Expired OWASP membership - no email reminder/notification issue


Sam Stepanyan

Apr 6, 2021, 12:33:16 PM
to Leaders, Lisa Jones
Hello OWASP Leaders,

If in 2019-2021 you had an issue of not getting email reminders when your OWASP membership expired, can you please reply?

I am aware of at least 4 leaders (including myself) who had this problem in the past, just trying to identify if the problem was more widespread and to help OWASP Staff to fix this going forward.

Thanks and regards,
Sam

-- 
Sam Stepanyan
OWASP London Chapter Leader
OWASP Chapter Committee Chair
sam.st...@owasp.org
https://owasp.org/www-chapter-london/
Follow OWASP London Chapter on Twitter: @owasplondon
"Like" us on Facebook: https://www.facebook.com/OWASPLondon
Watch video recordings of our events on YouTube: https://www.youtube.com/OWASPLondon

Consider giving back and supporting the open community by becoming an OWASP member today! 

Andrew van der Stock

Apr 6, 2021, 5:44:52 PM
to Sam Stepanyan, Leaders, Lisa Jones
Hi Sam,

There's a motion coming up that will allow any member who had failed to be eligible for standing at the 2022 elections this coming June. The motion has passed, so the main detail here is not that folks weren't notified (there was a period during last year where it definitely did not work, but that was quickly resolved). We can tell if a message was delivered through Mail Chimp, if it was opened, and if the person clicked the links within. I will look into any reports of folks stating that they did not get messages in case our system has yet more faults, but the motion itself takes away any uncertainty that people will be ineligible to stand.

I must note that the bylaws require no such notifications on the Foundation's part. If anyone is likely wanting to stand for the Board, they need to maintain their membership in good standing. To take away uncertainty, please note the following:

* Lifetime and Two Year memberships are easily the safest way to maintain good standing
* Single Year memberships can be set up to auto-renew, so you do not need to watch out for notifications, as only Stripe needs to be functional and no other part of our systems. We will be adding two year auto-renew soon.
* Honorary and Complimentary memberships do not auto-renew and do not provide notifications. This is by design. You must manually re-apply annually, so please make sure you keep this in your diary. There are less than 20 individuals out of 4,000 who have complimentary membership, and all Honorary memberships will have expired by the end of July this year. If you are running for the Board, you cannot hold Honorary or Complimentary membership, it must be a paid one or two-year membership or lifetime membership. It's best to sort this out before the June election announcement.

thanks,
Andrew


W.Martín Villalba

Apr 7, 2021, 3:22:41 AM
to Andrew van der Stock, Joubin Jabbari, Sam Stepanyan, Leaders, Lisa Jones, Haral Tsitsivas
Hi @Andrew van der Stock and OWASP leaders,

> If you are running for the Board, you cannot hold Honorary or Complimentary membership, it must be a paid one or two-year membership or lifetime membership. It's best to sort this out before the June election announcement.

I find the statement above extremely disturbing.  After major discussions and roadblocks, I was finally granted honorary membership last year based on my work (many hundred hours) as the OWASP Santa Barbara chapter leader (~mid 2018 - Present) and as one of the key organizers for AppSec California 2019 & 2020.  I do not recall anyone telling me about any differences between the honorary and regular/paid memberships. I can confidently say that the restriction above was not mentioned to me at the time I was granted honorary membership, and I had no idea about it until now.

All the above is on top of a similar issue I had last year, where I wasn't able to run for the Board because I actually wasn't even an "OWASP member".  I had already spent a couple hundred hours on rebooting the Santa Barbara chapter and becoming a key organizer for AppSec Cali, but I was still not considered an OWASP member because I hadn't paid the $50 membership.  I had incorrectly assumed to be true something that IMO should have been common sense: if you're an official leader for OWASP, then you're an OWASP member.  

I cannot understand why the Foundation is obsessed about having leaders pay for their memberships. Donating time as leaders and doing great work for the cause is not enough?  Like that's not worth a lot more than the $50 paid membership?  As a leader who has spent a ton of time supporting the Foundation and our mission, I keep being extremely disappointed with this kind of decision and it just keeps driving me away. Needless to say, it's a matter of principles, not the $50.

Regards,

Martín

Jim Manico

Apr 7, 2021, 7:06:54 AM
to W.Martín Villalba, Andrew van der Stock, Joubin Jabbari, Sam Stepanyan, Leaders, Lisa Jones, Haral Tsitsivas

This is my personal opinion on the matter.

