Re: WTF


Andrew van der Stock

May 23, 2025, 12:04:15 AM
to Martin Knobloch, Louis Griffith, Steve Springett, Avi Douglen, Sam Stepanyan, Leaders
Martin,

This is a confidential HR matter. I am unable to respond to your email.

Thanks,
Andrew

On Fri, May 23, 2025 at 6:47 AM Martin Knobloch <martin....@owasp.org> wrote:
OWASP is a community of trust and value.  At least it has been.

How can an ED lay off a staff member in such a way and on such terms?

An ED who OWASP stood up for and hired when he lost his job and was about to lose his green card.

A staff member with 15 years of service, the week before a major conference. With no previous notice of misconduct. 


This is outrageous and OWASP unworthy. 

This is not the foundation I have known and volunteered at for almost two decades. 

-martin
_______________________
Martin Knobloch

OWASP Distinguished Lifetime Member

Gustavo Nieves Arreaza

May 23, 2025, 1:07:02 PM
to Andrew van der Stock, Martin Knobloch, Louis Griffith, Steve Springett, Avi Douglen, Sam Stepanyan, Leaders

Dear OWASP Community,

I have been an active member of this organization since 2018. I joined with enthusiasm, eager to contribute through one of the first OWASP chapters in South America. However, from the beginning, I faced a disappointing reality: I was subjected to bullying by another member for months—simply for leading a chapter that represented geographic diversity. OWASP took no action. The person was never removed. I thought it was an isolated case.

But it wasn’t.

Later, that same individual began offering courses under the OWASP name while evading taxes. I reported it, yet no effective disciplinary action was taken. Again, I believed it was a one-off situation. Until I invited a well-known expert to speak at our chapter. After all the publicity was in place, the guest withdrew disdainfully, stating our audio and visual setup was not “up to his level.” Latin American students, eager to learn, were left behind—disappointed. Such elitism should have no place in a community that promotes inclusion. OWASP has not sanctioned or reprimanded this behavior.

I’ve seen event reimbursements go unanswered. I’ve witnessed chapters led by individuals lacking the technical foundation required to represent OWASP’s mission. I’ve been present for public board resignations at OWASP AppSec conferences. I’ve heard from U.S.-based members that the leadership appears to operate as a closed circle, driven by favoritism. I’ve remained diplomatic—never publicly criticizing the organizations I serve—but I’ve participated in four global academic and educational institutions, and I can say: this situation is unique.

I’ve also seen non-technical books published by self-proclaimed OWASP leaders—books I’ve criticized not out of malice, but because they fail to meet the professional standard expected of someone who claims to represent OWASP. In other organizations, content like this would undergo peer review before being published under the brand.

I’ve seen the same speakers present the same material year after year. It’s always the same faces—often with little to no meaningful presence in public technical spaces such as YouTube, while others with tens of thousands of followers offering new ideas are overlooked.

More concerning still, I’ve noticed that some of my own talks—focused on open-source tools and topics that may challenge the interests of certain partners—have been excluded from the official OWASP YouTube playlists for conference days, making them harder to locate and access. That level of selective visibility contradicts our community’s values of openness and transparency.

I’ve witnessed chapters being shut down arbitrarily, while others—less active or impactful—continue without oversight. When I’ve proposed collaborations with other organizations, I’ve been told I didn’t submit the correct joint participation paperwork—yet I’ve seen others engage freely in far less formal activities.

Even more baffling, I’ve seen new chapters established in remote vineyard towns—places with more grapes than people—in times of online meetings. Are our limited resources really best spent launching chapters in places where there are no communities, no students, no professional base? Shouldn’t our presence and funding be prioritized to reach more people?

This email—now being circulated under the banner of a “confidential HR matter”—is only the latest in a string of uncoordinated decisions, fragmented records, and ambiguous communications. It exposes how outdated our internal processes have become, and how undefined our collective vision remains.


Proposal for Structural Reforms

If OWASP truly aims to remain a credible, global organization, I respectfully recommend the following:

  1. Biannual Leadership Accountability Sessions

    • Two open community calls per year where board members and chapter leaders publicly report:

      • Activities and deliverables.

      • Verifiable technical contributions.

      • Community-building outcomes.

  2. Modernized Governance Framework

    • A formal review of OWASP bylaws with global input.

