May 2021 Videoconference

Board Meeting Minutes

Meeting Details

Agenda

CALL TO ORDER

CHANGES TO THE AGENDA

APPROVAL OF MINUTES

Vote

  • Grant Ongers - Yes
  • Joubin Jabbari - Yes
  • Martin Knobloch - Yes
  • Bil Corry - Yes
  • Vandana Verma - Yes
  • Sherif Mansour - Yes

Passed: 6-0

REPORTS

Staff reports, including Executive Director and Finance, can be found after the agenda.

Organizational KPIs

| KPI | May | Delta |
|---|---|---|
| Members | 3,899 | 19% YoY |
| Page views | 4,180,000 | changed measure |
| Meetings | 76 | 36.38 above annual average |
| RSVPs | 2,087 | 61.52% of annual average |
| OSD SLA | 100% | 4.21% above annual average |
| NSFR SLA met | 97.8% | 11.41% above annual avg |
| YTD net income | (20,935) | April 2021 |
| Cash assets | $USD 1,124,501 | April 2021 |

KPI Summary

Finance Summary

NEW BUSINESS

Motion to approve the Events Committee - TABLED

NB: this may need to be tabled until June pending a status update from Owen Pendlebury.

Background: The Events Committee will assist leaders and participants to hold high quality local and regional activities and events. It will assist the Foundation with maintaining a program committee, and assist with sourcing and organizing volunteers and so on for global events. The Committee will also advise the Board on the Events and associated policies, along with maintaining Events in a Box, and improving virtual, local, and regional budget templates and processes. There are representatives from the Events Committee here today if you have any questions.

Motion: “Resolved, the Events Committee is approved with the above charter.”

  • Sponsor: Grant Ongers
  • Second: Sherif Mansour

Motion to approve the Foundation to apply for an EIDL loan of up to $150k USD

Background: The US Government’s Small Business Administration’s Economic Injury Disaster Loan program is a low cost loan facility for small businesses and non-profits. The purpose of applying for this loan type is to ensure that we have spare funds to ensure that we can weather the economy long enough to become profitable again in our own right. The loans are inexpensive, around $5500 per year in repayments over 30 years, and can be repaid early with no penalties. If we choose not to use the funds, we can simply pay the funds back. Below $150k, the EIDL compliance requirements are far less, and we envisage that this should be sufficient to see us through. We would use them on paying the large deposits and installments for AppSec Dublin 2022, AppSec San Francisco 2022, and LASCON 2021, all of which are due to be paid by May 2022. These deposits and installments far exceed the $150k of the loan, and the EIDL loan will ensure that these usually profitable events can take place, and smooth our cash flow during what is normally a very income sparse H1 2022. Assuming AppSec Dublin and AppSec San Francisco are profitable as per our global events typical profitability, we should be in a position to repay the loan partially or fully in late 2022, or early 2023.

Motion: “Resolved, the Foundation is permitted to apply for an EIDL loan, to the maximum value of $150k, to be paid back per the loan terms of up to 30 years at 2.7% APR. The loan shall be earmarked to pay for event expenses, primarily event location deposits and installments.”

  • Sponsor: Sherif Mansour
  • Second: Grant Ongers

Vote

  • Martin Knobloch - Yes
  • Grant Ongers - Yes
  • Joubin Jabbari - Yes
  • Bil Corry - Yes
  • Vandana Verma - Yes
  • Sherif Mansour - Yes

Passed: 6-0

Motion to approve the updated Conflict of Interest Policy

Background: The Conflicts of Interest Policy is a necessary element to provide integrity to many of OWASP’s policies and processes. The Conflict of Interest policy was written primarily by Schwabe lawyers, with a re-write of the frontispiece by Andrew van der Stock. So far, no comments have been received.

Motion: “Resolved, the Conflict of Interest Policy is approved.”

