[Owasp-leaders] Project Sponsorship, Support, and Finance

Karen Staley karen.staley at owasp.org
Fri Jan 26 16:57:11 UTC 2018


Dear Brian, project leaders and OWASP community,

We apologise for the miscommunication and inaccurate communication on the
wiki regarding the projects and funding.  We obviously need to talk with
project leaders before we update or make changes, for this we apologise -
we need to improve sharing information and sharing our challenges with some
of the data before we make changes.
Brian may I call you to talk about this - there was no intent at all we are
just trying to update and sort out the information to help you.  Please
help us and work with us so that we can develop a strong relationship and
help to provide better information and accurate information.  Please just
speak with the staff at OWASP. We truly are doing our best with what we
have and know at this time.

Sometimes it may not be correct but we want to correct it as best we can.
There is no negative or untrustworthy intent...clearly our internal system
is not working as well as we would like it to.

Thank you for your understanding and we welcome your support and help as we
work through developing better systems and processes to help you, project
leaders and chapter leaders along with the community of OWASP.

Sincerely
Karen

On Fri, 26 Jan 2018 at 10:03, Martin Knobloch <martin.knobloch at owasp.org>
wrote:

> All,
>
> Karen and the board are very aware of these problems and working hard on
> solving related issues.
>
> Kind regards,
> -martin
>
> On Fri, Jan 26, 2018 at 3:43 PM, Larry Conklin <larry.conklin at owasp.org>
> wrote:
>
>> IMHO...This is very serious. Even with staff leaving I can see a holdup
>> but not as long as Brian is talking about. We need our new ED Karen Staley
>> to take point on this issue. It's not just a money issue; at the heart of
>> the issue is trust.
>>
>> Larry Conklin
>>
>>
>> On Fri, Jan 26, 2018 at 7:49 AM, Brian Glas <brian.glas at owasp.org> wrote:
>>
>>> Tiffany,
>>> Not sure you are the right person to address or not, if not, please
>>> forward to the appropriate staff member.
>>>
>>> I just checked the donation scorecard for the last time.
>>>
>>> It shows that it was updated on 12/31 and only one of my issues has been
>>> resolved in the last six weeks.
>>>
>>> While the Top 10 has now received the $5k donation from either AutoDesk
>>> or OWASP NOVA, the other $5k donation is *still* missing.
>>>
>>> The Top 10 project has still been charged $880 for a press release that
>>> had been previously approved to be paid for from a project communications
>>> fund.
>>>
>>> Also, the SAMM project is *still* missing the $5k that OWASP NOVA
>>> donated back in November 2017.
>>>
>>> I don’t understand why these issues have to be raised repeatedly, and
>>> problems like this are going to discourage future contributions and that is
>>> something that OWASP really doesn’t need.
>>>
>>> -Brian
>>>
>>>
>>> On Dec 14, 2017, at 8:51 AM, Brian Glas <brian.glas at owasp.org> wrote:
>>>
>>> Tiffany,
>>> To be honest, if you have to ask me for the details of $15k of donations
>>> to two projects, this clearly indicates there is something fundamentally
>>> broken.
>>>
>>> This is not a new phenomenon, and has been ongoing for a while now.
>>>
>>> Can we please have a review/root cause analysis and a detailed
>>> explanation of what has been going wrong and what has been done/will be
>>> implemented to address?
>>>
>>> Problems like this have happened repeatedly to multiple
>>> projects/chapters and I don’t see any clear communication on what happened
>>> and how it will be prevented in the future.
>>>
>>> Here is a list of items that I was referencing:
>>> 1. Autodesk contributed $5k to Top 10 project in Oct. They received a
>>> confirmation that their money was accepted, but it has never been listed for
>>> the Top 10 budget.
>>> 2. OWASP NoVA contributed $5k to Top 10 project that was approved on
>>> 11/15, but it has never been listed for the Top 10 budget.
>>> 3. OWASP NoVA contributed $5k to SAMM project that was approved on
>>> 11/15, but it has never been listed for the SAMM budget.
>>>
>>> In addition, the Top 10 project was charged $880 for a press release
>>> that had been previously approved to be paid for from a project
>>> communications fund.
>>>
>>> Based on a number of emails to the leaders list over the last several
>>> months, I don’t think I’m alone in dealing with issues like this.
>>> Right now I have no reason to trust any of the numbers in the google
>>> sheets that are made available to the project/chapter leads.