    • A redefined Code of Conduct supported by an independent ethics committee.

  3. Transparent and Inclusive Speaker Selection

    • Limit repetitive speaker rotations.

    • Elevate underrepresented regional voices through technical merit and community engagement.

    • Base speaker selection on verifiable contribution, not internal favoritism.

  4. Peer Review for OWASP-Branded Publications

    • Require that any training content, books, or educational material bearing the OWASP name undergo technical peer review and meet documented quality standards.

  5. Clear and Traceable Disciplinary Procedures

    • Standardize the handling of disputes, removals, and ethical concerns.

    • Document all actions with full transparency—not hidden behind blanket “confidentiality.”


After seven years in this community, I must ask:

Are the rules the problem—or has the leadership lost its vision?

I say this not as an outsider, but as someone who has lived and worked in four countries and who recognizes the signs of an open community slowly closing in on itself—afraid to define what it is becoming. And sometimes, it seems we’re becoming a private club of favoritism.

I write not to offend, but to awaken awareness. Believe me—what I’ve witnessed, many others have seen too. And we know it. The difference is that while some endure it, others simply enjoy watching it unfold. OWASP can still change course, but only if we move beyond this culture of silence and complicity, and finally embrace transparency and accountability.

I’m not an idealist. I’m practical. And the truth is—month after month—I hear less and less about OWASP. This is bad for our organization and business.

It will only change by redefining the vision. That means the change must be deep.

Regards.


--
You received this message because you are subscribed to the Google Groups "Leaders" group.
To unsubscribe from this group and stop receiving emails from it, send an email to leaders+u...@owasp.org.
To view this discussion visit https://groups.google.com/a/owasp.org/d/msgid/leaders/CADtrMx7-QR%3D7fQXBo-45u5sTy0RfC8VngquUCK%3DRiCzQH%3D-8zQ%40mail.gmail.com.


--

Gustavo Arreaza

OWASP Leader 

IEEE Paris Author 

EC-Council Courses Creator

Co-Author and peer review in the Cloud Security Alliance.

Speaker in 4 Continents about Cybersecurity

Bil Corry

May 23, 2025, 6:07:37 PM
to Gustavo Nieves Arreaza, Andrew van der Stock, Martin Knobloch, Louis Griffith, Steve Springett, Avi Douglen, Sam Stepanyan, Leaders

This has splintered from the original thread, but I'll offer some thoughts:

  1. Biannual Leadership Accountability Sessions

    • Two open community calls per year where board members and chapter leaders publicly report:

      • Activities and deliverables.

      • Verifiable technical contributions.

      • Community-building outcomes.


Andrew has done townhalls in the past, I agree this seems like a good idea.


  2. Modernized Governance Framework

    • A formal review of OWASP bylaws with global input.

    • A redefined Code of Conduct supported by an independent ethics committee.


We had the bylaws reviewed by our attorney and updated them not too long ago.  You can, at any time, propose a change to the bylaws and ask the Board to discuss and vote on it.  Note that any bylaw change has to adhere to US and Delaware law, so some changes are not possible.  I suggest sending your proposal to this Leaders list first to refine it based on community feedback.

Likewise, you can propose a change to the Code of Conduct.  Send your proposed change to Andrew and ask it to go through the policy review process.  There's a policy review team made up of members that reviews changes and votes on them to send on to the Board.

As for the "independent ethics committee", we already have an independent team of compliance officers (OWASP members, not Board members) that oversee violations of the code of conduct:

https://owasp.org/www-policy/operational/whistleblower

  3. Transparent and Inclusive Speaker Selection

    • Limit repetitive speaker rotations.

    • Elevate underrepresented regional voices through technical merit and community engagement.

    • Base speaker selection on verifiable contribution, not internal favoritism.


Speakers are selected using a blind process where volunteers of the Conference Committee rate the proposed talks based on the submitted abstracts without knowing who the speakers are.  The talks that get the most votes are generally invited to speak at the conference.

As far as I know, we do not prohibit speakers from submitting again the following year.  You could suggest this to the Conference Committee, which is responsible for the rules around this.  I do think we try to limit speakers to just a single talk per conference, as some speakers submit multiple talks.

