<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Appreciate that Colin, unfortunately it’s missing several Oct/Nov transactions, even with the date stamp of 11/30/17.<div class=""><br class=""></div><div class="">Thanks,</div><div class="">Brian<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Dec 13, 2017, at 3:14 PM, Colin Watson <<a href="mailto:colin.watson@owasp.org" class="">colin.watson@owasp.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">I stumbled across a document which lists financial transactions per project. Look for the two links under the heading 'Fund Details' on:<div class=""><br class=""></div><div class=""><a href="https://www.owasp.org/index.php/Category:OWASP_Project" class="">https://www.owasp.org/index.php/Category:OWASP_Project</a><br class=""></div><div class=""><br class=""></div><div class="">Last updated 30 Nov 2017. 
I don't think this has been highlighted to project leaders though.</div><div class=""><br class=""></div><div class="">Colin</div><div class=""><br class=""></div><div class=""><br class=""></div></div><div class="gmail_extra"><br class=""><div class="gmail_quote">On 11 December 2017 at 19:47, Brian Glas <span dir="ltr" class=""><<a href="mailto:brian.glas@owasp.org" target="_blank" class="">brian.glas@owasp.org</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word;line-break:after-white-space" class="">Steve,<div class="">You aren’t alone.</div><div class=""><br class=""></div><div class="">I had an OWASP Chapter generously donate to two projects that I’m a co-lead on, and I still can’t confirm that the money has been transferred, hence I can’t publicly say thank you.</div><div class="">He informed me that it was done over three weeks ago and I’ve asked about it and was told to check the donation spreadsheet. As of last week it hadn’t been updated since late Oct. This week it shows that it was updated on Nov 30, but the amounts I’m expecting aren’t in either project’s budget line item. 
I’m not sure what to do at this point as I have zero faith in the accuracy of the numbers in the donation scorecard, but I have no other system to turn to.</div><div class=""><br class=""></div><div class="">Thanks,</div><div class="">Brian</div><div class=""><div class="h5"><div class=""><br class=""><div class=""><br class=""><blockquote type="cite" class=""><div class="">On Dec 10, 2017, at 10:44 PM, Matt Tesauro <<a href="mailto:matt.tesauro@owasp.org" target="_blank" class="">matt.tesauro@owasp.org</a>> wrote:</div><br class="m_5073709872575886972Apple-interchange-newline"><div class=""><div dir="ltr" class="">Steve, <div class=""><br class=""></div><div class="">I'm no longer an OWASP employee but I have a pretty good understanding of how things work at OWASP so maybe I can help.</div><div class=""><br class=""></div><div class="">First I need some info to help narrow down how this donation happened.</div><div class=""><br class=""></div><div class="">(1) When you say:</div><div class="">> <span style="font-family:Helvetica,Arial;font-size:13px" class="">The contribution was made using the same/similar mechanism the OWASP Defect Dojo project uses</span></div><div class=""><span style="font-family:Helvetica,Arial;font-size:13px" class="">Do you mean PayPal?  If so, what form and importantly form variables did you use?  
Look at this previous Leaders List post for more info on PayPal donations: </span><font face="Helvetica, Arial" class=""><a href="http://lists.owasp.org/pipermail/owasp-leaders/2017-November/018762.html" target="_blank" class="">http://lists.owasp.org/pipermail/owasp-leaders/2017-November/018762.html</a></font></div><div class=""><font face="Helvetica, Arial" class=""><br class=""></font></div><div class=""><font face="Helvetica, Arial" class="">(2) When you say:</font></div><div class=""><font face="Helvetica, Arial" class="">> </font><span style="font-family:Helvetica,Arial;font-size:13px" class="">I immediately reached out to OWASP accounting and a few other individuals</span><span style="font-family:Helvetica,Arial;font-size:13px" class=""> </span></div><div class=""><span style="font-family:Helvetica,Arial;font-size:13px" class="">Are these direct emails?  For OWASP accounting, do you mean '<a href="mailto:accounting@owasp.org" target="_blank" class="">accounting@owasp.org</a>'?  Were any of these made to the Contact Us form at </span><font face="Helvetica, Arial" class=""><a href="https://www.tfaforms.com/308703" target="_blank" class="">https://www.tfaforms.com/308703</a>?  Depending on how you reached out to OWASP, the visibility of that request may be restricted to a single person's inbox or co-mingled in a shared inbox used by the current accounting contractors.  
If there's a failure in a particular means to contact OWASP staff, they'd need to know exactly how you reached out so that leaky method can get shored up.</font></div><div class=""><font face="Helvetica, Arial" class=""><br class=""></font></div><div class=""><font face="Helvetica, Arial" class="">(3) When you say:</font></div><div class=""><font face="Helvetica, Arial" class="">> </font><span style="font-family:Helvetica,Arial;font-size:13px" class="">even though the vendor shared those details with me.</span></div><div class=""><span style="font-family:Helvetica,Arial;font-size:13px" class="">Were those details shared in the times you reached out to OWASP?  One thing I learned while on staff is that things are more complex than I ever expected.  Multiple bank accounts in various currencies, 2 primary OWASP charities (OWASP Foundation and OWASP EU), PayPal, RegOnline, EventBrite, Meetup, the new AMS - these are just a few of the methods funds might come into OWASP.  It's a consequence of rapid, organic growth and OWASP trying to meet the needs of a diverse community around the world.  Yes, the org probably could have done a better job providing a 'paved road' for donations but it's rather tricky to find a single funding mechanism that works reliably world-wide and for any currency.  
</span></div><div class=""><font face="Helvetica, Arial" class=""><br class=""></font></div><div class=""><font face="Helvetica, Arial" class="">I'm happy to have this conversation here or you can reply </font><span style="font-family:Helvetica,Arial" class="">directly</span><span style="font-family:Helvetica,Arial" class=""> to me.</span></div><div class=""><font face="Helvetica, Arial" class=""><br class=""></font></div><div class=""><font face="Helvetica, Arial" class="">Cheers!</font></div></div><div class="gmail_extra"><br clear="all" class=""><div class=""><div class="m_5073709872575886972gmail_signature" data-smartmail="gmail_signature"><div dir="ltr" class=""><div class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class=""><div dir="ltr" class="">--<br class="">-- Matt Tesauro</div><div dir="ltr" class="">OWASP AppSec Pipeline Lead</div><div dir="ltr" class=""><a href="https://www.owasp.org/index.php/OWASP_AppSec_Pipeline" style="font-size:12.8px" target="_blank" class="">https://www.owasp.org/index.<wbr class="">php/OWASP_AppSec_Pipeline</a><span style="font-size:12.8px" class=""> </span><br style="font-size:12.8px" class=""><div style="font-size:12.8px" class="">OWASP WTE Project Lead<br class=""><u class=""><a href="https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project" target="_blank" class="">https://www.owasp.org/index.<wbr class="">php/OWASP_Web_Testing_<wbr class="">Environment_Project</a></u><br class=""><a href="http://appseclive.org/" target="_blank" class="">http://AppSecLive.org</a> - Community and Download site</div></div></div></div></div></div></div></div></div></div></div></div></div>
