[Owasp-leaders] [BCC AUDIT] Re: Project Sponsorship, Support, and Finance
ann.grove at owasp.org
Tue Mar 13 13:36:57 UTC 2018
Welcome, Harold! And thank you, Karen. Please, please see this through to
completion, since this has impacted Steve's relationship with his client
and thus his reputation. Thanks again!
On Mon, Mar 12, 2018 at 9:51 PM, Karen Staley <karen.staley at owasp.org> wrote:
> Dear Ann and Steve,
> First of all, let me thank you for your support and involvement of OWASP.
> Your participation in the foundation and the projects is valuable to us.
> Please accept our sincerest apologies regarding the donation process and
> reporting. Apparently the system is not working in the way expected.
> Please allow me to bring this to the attention of the team and see why
> the system is not reporting or communicating back to the projects on their
> donations. We have actually been actively working the donation system
> lately and have reviewed donations for several of the projects and shared
> the details with the appropriate project leaders for comment and review.
> Unfortunately some of the projects have not been addressed and we realize
> that the donation system is not working correctly.
> I might also suggest that we arrange for a project team conference call to
> discuss the challenges of projects and their leaders and review the process
> to find a more acceptable system that meets with the expectations of the
> project leaders and those donating.
> However, if you will, please allow me to address the direct concerns of
> Steve to review the donations of the projects he has mentioned to find out
> what is not working and why the process has left him disappointed.
> Secondly once we have these issues resolved we can as a group review the
> process to find a more acceptable method of tracking and communicating
> project donations.
> I have included in our conversation Harold Blankenship, our new Director
> of Technology and Projects. I can assure you that the concerns raised by
> you and Steve are very important to us as we too want to find more
> funding for projects and are dedicated to finding the best possible way to
> support and facilitate the success of projects.
> Thank you for bringing this to our attention. Can we agree to work
> together to find a suitable and agreeable solution to ensuring that
> projects receive the funding designated for them and to report this
> information to the leaders as well as thank those that are donating to the
> Karen Staley
> On Mon, Mar 12, 2018 at 11:03 AM, Ann Grove <ann.grove at owasp.org> wrote:
>> I am concerned that this issue of misdirected donations that Steve
>> pointed out ***in December*** is apparently still not resolved. He has
>> received information that OWASP located the donation but he does not
>> believe the transaction has been applied to his project. I noticed his
>> earlier thread here in November, making sure his client was following the
>> right processes.
>> What can be done to resolve this?
>> On Sun, Dec 10, 2017 at 1:10 PM, Steve Springett <
>> steve.springett at owasp.org> wrote:
>>> One of the primary reasons why I choose to participate in OWASP projects
>>> as well as start my own is the support that the OWASP organization provides
>>> including the wiki, appsec activities, and project sponsorship.
>>> The decision to have donated multiple open source projects to OWASP has
>>> been tested over the past month without acceptable results.
>>> As many of you know, I have been heavily involved in Dependency-Check
>>> since 2012 and started Dependency-Track in 2013. Dependency-Track v3 (to be
>>> released in Q1 2018) will be the result of an entire year of work which has
>>> resulted in the creation of several supporting and smaller projects and
>>> many enhancements to Dependency-Check along the way.
>>> One of those smaller supporting projects is actually a big deal to a
>>> specific vulnerability intelligence vendor. I am working to incorporate the
>>> service the vendor provides as an optional feature into both
>>> Dependency-Check and Dependency-Track in an effort to bring additional
>>> capabilities to these projects on par with their commercial counterparts.
>>> The vendor in turn, chose to sponsor Dependency-Track, an act that I
>>> thought was very kind and very much appreciated that would actually benefit
>>> both the Dependency-Check and Dependency-Track projects as a result.
>>> The vendor informed me on November 3rd they made the donation and I
>>> immediately reached out to OWASP accounting and a few other individuals
>>> throughout the course of November including communications on November 4th,
>>> November 8th, November 10th, and November 28th. My purpose for this email
>>> is NOT to point fingers at individuals. Relying on a single person in an
>>> organization instead of an agreed upon process supported by leadership
>>> makes OWASP no better than a recent CEO pointing fingers at a single person
>>> for not applying a patch. It’s absurd and laughable. If relying on a single
>>> person is strategic, that strategy is flawed and needs to be fixed.
>>> Five weeks after the vendor made the contribution to sponsor the project
>>> and I still have not heard any details from OWASP about the nature of the
>>> contribution - even though the vendor shared those details with me.
>>> Five weeks after the vendor made the contribution and I still am not
>>> able to publicly thank them for their contribution.
>>> Five weeks after the vendor made the contribution and I’m still not able
>>> to follow the guidelines outlined in https://www.owasp.org/index.ph
>>> Providing details on the contribution is required if OWASP expects to
>>> have project sponsorship. Even an answer that the contribution was made in
>>> error and was a general contribution instead would be an acceptable answer.
>>> No answer at all is not acceptable and I question OWASP’s ability to
>>> provide project sponsorship in the first place.
>>> The contribution was made using the same/similar mechanism the OWASP
>>> Defect Dojo project uses. I question if that project, or any other project
>>> using this method have received the support they deserve.
>>> If the donor didn’t inform me of their contribution, I would likely
>>> never know about this situation. This is not the type of organization I
>>> want to continue to be associated with.
>>> I am asking for a thorough review, not only on the Dependency-Track
>>> project, but on all projects that use this method of donation.
>>> I have not decided whether or not to continue donating my projects to
>>> OWASP or not. At risk for being pulled from OWASP are:
>>> Dependency-Check Jenkins plugin
>>> Dependency-Check SonarQube plugin
>>> In all cases however, I will be removing the OWASP name from the above
>>> *Steve Springett*
>>> About: https://about.me/stevespringett
>>> GitHub: https://github.com/stevespringett
>>> Keybase: https://keybase.io/stevespringett
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
> *OWASP Foundation*
> Karen Staley
> Executive Director
> karen.staley at owasp.org
> Direct: +1 240.446.2951
> *Consider giving back, and supporting the open source community by
> becoming a member <https://www.owasp.org/index.php/Membership> or making
> a donation <https://www.owasp.org/index.php/Donate> today! *
> *Join us at AppSec Eu 2018 <https://2018.appsec.eu/> 2-6 July in London,
> UK and at AppSec USA 2018 <https://2018.appsecusa.org/> 8-12 October in San
> Jose, CA!*