For underrepresentative voices, OWASP would love more speakers, especially first time speakers.  If you have ideas, please send them to the Conference Committee.  One thought I had was to offer a free speaker training that helps people refine their proposal.

You mentioned favoritism for speakers, but as mentioned above, speaker selection is a blind process, it's not based on favoritism nor contributions.  What you're seeing is the effect of some people submitting multiple talk proposals for every conference and their proposal is well done (since they have been selected in the past and know what to do to get accepted).  One idea floated is to carve out a few speaking slots for newer speakers, but any other ideas you have should be sent to the Conference Committee.


  4. Peer Review for OWASP-Branded Publications

    • Require that any training content, books, or educational material bearing the OWASP name undergo technical peer review and meet documented quality standards.

I don't know the process for this, but you should send this suggestion to the Project Committee.  


  5. Clear and Traceable Disciplinary Procedures

    • Standardize the handling of disputes, removals, and ethical concerns.

    • Document all actions with full transparency—not hidden behind blanket “confidentiality.”

Handling of disputes is governed by a few policies, depending on the nature of the dispute; e.g. Code of Conduct, BoD Code of Conduct, Conflict Resolution, Conflict of Interest, and Whistleblower Policy.  If you think something is missing or they should be revised, you should propose a change and send it to Andrew to have it go through the review process.

Full transparency isn't possible in some cases where it's illegal, otherwise it's up to the discretion of the Board.  But speaking as a former Board member and former Compliance Officer, I wouldn't be in favor of it because it would cause reporters to second guess reporting offenses if they know their name and complaint will be made public.  And since every one of these could result in a lawsuit, generally it's a bad idea anyway.  I do understand the motivation though in wanting to ensure a fair process, but you'll have to trust the people you elected to the board.

In the case of a Foundation employee (which is what this thread is about), Andrew is correct in that it's a HR issue and he cannot legally share any details publicly.


- Bil


Takaharu Ogasa

May 23, 2025, 6:29:38 PM
to Bil Corry, Gustavo Nieves Arreaza, Andrew van der Stock, Martin Knobloch, Louis Griffith, Steve Springett, Avi Douglen, Sam Stepanyan, Leaders
Hi leaders,

Is anyone out here who can explain what is happening in plain, understandable, short language? I simply love people involved in this community and want to do so.

Takaharu Ogasa 
--
Takaharu Ogasa (@takaharuogasa)
OWASP Sendai Local Chapter Leader
https://www.owasp.org/index.php/Sendai

On Sat, May 24, 2025 at 0:07, Bil Corry <bil....@owasp.org> wrote:

Gustavo Nieves Arreaza

May 23, 2025, 9:28:07 PM
to Takaharu Ogasa, Bil Corry, Andrew van der Stock, Martin Knobloch, Louis Griffith, Steve Springett, Avi Douglen, Sam Stepanyan, Leaders

Hi Takaharu, and fellow leaders,

Thank you for your thoughtful question, Takaharu — and for bringing this conversation back to what really matters: clarity, fairness, and accountability.

To summarize:

  1. This thread began when a long-time OWASP leader publicly raised concerns about the dismissal of a staff member. In doing so, they disclosed sensitive personal information about another leader — a possible violation of OWASP’s Code of Conduct, particularly regarding confidentiality and professional respect.

  2. The response came — not through internal channels — but via a message sent to the entire Leaders list, reframing the issue as a confidential HR matter. That action bypassed protocol and transformed a legitimate community concern into a procedural deflection.

  3. My email followed — not to escalate, but to show that this is not new. Back in 2018, I reported serious misconduct: OWASP-branded training sold without tax compliance, documented bullying, and abuse of leadership. These reports were ignored. That silence pointed to a deeper, long-standing issue:

  4. Selective enforcement and institutional favoritism within OWASP — alongside other recurring structural problems.


Ironically, the leader who replied to my message — Bil — inadvertently validated that point by displaying partiality: affirming leadership behavior while minimizing longstanding concerns, and advising me to “open a ticket,” as if this were a routine case.

Yet both leaders involved in the original incident bypassed that very process and addressed the full community directly.

That alone reveals how OWASP governance is applied inconsistently — depending on who is speaking.

And frankly, this felt less like a fair engagement and more like an amateur political maneuver — an attempt at distraction or damage control after the window had already closed.