  • Sponsor: Grant Ongers
  • Second: Bil Corry

Vote

  • Martin Knobloch - Yes
  • Grant Ongers - Yes
  • Joubin Jabbari - Yes
  • Bil Corry - Yes
  • Vandana Verma - Yes
  • Sherif Mansour - Yes

Passed: 6-0

COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS

ADJOURNMENT

Adjournment motion

The next general Board meeting is on June 22, at 12 pm US Eastern Time.

“It is moved, and seconded to adjourn. Those in favor, say “aye””

  • Sponsor: Sherif Mansour
  • Second: Vandana Verma


Staff Reports

Executive Director

This month has been a busy month, as always, but not necessarily on the next thing in our priority list. I appreciate the Community’s forbearance on the continuing Chapter Re-activation program, but this highlights in the most visible way the need to automate this process to BAU with inbuilt empathy.

The top of mind has been the Chapter Re-activation program, which has given life back to many, many chapters that were all but defunct. However, deeper inspection of many chapters highlighted there is a policy gap. We will continue to address our processes, in particular by:

a) automating detection of inactive chapters, with these results sent to the leaders of the relevant chapters
b) automating detection of broken chapters (done)
c) A way to ask for an extension if life happens
d) Build a BAU inactive chapter tool to ensure that chapters are made inactive based around the policy, but with plenty of advanced notice for leaders (up to 90 days) with the goal to replace inactive leaders, rather than shuttering the chapter
e) Ensure that de-activated chapter pages are still visible on owasp.org, but their Meetup will be suspended. Our quarterly bill now approaches $11k, and suspending Meetup helps immeasurably.
f) A retrospective to be held in June to discuss how to improve this process, which is due to be automated later this year

Progress has been made on the trademarks initiative, with applications for OWASP, our logo, AppSec Days, and Global AppSec being applied for under the Madrid protocol in 13 countries, and separately in Chile and Argentina. There is a 7 month period before they are likely to be fully registered, but we will have priority as of our filing date. I will continue to develop the trademark program in concert with an updated Corporate Membership program, which will incorporate a trademark license at most levels.

The Corporate Membership review has identified that we have lost sponsors due to the $25k limit, and it costs us a lot of goodwill when we are arguing about the company’s income, which for many organizations is difficult, especially those who are a part of large multi-nationals. I am strongly in favor of abandoning this in favor of a three tier system with different benefits. I will be presenting this at the June Board meeting. As this is operational, I will not require approval, but I would genuinely love to have Board feedback during the development of the Corporate Membership program.

The surprise announcement from the US Government Center for Disease Control on incentives for fully vaccinated individuals has been widely misinterpreted as “no masks for everyone.” It is not. Their actual message is “It is safe for vaccinated people who feel comfortable in not wearing a mask to do so, and they can return to normal life.”. This guidance specifically excludes unvaccinated and partially unvaccinated individuals. They specifically state that “You will still need to follow guidance at your workplace and local businesses.”, which means we can set our own masking policy, which as a global organization is good, because the situation in the USA is very different to most parts of the world. I am asking for community input into a revised in person meeting task, and will likely fall into “If permitted in your local area, and if you are vaccinated, and you feel comfortable returning to in person meetings, you can do so following local masking and PPE guidelines.”. However, the question of how do we know (or even if we should) validate vaccination status is an open and very thorny question, as we know some identify as vaccinated and are pugilistic about it. I don’t want OWASP to collect or process any health data. I am meeting with MeetUp this coming Wednesday to discuss a privacy respecting option that advises participants that they should only attend if fully vaccinated and they accept the risk of attending in person. For the time being, we must continue hybrid and online only meetings.

Action: Andrew will get a quote from the lawyers on how much it will cost to update our bylaws.

Finance

Below is the PRELIMINARY write up for Apr 2021.

Attached, please find the preliminary OWASP Combined (converted to USD for all reports) financial pkg for Apr 2021 which represents financial performance through the 4th month of Fiscal year 2021. I have included the 2021 Approved budget which I have spread on a monthly basis.

I have also altered the Board summary to match the categories that the new FY 21 budget highlights.

As this is the April 2021 fin pkg, I have added Q2 2021 (which is the month of April, actual vs bud and will continue this through the rest of Q2).