  • One of the main roles of the board is fundraising and helping keep the finances of the foundation healthy.
  • As you can imagine, OWASP has financial troubles due to a lack of conference income, and we need to take measures to ensure we can pay our overworked staff and similar. Board members need to help address this shortcoming in a big way.
  • OWASP honorary and free memberships, in the past, have been given out frequently with less robustness than I have seen in other non-profit organizations.

I think with these (and other considerations) in mind, it is very sensible to request that folks running for the board have paid memberships. It's not just the 50$ but it's also a clear sign that folks running for the board will take the financial responsibility of helping run OWASP seriously.

Like you, Martin, I have put countless hours into volunteering for the foundation and continue to do so. I was granted a complimentary membership in the past and rejected it and paid for a lifetime membership. I have also donated money to OWASP in the past (while I was a board member) outside of my membership fee and will do so again in the future.

I do not mean to diminish your opinion below, I understand you are very upset at this new policy. I just wanted to assert a counter-opinion regarding how I personally feel leaders should relate to OWASP financially.

Respectfully,

- Jim Manico

Azzeddine Ramrami

Apr 7, 2021, 9:34:38 AM
to Leaders, W.Martín Villalba, Andrew van der Stock, Joubin Jabbari, Sam Stepanyan, Lisa Jones, Haral Tsitsivas, Jim Manico
Hello,
I agree with Jim. All volunteers for OWASP should pay membership fees to help the foundation.
For me I will renew my membership and pay for a lifetime in September 2021.

Cordialement/Regards/Mit freundlichen Grüßen/Cordiali saluti/Saludos/تحية خالصة 

Azzedine Ramrami


OWASP Morocco Chapter

OWASP AppSec Africa President


IBM Security - Senior Security & Network Architect
Data & Application Security, Cognitive Security, IoT/OT/ICS/SCADA Security & SIEM
Certified Mile2 CPTE/CPTC/CDFE/CSWAE and EC-Council C|EH
OWASP Morocco Leader/OWASP AppSec Africa President
IBM Security Global Speaker

OWASP RAF Project Leader

OWASP CSRFGuard Project Leader

Consider giving back, and supporting the open source community by becoming a member or making a donation today! 

Join us at AppSec Morocco & Africa 2020 November 5/7 Casablanca/Morocco




Phone: +33 1 58 75 18 17 | Mobile: +33 6 65 48 90 04 / +33 6 10 25 93 15
E-mail:    azzedine...@fr.ibm.com      azzeddin...@gmail.com
Skype: azzeddine.ramrami


Andrew van der Stock

Apr 7, 2021, 11:25:58 AM
to Leaders, Azzeddine Ramrami, Martín Villalba, Andrew van der Stock, Joubin Jabbari, sam.stepanyan, lisa....@owasp.com, haral.tsitsivas, Jim Manico
Martin,

I looked up the bylaws of our foundation to make sure what I said was correct, and it says this:

> At the time of their election, to qualify to stand, candidates must hold an Individual membership, Lifetime membership, or hold a valid Honorary Membership. This membership must have been in place for a 12 month period prior to the date of the election.

So I am somewhat incorrect, and also partially correct. As all honorary memberships created prior to the complimentary leadership bylaw change will have expired by the time of the election itself, any current honorary members who may wish to run for the Board will need to replace that honorary one year membership with an individual (one or two year), Lifetime, or have the Board vote on a Lifetime Honorary membership (the only sort on offer at the moment) by the time candidates are formally declared at the end of October, well past all current honorary memberships' expiry dates. So I was both incorrect and technically correct at the same time.

The revamped Lifetime Honorary Membership type takes honorary memberships to where they should have been: a strong recognition of those who have done so much for OWASP, our mission, and for so many over a long period of time. Any future Honorary Lifetime members will be eligible to be candidates as long as they haven't failed any other qualification barrier, such as exceeding Board term limits. There are precisely zero of these members right now, so the 12 month good standing clause of the bylaw cannot apply to this year's election. Again, my initial statement was incorrect but also technically correct.

Complimentary membership is far easier to obtain, and for those who have no intention of running to the Board, complimentary membership is a good change. We had more folks accessing the complimentary membership benefit than Honorary members in the previous 12 months.