For the record, the most serious cases I referenced were reported through the appropriate channels at the time — including during your tenure, Bil — but no action was taken, as I mentioned in my earlier message.

If you’d like to review those reports again, I’m happy to forward the original emails.

Which raises a difficult but necessary question, Bil:

Will these violations of OWASP’s Code of Conduct — including your own potential breach of impartiality — be reviewed under the same rules we’re all expected to follow?


  5. Returning to the main point:

If we truly respect OWASP’s governance model, we must also expect meaningful change — not just recycled names.

This is not about personal conflict.

It’s about whether OWASP is still capable of evolving into the open, transparent, and technically respected foundation it was meant to be — at least as described in its own Code of Conduct.

Because frankly, it doesn’t even seem like some of you are able to work together constructively anymore — let alone lead a global community.

I say this with full awareness and experience — after 7 years in OWASP, having contributed across multiple levels.

And I can say with certainty:

This isn’t new. It keeps happening at every layer of the organization.

And if after all this time — with all the reports, experiences, and reform proposals — situations like the one I mentioned still represent the current state of affairs,

then it’s clear that what has been done so far has not been enough.


Warm regards,

Gustavo Arreaza

OWASP Leader | IEEE Paris Contributor | CSA Co-Author & Peer Reviewer | EC-Council Content Creator


--

Gustavo Arreaza

Engineer 

IEEE  Researcher 

Cloud Security Alliance Co-Author

OWASP Leader 

Founder, AppSecCL INC, Inc registered in Delaware since 2021

ti...@owasp.org

May 23, 2025, 11:30:17 PM
to Takaharu Ogasa, Bil Corry, Andrew van der Stock, Martin Knobloch, Louis Griffith, Steve Springett, Avi Douglen, Sam Stepanyan, Leaders, Gustavo Nieves Arreaza
Hello! I can hardly associate Martin with ‘they’ 😂, and also a concentrated use of normative words like fairness and inclusivity doesn’t help in enhancing practicality. Traumas older than the circumstances we can reconstruct do not help in a pragmatic discourse either. I can understand the disappointment caused by multiple cases, but that does not prove the point about systemic decline. We might afford to have chapters in vineyards, or even advertise those, if on the other hand the practical/performance numbers are good in terms of delivering our mission. I tend to trust Bil in that the existing framework as a system is sufficient for handling the mentioned issues, so let’s review the live problematic cases case by case. Martin brought up a case; I trust him in designating it as an extraordinary one. If a person was mistreated, then let’s first fix that individual pain. If it’s confidential, then let the representatives of the conflicting views, Andrew and Martin, work on it together in their black box and report to us later in terms which are public.

Cheerz,
Timur

Bil Corry

May 23, 2025, 11:44:50 PM
to Gustavo Nieves Arreaza, Takaharu Ogasa, Andrew van der Stock, Martin Knobloch, Louis Griffith, Steve Springett, Avi Douglen, Sam Stepanyan, Leaders
I've had a hard week, and so I don't have the energy to have yet one more difficult conversation.  Some thoughts then I'll dip out.  If there's interest in discussing it further, let's schedule a call in a few weeks after the OWASP conference in Barcelona is over as I suspect we're misunderstanding each other and a conversation will be more productive than this.
  1. My comments were only regarding your "Proposal for Structural Reforms".  I purposely did not address the other items.  You asked for structural changes, I told you how to get them.
  2. I don't understand your claim that I'm "affirming leadership behavior" by telling you how to achieve your structural reforms.  Can you be more specific?
  3. I also don't understand the "open a ticket" comment, that's the process to make your Structural Reforms a reality.  If you think there's a better way to do it, propose that.  Or if you think some other action should be taken, then describe it and build momentum.
  4. If you think a violation of the code of conduct has taken place, I encourage you to file a complaint.
  5. I don't understand how I breached "impartiality" by describing the existing processes for you to achieve what you said you wanted.  I am helping you, 90% of my message was factual in nature and the rest were my thoughts (which I am entitled to have, just like you).  It's weird you are calling me out as somehow maligning you.
  6. You wrote (in bold): "Will these violations of OWASP’s Code of Conduct — including your own potential breach of impartiality — be reviewed under the same rules we’re all expected to follow?"  The words that preceded this sentence did not draw a line to me violating the code of conduct or at least I don't see it, but would like to understand.  Can you quote from my first email the sentences that you think show impartiality?  And the answer to your question is "yes", everyone follows the same rules.  File a complaint if you think it's warranted.
Now, all that said, if you thought I was commenting on what Martin and Andrew were discussing or your comments about it, I was not.  Re-read my message, I only addressed the Structural Reforms.  My comments were only about the Structural Reforms.