<br class=""><div class="gmail_quote">On Sun, Dec 10, 2017 at 12:10 PM, Steve Springett <span dir="ltr" class=""><<a href="mailto:steve.springett@owasp.org" target="_blank" class="">steve.springett@owasp.org</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word" class=""><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px;margin:0px" class=""><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class=""><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class="">One of the primary reasons why I choose to participate in OWASP projects as well as start my own is the support that the OWASP organization provides including the wiki, appsec activities, and project sponsorship.</div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class=""><br class=""></div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class="">The decision to have donated multiple open source projects to OWASP has been tested over the past month without acceptable results.</div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class=""><br class=""></div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class="">As many of you know, I have been heavily involved in Dependency-Check since 2012 and started Dependency-Track in 2013. 
Dependency-Track v3 (to be released in Q1 2018) will be the result of an entire year of work which has resulted in the creation of several supporting and smaller projects and many enhancements to Dependency-Check along the way.</div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class=""><br class=""></div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class="">One of those smaller supporting projects is actually a big deal to a specific vulnerability intelligence vendor. I am working to incorporate the service the vendor provides as an optional feature into both Dependency-Check and Dependency-Track in an effort to bring additional capabilities to these projects on par with their commercial counterparts. The vendor in turn, chose to sponsor Dependency-Track, an act that I thought was very kind and very much appreciated that would actually benefit both the Dependency-Check and Dependency-Track projects as a result.</div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class=""><br class=""></div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class="">The vendor informed me on November 3rd they made the donation and I immediately reached out to OWASP accounting and a few other individuals throughout the course of November including communications on November 4th, November 8th, November 10th, and November 28th. My purpose for this email is NOT to point fingers at individuals. Relying on a single person in an organization instead of an agreed upon process supported by leadership makes OWASP no better than a recent CEO pointing fingers at a single person for not applying a patch. It’s absurd and laughable. 
If relying on a single person is strategic, that strategy is flawed and needs to be fixed.</div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class=""><br class=""></div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class="">Five weeks after the vendor made the contribution to sponsor the project and I still have not heard any details from OWASP about the nature of the contribution - even though the vendor shared those details with me.</div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class=""><br class=""></div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class="">Five weeks after the vendor made the contribution and I still am not able to publicly thank them for their contribution.</div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class=""><br class=""></div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class="">Five weeks after the vendor made the contribution and I’m still not able to follow the guidelines outlined in <a href="https://www.owasp.org/index.php/Project_Sponsorship_Operational_Guidelines" target="_blank" class="">https://www.owasp.org/index.php/Project_Sponsorship_Operational_Guidelines</a>. </div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class=""><br class=""></div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class="">Providing details on the contribution is required if OWASP expects to have project sponsorship. Even an answer that the contribution was made in error and was a general contribution instead would be an acceptable answer. No answer at all is not acceptable and I question OWASP’s ability to provide project sponsorship in the first place. 
</div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class=""><br class=""></div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class="">The contribution was made using the same/similar mechanism the OWASP Defect Dojo project uses. I question if that project, or any other project using this method, has received the support they deserve.</div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class=""><br class=""></div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class="">If the donor didn’t inform me of their contribution, I would likely never know about this situation. This is not the type of organization I want to continue to be associated with.</div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class=""><br class=""></div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class="">I am asking for a thorough review, not only on the Dependency-Track project, but on all projects that use this method of donation.</div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class=""><br class=""></div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class="">I have not decided whether or not to continue donating my projects to OWASP. 
At risk for being pulled from OWASP are:</div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class=""><br class=""></div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class="">Dependency-Check Jenkins plugin</div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class="">Dependency-Check SonarQube plugin</div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class="">Dependency-Track</div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class=""><br class=""></div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class="">In all cases however, I will be removing the OWASP name from the above projects.</div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class=""><br class=""></div><div id="m_5073709872575886972m_3051510102670520147bloop_customfont" style="margin:0px" class=""><br class=""></div></div></div><br class=""><div id="m_5073709872575886972m_3051510102670520147bloop_sign_1512924062505039104" class="m_5073709872575886972m_3051510102670520147bloop_sign">—
        <table cellpadding="0" cellspacing="0" border="0" class="">
<tbody class="">
                <tr class="">
                    <td class="">
                        <table cellpadding="0" cellspacing="0" border="0" class="">
<tbody class="">
                                <tr class="">
                                    <td colspan="3" style="font-size:13px" class="">
                                        <strong class="">Steve Springett</strong>
                                    </td>
                                     