I'll inject my experience of being an ex-Board member, and now ED. US non-profit (and generally, worldwide too) Directors have a duty of loyalty. To comply with this, we have made decisions over the years from our inception as a Foundation to now to apply rules that prevent self-dealing, loans, or payments to directors. We adopted Robert's Rules of Order last year to assist Directors in understanding when the time is appropriate to recuse themselves from decision making. If a Director was inextricably bound up in complimentary or recurring honorary membership, a value of $50 per year, an argument can be made for de minimis (i.e. too small to matter), but it could be also argued that they would need to sit out discussions or votes around membership, which is also clearly inappropriate.

The three main functions of the Board: ensure that the Foundation is governed well and has decent financial oversight and controls, strategic direction to make sure that we evolve our mission and make an impact, such as creating new initiatives and by fundraising and grant-making, and being accountable for the bylaws and policies they make that help set our strategic direction. As membership and chapters are a core part of OWASP, it would be impractical for any Director to sit out discussions or not involve themselves in any membership improvements.

What does this mean for a non-profit membership organization? I'd strongly argue that Directors are expected to be members and are expected to fundraise for the foundation in an ethical way. I don't want to be a gatekeeper preventing hard-working and deserving folks from getting on the Board by requiring paid Lifetime membership, but I think it's telling that nearly all of our current Board (and I know I was as well) are Lifetime members. We believe in our mission, and we demonstrate that through the membership of our organization. I would like to think any member who wants to be a Director of a membership foundation would want to be a member in good standing. It's just easier if you're a long-term member (two year or Lifetime) as the current issues in the bylaws surrounding good standing just go away, and everyone including the Board, our community, and our staff can concentrate on doing our mission, fundraising, getting your initiatives through, and making our community better. As an example, I need to be working on other stuff right now, but instead I'm sure we'll be dealing with this some more over the next few months.

To me, worrying about $50 per year per Director is a waste of the Board's and the staff's time. I'd like to see it reformed so that it both supports the idea that Directors should be members, but the implementation of that by the individuals themselves as well as our operational assistance in maintaining good standing are improved. I would encourage anyone who is interested in this topic to come to this month's Board meeting, as I'm sure there will be a discussion on this topic. I will raise it as a discussion item with Sherif and Vandana at my meeting with them shortly.

thanks,
Andrew

Timur X. kHrotko

Apr 7, 2021, 11:41:51 AM
to Azzeddine Ramrami, W.Martín Villalba, Jim Manico, azzedine...@owasp.org, Leaders, Andrew van der Stock, Joubin Jabbari, Sam Stepanyan, Lisa Jones, Haral Tsitsivas, Timur 'x' Khrotko [ddeu]
@Jim Manico @Azzeddine Ramrami I understand your approach. But imo insisting on the 50 as a mandatory contribution is only a matter of principle or a prescription of your ritual to others. If some leaders feel like they as performant leaders already deserve a membership -- that's also a valid point of view given their contribution is as significant as Martín's. My contribution to OWASP (beyond arguing with you guys all the way))) is negligible in comparison to you, Jim, and nothing close to what Martín and Azzeddine contribute (so I could accept this new requirement imposed on me actually). But subjectively I feel like if I devoted my significant time to OWASP that's hard cash (see opportunity cost) and this logic has also its reasonable grounds -- and I would feel more comfortable in OWASP if this approach was also respected. Wouldn't you find it beneficial if in exchange to my comfort I did better and more for the community?

If Foundation or any other mechanism in OWASP could measure not only basic formal/quantitative KPIs of a chapter/leaders (sometimes as ridiculous and nonsense as keeping your Holy Official chapter .md up-to-date even if practically *no one* in our audience uses it as a source of news) but also the quality of the meetups or any other professional metric then we could categorize leaders according to their yearly contribution and maybe accept that some level of contribution eliminates the requirement of the 50 usd contribution. But the Foundation does not have skills to understand what we do in terms of quality.

@Jim Manico If you refer to financial troubles in this context (which reasoning was an ace in many other discussions) I could say that the real significant governance/budgeting response could have been that OWASP outsources its community and technical administration to much much cheaper countries with a comparable level of workforce professionalism, like Eastern Europe probably. (I should stress that actually I'm absolutely against abandoning American workshops and outsource performance abroad when it damages an existing production culture. But my observation is that what the Foundation was as a service center for projects and chapters years ago, that culture is lost anyway.)