Have a great weekend,

- Bil

Christian Folini

May 24, 2025, 12:47:00 AM
to lea...@owasp.org
Dear all,

Thank you for your sensible and passionate takes on this.

Back in the day, we used to have long, strenuous, sometimes idiotic, often
emotional but always passionate and strongly invested discussions on this
mailing list.

At a given moment, and during a particularly hard quarrel, the list was put
on "moderate" and this pretty much killed it.

From my perspective, this also killed the community feeling around
OWASP (leaders). And the leaders Slack channel certainly never obtained
a similar value.

OWASP has wonderful sides to it and it can also be a pretty dark place some
of the time. I am confident we all want to bring it forward, but there are
so many structural challenges that make this very hard.

I think the bylaws are all sound and written in good faith. There is a lot of
governance and due process. Yet sometimes, tickets are not what bring you
forward. You have to talk to people to feel their needs and their position.
You need to reach out and hear what the wider audience (beyond the tickets)
has to say. I really like the townhalls in this regard.

It is also important to have a valve somehow where people can let off steam
to a wider audience and be heard with their concerns. Maybe we overdid this
in the past on this list. But we have certainly stayed too low in this regard
in recent years. For if you do not have such a valve, people carry their
grudge, poison their projects with it or pull out of the organization.

So whatever you state, whatever you claim: I welcome the discussion about
OWASP and about dreams and the goals we share for OWASP.

Best regards,

Christian Folini


On Fri, May 23, 2025 at 03:07:24PM -0700, Bil Corry wrote:
> This has splintered from the original thread, but I'll offer some thoughts:
>
> 1. *Biannual Leadership Accountability Sessions*
>    - Two open community calls per year where board members and chapter
>      leaders publicly report:
>      - Activities and deliverables.
>      - Verifiable technical contributions.
>      - Community-building outcomes.
>
> Andrew has done townhalls in the past, I agree this seems like a good idea.
>
> 2. *Modernized Governance Framework*
>    - A formal review of OWASP bylaws with global input.
>    - A redefined Code of Conduct supported by an independent ethics
>      committee.
>
> We had the bylaws reviewed by our attorney and updated them not too long
> ago. You can, at any time, propose a change to the bylaws and ask
> the Board to discuss and vote on it. Note that any bylaw change has to
> adhere to US and Delaware law, so some changes are not possible. I suggest
> sending your proposal to this Leaders list first to refine it based on
> community feedback.
>
> Likewise, you can propose a change to the Code of Conduct. Send your
> proposed change to Andrew and ask it to go through the policy review
> process. There's a policy review team made up of members that reviews
> changes and votes on them to send on to the Board.
>
> As for the "independent ethics committee", we already have an independent
> team of compliance officers (OWASP members, not Board members) that oversee
> violations of the code of conduct:
>
> https://owasp.org/www-policy/operational/whistleblower
>
> 3. *Transparent and Inclusive Speaker Selection*
>    - Limit repetitive speaker rotations.
>    - Elevate underrepresented regional voices through technical merit and
>      community engagement.
>    - Base speaker selection on verifiable contribution, not internal
>      favoritism.
>
> Speakers are selected using a blind process where volunteers of the
> Conference Committee rate the proposed talks based on the submitted
> abstracts without knowing who the speakers are. The talks that get the
> most votes are generally invited to speak at the conference.
>
> As far as I know, we do not prohibit speakers from submitting again the
> following year. You could suggest this to the Conference Committee, which
> is responsible for the rules around this. I do think we try to limit
> speakers to just a single talk per conference, as some speakers submit
> multiple talks.
>
> For underrepresentative voices, OWASP would love more speakers, especially
> first time speakers. If you have ideas, please send them to the Conference
> Committee. One thought I had was to offer a free speaker training that
> helps people refine their proposal.
>
> You mentioned favoritism for speakers, but as mentioned above, speaker
> selection is a blind process, it's not based on favoritism nor
> contributions. What you're seeing is the effect of some people submitting
> multiple talk proposals for every conference and their proposal is well
> done (since they have been selected in the past and know what to do to get
> accepted). One idea floated is to carve out a few speaking slots for newer
> speakers, but any other ideas you have should be sent to the Conference
> Committee.
>
> 4. *Peer Review for OWASP-Branded Publications*
>    - Require that any training content, books, or educational material
>      bearing the OWASP name undergo technical peer review and meet documented
>      quality standards.
>
> I don't know the process for this, but you should send this suggestion to
> the Project Committee.
>
> 5. *Clear and Traceable Disciplinary Procedures*
>    - Standardize the handling of disputes, removals, and ethical concerns.