Income Statement

  • Revenue: On an accrual basis, total revenue, YTD was $308.5K as compared to the budget of $238.8K. The results are Better by $69.7K, with Conference, Donations and being over budget by $25.1K and $38.2K and $29.5K, respectively. While Merchandise, and Trademark income were a combined <$23.2K> below budget YTD. On a quarterly basis combined Actual was better than budget by $6.3K with only Merch and Trademarks under budget.
  • Expenses: Total spending YTD 2021 is $342.8K which is LESS than the YTD Expense budget of $391.8K by $49K due to Chapters, Outreach and Project expenses are UNDER budget by $61K offsetting EDU, WIA, Events, Fundraising and G&A (the majority of the overage is Legal expenses), which combined is over $12K (individual accounts have minimal overages). On a quarterly basis Actual expenses were $15.8K UNDER Budget as all depts were under budget except for minimal overages in Events, WIA EDU and Fundraising most likely due to the allocation of Staff time for the qtr to date.
  • Net Income/Loss: YTD 2021 Net income, on a combined Accrual basis is Negative $34.3K which is Better than the YTD 2021 APPROVED budget of negative <$152.9K> by $118.6K. On a quarterly basis the Actual Net Income was Negative $20.9K which was better than the Budgeted Negative $43.1K by $22.2K.

Chapter Funds: US bal is $855.64 flat to 3.21 Bal. EU Ch bal is $64.6K (up 4K, from 3.21 bal due to conversion rate). US Proj bal is $219.K (Flat to 3.21 bal). EU Proj bal is $-9K.

POINTS of NOTE:

Continuing the narrative theme from previous months, as of 4.30.21 our cash position was $1,124.5K which is DOWN $15.7K from 3.31.21 cash bal of $1,140.2K. Our avg monthly spend for operations is roughly $82K including all payroll, which is still roughly about 11 months of reserve, which is very good in the current environment. If we remove AP and the PPP loan ($112.7K of PPP is in the process of being forgiven, however I will keep it here until it is) which totals $134.3K (down $13.9K from 3.21 bal) and is just over 1.6 months of reserve, taking us to an estimated 9.5 months of Oper. reserve, again a good number. Now the concern is the $1,130.1 (up $3.4K, from the 3.21 bal) of Ch/Proj balances. On a good note, Deferred revenue is starting to build up again at $122.3K, which is a little over one month of reserve. The open AR balance is $107.2K which is down $24K from 3.21 Bal due to collection efforts. Through Apr 2021 we are tracking a bit better than budget and we need to keep working on revenue while keeping costs down, while we are still in this no travel environment.

Chapters and Membership

Chapters Status

Chapter re-activation program is in full swing. AJV has allocated Dawn to assist Lisa in getting it back into BAU by the end of May. We have to draw a line under re-activations. Many high profile chapters were re-activated, including Gothenburg and others, which has led to changes in the way we are processing re-activations. AJV continues to meet with affected individuals to get them over the line. Nearly all have been re-activated.

  • 354 Total chapters in database
  • 135 inactive (so far)
  • 33 re-activated
  • 187 still to review (in progress)

Events and Corporate Support

Operations

  • We will be changing the OWASP mailing address to Virtual’s address
  • We are currently setting up a Business Continuity Plan
  • Meetup - cleaning up groups, so cost will be reduced
  • Chapters - helping Chapters to reactivate their Chapter pages

Projects and Technology

Projects:

Projects Status

  • 220 Projects
  • 8 New projects in the last 60 days
  • Project Committee is continuing its work on the Project Graduation procedures, Project Policy, and Contribution policies for projects.

Technology:

  • Email for members/leaders cleanup testing near completion; awaiting some housekeeping on chapters to finalize. Will begin communications notifying the community of this process starting the week of 5/24.
  • Membership Portal (members.owasp.org) in testing; limited feedback thus far. Expectation is to rollout by 6/1.

Action - Harold will send plenty of notice (social media, email, etc.) to community regarding the cleanup of OWASP email address.