I see the 50 usd issue as a part of a deeper crisis in OWASP. The core of OWASP are leaders with all their diversity (the phenomenon which we are supposed to focus more nowadays). Instead the Foundation tries to push leaders into its simple concept of a well behaving leader. And as a result we eroded the very power of OWASP -- the spirit/enthusiasm of leaders. Cf Martín's case as a good illustration. And we also have other hidden conflicts eroding the core of the community which are leaders.

@W.Martín Villalba The story doesn't start here imo. This bright new parental / repressive approach has been established a couple of years now and we silently collectively accepted it. And it has to do with the bright managerial idea that OWASP was a too silly organization and it needed a shape compatible with the serious corporate world. Also I guess this coincided with many leaders becoming more mature and wanting the organization to be mature. At the same time Foundation employees started to parent leaders. Chapters are now handled as provincial branches of the metropolitan Foundation. I understand that I expose the story in a distorted way but imo the result we can observe now: a flipped OWASP with the Foundation becoming headquarters instead of the service center for chapters and projects as it used to be. (If we interpret it in the framework of organizational studies then nothing special is happening, any institution is prone to foster its self-importance leaving behind its original purpose.)

There was also a probably verbalized theory that leaders exploit their leadership in order to expand their professional self-importance. (Which is true but that's the essence of the deal imo, we invest our time and probably talents into the common good and get professional persona/career benefits as a calculated side effect.)

Or maybe I as a security person am just paranoid or the excessive years of keeping my leadership position distorted my understanding. 🤣 (Actually I'm leaving my position soon.)

So yes $50 is a serious thing, keeping your Official chapter .md is a super decisive thing. But since the Foundation has no means to meter the professional performance of a chapter and your recent contribution they rely on phenomena observable for them. Bureaucracy won over common sense.

When I refer to 'repressive' above I also refer to the recent suggestion that denounced leaders will lose their @owasp email with freaking 7 days if they do not pay 50. Letting it be like a 3 months deadline would not hurt the OWASP budgets but be a kind of respectful to leaders. Just because leaders are the core of OWASP in the first place and not freeriders of the free leadership benefits (and not reporting to clerks in the Foundation).

Regards,
Timur 


W.Martín Villalba

Apr 8, 2021, 4:08:00 PM
to Timur X. kHrotko, Azzeddine Ramrami, Jim Manico, azzedine...@owasp.org, Leaders, Andrew van der Stock, Joubin Jabbari, Sam Stepanyan, Lisa Jones, Haral Tsitsivas, Timur 'x' Khrotko [ddeu]
Hi OWASP Leaders,

I wanted to send a quick update after a good meeting I just had with @Andrew van der Stock.  After our conversation, Andrew and I seemed to be in agreement on the topic of memberships and where we should go with it.  The following is my personal understanding from my discussion with Andrew.

- Requiring a paid membership is part of the Foundation's bylaws right now but is not a good approach. It's prohibitive for some people / regions (e.g. some European countries and Latin America).  Paying for a membership doesn't mean you're a great member doing great things for the Foundation and our mission.

- While it's true that nearly all current Board members have lifetime memberships, that doesn't mean that they're doing great work as Board members. We all know that some Board members haven't been very active (some not active at all) and that there are other people in the community -- with / without memberships -- who have done a lot more work with much better tangible results.  So the concept of being a great board member with legit commitment to the Foundation should be decoupled from lifetime memberships.

- Since late last year we have complimentary membership which is different from honorary membership. Honorary membership is exactly the same as a paid membership, without having to pay.  Complimentary membership is the same as a paid membership with the following exceptions (a) you don't have to pay, (b) you have to be a Leader, (c) you cannot run for the board.  I personally think it makes sense to differentiate between someone who's earned honorary membership due to hard work over the years vs. someone who just became a leader, but this also comes with extra overhead for the Foundation (see below).

- Overall, the membership structure seems to be too complex now and it seems to have way too much overhead for both members and the Foundation. Andrew and other Board members are working on simplifying this structure and possibly/hopefully removing some of the many restrictions related to memberships / running for the Board.  There will be some discussions around this in May's Board meeting.

- For my particular case and anyone else in a similar situation: if you have an honorary membership that will expire late June, you can still run for the Board if (a) the bylaws are changed during the Board meeting in May, or (b) you just pay for a regular membership early June, before your honorary (or regular for that matter) membership expires.

I hope this info is useful for the rest of the community, and look forward to the next steps to improve this aspect of the Foundation.