[Owasp-leaders] Project Sponsorship, Support, and Finance

Ann Grove ann.grove at owasp.org
Mon Mar 12 17:03:36 UTC 2018


I am concerned that this issue of misdirected donations that Steve pointed
out ***in December*** is apparently still not resolved.  He has received
information that OWASP located the donation but he does not believe the
transaction has been applied to his project. I noticed his earlier thread
here in November, making sure his client was following the right processes.

What can be done to resolve this?

On Sun, Dec 10, 2017 at 1:10 PM, Steve Springett <steve.springett at owasp.org>
wrote:

> One of the primary reasons why I choose to participate in OWASP projects
> as well as start my own is the support that the OWASP organization provides
> including the wiki, appsec activities, and project sponsorship.
>
> The decision to have donated multiple open source projects to OWASP has
> been tested over the past month without acceptable results.
>
> As many of you know, I have been heavily involved in Dependency-Check
> since 2012 and started Dependency-Track in 2013. Dependency-Track v3 (to be
> released in Q1 2018) will be the result of an entire year of work which has
> resulted in the creation of several supporting and smaller projects and
> many enhancements to Dependency-Check along the way.
>
> One of those smaller supporting projects is actually a big deal to a
> specific vulnerability intelligence vendor. I am working to incorporate the
> service the vendor provides as an optional feature into both
> Dependency-Check and Dependency-Track in an effort to bring additional
> capabilities to these projects on par with their commercial counterparts.
> The vendor, in turn, chose to sponsor Dependency-Track, an act that I
> thought was very kind and very much appreciated, and one that would actually
> benefit both the Dependency-Check and Dependency-Track projects as a result.
>
> The vendor informed me on November 3rd they made the donation and I
> immediately reached out to OWASP accounting and a few other individuals
> throughout the course of November including communications on November 4th,
> November 8th, November 10th, and November 28th. My purpose for this email
> is NOT to point fingers at individuals. Relying on a single person in an
> organization instead of an agreed upon process supported by leadership
> makes OWASP no better than a recent CEO pointing fingers at a single person
> for not applying a patch. It’s absurd and laughable. If relying on a single
> person is strategic, that strategy is flawed and needs to be fixed.
>
> Five weeks after the vendor made the contribution to sponsor the project
> and I still have not heard any details from OWASP about the nature of the
> contribution - even though the vendor shared those details with me.
>
> Five weeks after the vendor made the contribution and I still am not able
> to publicly thank them for their contribution.
>
> Five weeks after the vendor made the contribution and I’m still not able
> to follow the guidelines outlined in
> https://www.owasp.org/index.php/Project_Sponsorship_Operational_Guidelines.
>
> Providing details on the contribution is required if OWASP expects to have
> project sponsorship. Even an answer that the contribution was made in error
> and was a general contribution instead would be an acceptable answer. No
> answer at all is not acceptable and I question OWASP’s ability to provide
> project sponsorship in the first place.
>
> The contribution was made using the same/similar mechanism the OWASP
> Defect Dojo project uses. I question if that project, or any other project
> using this method, has received the support it deserves.
>
> If the donor didn’t inform me of their contribution, I would likely never
> know about this situation. This is not the type of organization I want to
> continue to be associated with.
>
> I am asking for a thorough review, not only on the Dependency-Track
> project, but on all projects that use this method of donation.
>
> I have not decided whether or not to continue donating my projects to
> OWASP. At risk for being pulled from OWASP are:
>
> Dependency-Check Jenkins plugin
> Dependency-Check SonarQube plugin
> Dependency-Track
>
> In all cases however, I will be removing the OWASP name from the above
> projects.
>
>
> *Steve Springett*
> About:   https://about.me/stevespringett
> GitHub:   https://github.com/stevespringett
> Keybase:   https://keybase.io/stevespringett
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>