>>> I’m hoping that something can be done to help re-establish some trust in
>>> the processes.
>>>
>>> Thanks,
>>> Brian
>>>
>>>
>>> On Dec 14, 2017, at 4:53 AM, Tiffany Long <tiffany.long at owasp.org>
>>> wrote:
>>>
>>> Brian, can you pinpoint the transactions it is missing for you?  Staff
>>> has been working with the accounting team to straighten this out, but it
>>> seems that each of us only have part of the answer.  We are trying to track
>>> down the issues and stamp them out one at a time.  Any specific information
>>> you have would be very helpful.
>>> Best,
>>> Tiffany
>>>
>>>
>>> Tiffany Long
>>> Community Manager
>>>
>>> On Wed, Dec 13, 2017 at 12:33 PM, Brian Glas <brian.glas at owasp.org>
>>> wrote:
>>>
>>>> Appreciate that Colin, unfortunately it’s missing several Oct/Nov
>>>> transactions, even with the date stamp of 11/30/17.
>>>>
>>>> Thanks,
>>>>
>>>> Brian
>>>>
>>>>
>>>> On Dec 13, 2017, at 3:14 PM, Colin Watson <colin.watson at owasp.org>
>>>> wrote:
>>>>
>>>> I stumbled across a document which lists financial transactions per
>>>> project. Look for the two links under the heading 'Fund Details' on:
>>>>
>>>> https://www.owasp.org/index.php/Category:OWASP_Project
>>>>
>>>> Last updated 30 Nov 2017. I don't think this has been highlighted to
>>>> project leaders though.
>>>>
>>>> Colin
>>>>
>>>>
>>>> On 11 December 2017 at 19:47, Brian Glas <brian.glas at owasp.org> wrote:
>>>>
>>>>> Steve,
>>>>> You aren’t alone.
>>>>>
>>>>> I had an OWASP Chapter generously donate to two projects that I’m a
>>>>> co-lead on, and I still can’t confirm that the money has been transferred,
>>>>> hence I can’t publicly say thank you.
>>>>> He informed me that it was done over three weeks ago and I’ve asked
>>>>> about it and was told to check the donation spreadsheet. As of last week it
>>>>> hadn’t been updated since late Oct. This week it shows that it was updated
>>>>> on Nov 30, but the amounts I’m expecting aren’t in either projects budget
>>>>> line item. I’m not sure what to do at this point as I have zero faith in
>>>>> the accuracy of the numbers in the donation scorecard, but I have no other
>>>>> system to turn to.
>>>>>
>>>>> Thanks,
>>>>> Brian
>>>>>
>>>>> On Dec 10, 2017, at 10:44 PM, Matt Tesauro <matt.tesauro at owasp.org>
>>>>> wrote:
>>>>>
>>>>> Steve,
>>>>>
>>>>> I'm no longer an OWASP employee but I have a pretty good understanding
>>>>> of how things work at OWASP so maybe I can help.
>>>>>
>>>>> First I need some info to help narrow down how this donation happened.
>>>>>
>>>>> (1) When you say:
>>>>> > The contribution was made using the same/similar mechanism the
>>>>> OWASP Defect Dojo project uses
>>>>> Do you mean PayPal?  If so, what form and importantly form variables
>>>>> did you use?  Look at this previous Leaders List post for more info on
>>>>> PayPal donations:
>>>>> http://lists.owasp.org/pipermail/owasp-leaders/2017-November/018762.html
>>>>>
>>>>> (2) When you say:
>>>>> > I immediately reached out to OWASP accounting and a few other
>>>>> individuals
>>>>> Are these direct emails?  For OWASP accounting, do you mean '
>>>>> accounting at owasp.org'?  Were any of these made to the Contact Us form
>>>>> at https://www.tfaforms.com/308703?  Depending on how you reached out
>>>>> to OWASP, the visibility of that request may be restricted to a single
>>>>> person's inbox or co-mingled in a shared inbox used by the current
>>>>> accounting contractors.  If there's a failure in a particular means to
>>>>> contact OWASP staff, they'd need to know exactly how you reached out so
>>>>> that leaky method can get shored up.
>>>>>
>>>>> (3) When you say:
>>>>> > even though the vendor shared those details with me.
>>>>> Were those details shared in the times you reached out to OWASP?  One
>>>>> thing I learned while on staff is that things are more complex than I ever
>>>>> expected.  Multiple bank accounts in various currencies, 2 primary OWASP
>>>>> charities (OWASP Foundation and OWASP EU), PayPal, RegOnline, EventBrite,
>>>>> Meetup, the new AMS - these are just a few of the methods funds might come
>>>>> into OWASP.  It's a consequence of rapid, organic growth and OWASP trying
>>>>> to meet the needs of a diverse community around the world.  Yes, the org
>>>>> probably could have done a better job providing a 'paved road' for
>>>>> donations but it's rather tricky to find a single funding mechanism that
>>>>> works reliably world-wide and for any currency.
>>>>>
>>>>> I'm happy to have this conversation here or you can reply directly to
>>>>> me.
>>>>>
>>>>> Cheers!
>>>>>
>>>>>
>>>>> --
>>>>> -- Matt Tesauro
>>>>> OWASP AppSec Pipeline Lead