Jim Manico

May 24, 2025, 4:35:08 AM
to Gustavo Nieves Arreaza, Andrew van der Stock, Martin Knobloch, Louis Griffith, Steve Springett, Avi Douglen, Sam Stepanyan, Leaders

Gustavo,

Thanks for taking the time to share your frustrations and proposals. It’s clear that your commitment to OWASP runs deep, and I believe passionate people like you are the lifeblood of the organization.

I want to acknowledge the pain that can come from working hard in a mission-driven community and feeling unheard or unsupported. Your voice matters, and I’m grateful you’ve chosen to speak up.

Let me offer a bit of perspective.

As a former board member and long-time volunteer, I’ve seen (over 20 years) that OWASP isn’t a corporation with a rigid hierarchy or professional infrastructure. At its core, it’s a charity powered by volunteers - people who give their time out of passion for security, education, and community. That includes chapter leaders, board members, project contributors, and more.

Because of this structure, progress at OWASP can sometimes be very messy. Mistakes happen. Processes stall. People fall short. And yes - favoritism, poor communication, and inaction can show up and frustrate us all. But in most cases, these aren’t signs of malice or corruption - they’re the realities of a small nonprofit trying to serve a global mission with limited resources and mostly unpaid labor.

That said, your calls for more transparency, better content quality, and inclusive leadership are absolutely valid. Many of us agree and are working - slowly and sometimes imperfectly - toward the same goals. Bil Corry, who in my opinion is one of the most mature leaders that we have today, was very insightful in his response and described how to go about effecting positive change.

Still, I believe the tone of reform matters just as much as the reforms themselves. OWASP doesn’t need stricter punishments or more bureaucracy. It needs more compassion. More mentoring. More open invitations to contribute. The same volunteers we may be frustrated with are often the ones quietly holding the community together - day after day, often without recognition.

If OWASP is drifting, it won’t be saved by shame or mandates. It’ll be saved by a return to our core values: openness, technical excellence, humility, and collaboration. The best way to change the organization is to continue to help lead it.

I’ll be honest - I've struggled with people, and people have struggled with me. But someone once gave me a piece of advice that stuck with me: “Put people in a place where you can love them.” That’s how I try to approach OWASP. I avoid the parts that burn me out and stay close to the parts where I still feel excited to contribute - just like I did 20 years ago.

Thanks again for your passion and service to the community.

With respect and appreciation,
Jim Manico
Former OWASP Board Member
Founder, Manicode Security

-- 
Jim Manico
Founder, Manicode Security
LinkedIn: https://www.linkedin.com/in/jmanico
Shoot me an email: j...@manicode.com
Give me a ring: +1 (808) 652-3805
Let's set a date: calendly.com/manicode
Passion: Secure Coding Education

Gustavo Nieves Arreaza

May 24, 2025, 12:40:03 PM
to Bil Corry, Takaharu Ogasa, Andrew van der Stock, Martin Knobloch, Louis Griffith, Steve Springett, Avi Douglen, Sam Stepanyan, Leaders
Hi Community.

Bil, I’d like to propose sending you the complete version of the structural proposal by email next Tuesday. Additionally, it would be valuable to create a dedicated channel where others can share their ideas and proposals for your review (not the ticketing system, please). From there, we could seek support within the community to move it forward through online sessions, voting, and, if feasible, by coordinating volunteer hours to assist with the review process. If approved, this could represent a meaningful improvement for OWASP.