</tr>
                                <tr class="">
                                    <td nowrap="" style="white-space:nowrap;font-size:13px" class="">About: </td>
                                    <td width="10" class="">  </td>
                                    <td nowrap="" style="white-space:nowrap;font-size:12px" class="">
                                        <a href="https://about.me/stevespringett" target="_blank" class="">https://about.me/stevespringet<wbr class="">t</a>
                                    </td>
                                     
</tr>
                                <tr class="">
                                    <td nowrap="" style="white-space:nowrap;font-size:13px" class="">GitHub: </td>
                                    <td width="10" class="">  </td>
                                    <td nowrap="" style="white-space:nowrap;font-size:12px" class="">
                                        <a href="https://github.com/stevespringett" target="_blank" class="">https://github.com/stevespring<wbr class="">ett</a>
                                    </td>
                                     
</tr>
                                <tr class="">
                                    <td nowrap="" style="white-space:nowrap;font-size:13px" class="">Keybase: </td>
                                    <td width="10" class="">  </td>
                                    <td nowrap="" style="white-space:nowrap;font-size:12px" class="">
                                        <a href="https://keybase.io/stevespringett" target="_blank" class="">https://keybase.io/stevespring<wbr class="">ett</a>
                                    </td>
                                     
</tr>
                            </tbody>
                        </table>
                    </td>
                    <td width="20" class="">  </td>
                    <td class="">
                        <a href="https://www.owasp.org/" target="_blank" class="">
                            <img width="150" height="54" class="">
                        </a>
                    </td>
                     
</tr>
            </tbody>
        </table>
     
</div></div>
<br class="">______________________________<wbr class="">_________________<br class="">
OWASP-Leaders mailing list<br class="">
<a href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank" class="">OWASP-Leaders@lists.owasp.org</a><br class="">
<a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" rel="noreferrer" target="_blank" class="">https://lists.owasp.org/mailma<wbr class="">n/listinfo/owasp-leaders</a><br class="">
<br class=""></blockquote></div><br class=""></div>
</div></blockquote></div><br class=""></div></div></div></div>
<br class=""></blockquote></div><br class=""></div>
</div></blockquote></div><br class=""></div></body></html>