>>>>> https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
>>>>> OWASP WTE Project Lead
>>>>> https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
>>>>> http://AppSecLive.org - Community and
>>>>> Download site
>>>>>
>>>>> On Sun, Dec 10, 2017 at 12:10 PM, Steve Springett <
>>>>> steve.springett at owasp.org> wrote:
>>>>>
>>>>>> One of the primary reasons why I choose to participate in OWASP
>>>>>> projects as well as start my own is the support that the OWASP organization
>>>>>> provides including the wiki, appsec activities, and project sponsorship.
>>>>>>
>>>>>> The decision to have donated multiple open source projects to OWASP
>>>>>> has been tested over the past month without acceptable results.
>>>>>>
>>>>>> As many of you know, I have been heavily involved in Dependency-Check
>>>>>> since 2012 and started Dependency-Track in 2013. Dependency-Track v3 (to be
>>>>>> released in Q1 2018) will be the result of an entire year of work which has
>>>>>> resulted in the creation of several supporting and smaller projects and
>>>>>> many enhancements to Dependency-Check along the way.
>>>>>>
>>>>>> One of those smaller supporting projects is actually a big deal to a
>>>>>> specific vulnerability intelligence vendor. I am working to incorporate the
>>>>>> service the vendor provides as an optional feature into both
>>>>>> Dependency-Check and Dependency-Track in an effort to bring additional
>>>>>> capabilities to these projects on par with their commercial counterparts.
>>>>>> The vendor in turn, chose to sponsor Dependency-Track, an act that I
>>>>>> thought was very kind and very much appreciated that would actually benefit
>>>>>> both the Dependency-Check and Dependency-Track projects as a result.
>>>>>>
>>>>>> The vendor informed me on November 3rd they made the donation and I
>>>>>> immediately reached out to OWASP accounting and a few other individuals
>>>>>> throughout the course of November including communications on November 4th,
>>>>>> November 8th, November 10th, and November 28th. My purpose for this email
>>>>>> is NOT to point fingers at individuals. Relying on a single person in an
>>>>>> organization instead of an agreed upon process supported by leadership
>>>>>> makes OWASP no better than a recent CEO pointing fingers at a single person
>>>>>> for not applying a patch. It’s absurd and laughable. If relying on a single
>>>>>> person is strategic, that strategy is flawed and needs to be fixed.
>>>>>>
>>>>>> Five weeks after the vendor made the contribution to sponsor the
>>>>>> project and I still have not heard any details from OWASP about the nature
>>>>>> of the contribution - even though the vendor shared those details with me.
>>>>>>
>>>>>> Five weeks after the vendor made the contribution and I still am not
>>>>>> able to publicly thank them for their contribution.
>>>>>>
>>>>>> Five weeks after the vendor made the contribution and I’m still not
>>>>>> able to follow the guidelines outlined in
>>>>>> https://www.owasp.org/index.php/Project_Sponsorship_Operational_Guidelines
>>>>>> .
>>>>>>
>>>>>> Providing details on the contribution is required if OWASP expects to
>>>>>> have project sponsorship. Even an answer that the contribution was made in
>>>>>> error and was a general contribution instead would be an acceptable answer.
>>>>>> No answer at all is not acceptable and I question OWASP’s ability to
>>>>>> provide project sponsorship in the first place.
>>>>>>
>>>>>> The contribution was made using the same/similar mechanism the OWASP
>>>>>> Defect Dojo project uses. I question if that project, or any other project
>>>>>> using this method have received the support they deserve.
>>>>>>
>>>>>> If the donor didn’t inform me of their contribution, I would likely
>>>>>> never know about this situation. This is not the type of organization I
>>>>>> want to continue to be associated with.
>>>>>>
>>>>>> I am asking for a thorough review, not only on the Dependency-Track
>>>>>> project, but on all projects that use this method of donation.
>>>>>>
>>>>>> I have not decided whether or not to continue donating my projects to
>>>>>> OWASP. At risk for being pulled from OWASP are:
>>>>>>
>>>>>> Dependency-Check Jenkins plugin
>>>>>> Dependency-Check SonarQube plugin
>>>>>> Dependency-Track
>>>>>>
>>>>>> In all cases however, I will be removing the OWASP name from the
>>>>>> above projects.
>>>>>>
>>>>>>
>>>>>>
>>>>>> *Steve Springett*
>>>>>> About:   https://about.me/stevespringett
>>>>>> GitHub:   https://github.com/stevespringett
>>>>>> Keybase:   https://keybase.io/stevespringett
>>>>>>
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>