Let me be clear: I have nothing personal against you. In fact, I appreciate the effort you’re putting into leading an event of this scale with a limited team, and that you’re also taking time to address structural matters.

My point — which perhaps wasn’t clearly understood — is that you referenced individuals who defined certain processes. That is valid and necessary, but only so long as previous emails don’t also depict those same leaders engaging in exchanges that contradict the very principles we promote. In that context, citing their names as examples of best practices can lead to confusion. That’s how I interpreted it.

I use bold text only to highlight key ideas visually — not as a critique of your conduct, which I am not calling into question. This is about the context and the moment.

Folini is right in pointing out that the ticketing system is not functioning properly — not in terms of the technology itself, but in the resolution process behind it. The channel exists, yes, but the way responses are managed, followed up on, and resolved has not produced the level of meaningful feedback expected in a community committed to continuous improvement. My intent is not to discredit it, but rather to recommend revisiting the governance model that supports it.

Regarding both public perception and internal culture, it’s important to recognize that even informal or private exchanges between leaders can project an image inconsistent with OWASP’s values. Digital dynamics are not immune to scrutiny, and it’s essential we maintain alignment with our community principles.

I once witnessed a leadership meeting in which inappropriate content was drawn during a screen share. While isolated, that incident underscored the need to strengthen institutional maturity across all levels.

Furthermore, when certain topics are proposed to be resolved non-transparently or through side channels, while using language that can be interpreted as inappropriate, it’s worth asking whether such attitudes align with the OWASP Code of Conduct. These types of incidents must be assessed objectively — not just based on their immediate impact, but for what they represent in terms of our organizational culture, especially when they originate from the co-leadership of OWASP Hungary.

It’s also important to acknowledge that incidents of this nature — even when shared in smaller or private settings — tend to surface eventually. Denying that they represent signs of cultural decline is not only short-sighted, but also shows a lack of academic and structural understanding of how governance dynamics work in collaborative environments.

Hungary and the global OWASP community deserve an environment that consistently reflects the values we publicly uphold.

Takaharu — I love Asia. I’ve yet to give a talk there, but I’m absolutely open and available when the opportunity arises.

When the time comes, I’ll bring the Sapporos… or the Ichibans — your choice!

As for John Mancini,

In past meetings, I noticed a strong technical posture, which is valuable in demanding environments. I also recognize your recent public openness, which is a positive step. That said, receiving an image like the one shared with me today prompts a valid question:

Let’s ask ourselves whether this constitutes a violation of the OWASP Code of Conduct — or, at the very least, reflects poor timing and judgment given the current context.

unnamed.jpg

Let me remind everyone that this thread began because all leaders were copied in an email thread raising concerns about the leadership structure.

And it has continued here because, as Fabio rightly pointed out, this has been the most effective channel we’ve had for enacting real change. While other tools may be more advanced technologically, it is in this space that genuine impact and meaningful discussion happen.

Also, I’d like to highlight that the previous email — the one Bil responded to in this email thread — did not only expose problematic situations or governance concerns. It also presented five concrete short-term improvement proposals, which anyone is welcome to review and discuss further.

Enjoy your weekend.

ti...@owasp.org

May 24, 2025, 1:35:10 PM
to Gustavo Nieves Arreaza, Bil Corry, Takaharu Ogasa, Andrew van der Stock, Martin Knobloch, Louis Griffith, Steve Springett, Avi Douglen, Sam Stepanyan, Leaders
Gustavo, hi, you clearly hijacked this thread, flooded it with tons of paragraphs, many offensive statements, and references to traumatic experiences. First of all, why do you feel like you are representing a meaningful reform movement in improving OWASP?

The practice you try to force on us doesn’t seem to me academically sound; it rather has a generative flavour.

PS. In order to give more input for generating passages reflecting on my comments and questions please consider using the fact that I’m a Russian citizen. 🙀🙀🙀 (And that the chapter didn’t fulfil the 3-4 meetings requirement last year.)

Cheerz,
Timur

Gustavo Nieves Arreaza

May 27, 2025, 6:33:42 PM
to Andrew van der Stock, Martin Knobloch, Louis Griffith, Steve Springett, Avi Douglen, Sam Stepanyan, Leaders
image.png