent CEO pointing fingers at a single person
> for not applying a patch. It’s absurd and laughable. If relying on a single
> person is strategic, that strategy is flawed and needs to be fixed.
>
>
>
> Five weeks after the vendor made the contribution to sponsor the project
> and I still have not heard any details from OWASP about the nature of the
> contribution - even though the vendor shared those details with me.
>
>
>
> Five weeks after the vendor made the contribution and I still am not able
> to publicly thank them for their contribution.
>
>
>
> Five weeks after the vendor made the contribution and I’m still not able
> to follow the guidelines outlined in
> https://www.owasp.org/index.php/Project_Sponsorship_Operational_Guidelines.
>
>
>
> Providing details on the contribution is required if OWASP expects to have
> project sponsorship. Even an answer that the contribution was made in error
> and was a general contribution instead would be an acceptable answer. No
> answer at all is not acceptable and I question OWASP’s ability to provide
> project sponsorship in the first place.
>
>
>
> The contribution was made using the same/similar mechanism the OWASP
> Defect Dojo project uses. I question if that project, or any other project
> using this method, has received the support it deserves.
>
>
>
> If the donor didn’t inform me of their contribution, I would likely never
> know about this situation. This is not the type of organization I want to
> continue to be associated with.
>
>
>
> I am asking for a thorough review, not only on the Dependency-Track
> project, but on all projects that use this method of donation.
>
>
>
> I have not decided whether or not to continue donating my projects to
> OWASP. At risk of being pulled from OWASP are:
>
>
>
> Dependency-Check Jenkins plugin
>
> Dependency-Check SonarQube plugin
>
> Dependency-Track
>
>
>
> In all cases however, I will be removing the OWASP name from the above
> projects.
>
>
>
>
>
>
>
>
> *Steve Springett*
>
> About:
>
>
>
> https://about.me/stevespringett
>
> GitHub:
>
>
>
> https://github.com/stevespringett
>
> Keybase:
>
>
>
> https://keybase.io/stevespringett
>
>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
-- 
*Tom Brennan*
*Proactive RISK*
www.proactiverisk.com
Mobile: 973-202-0122 | Schedule a Meeting
<https://secure.scheduleonce.com/proactiverisk>