Conference Profit Sharing Split Rationale

In 2010 after the establishment of the membership split between the OWASP Foundation and OWASP chapters questions began to arise regarding a potential split of OWASP event profits with local chapters. Prior to 2011 (with the exception of AppSec EU 2010, which was a pilot case for sharing, and AppSec DC, LASCON and AppSec USA 2010, which received retroactive payments due to some inconsistencies in communications for the OWASP Operations Director) the conferences committee was not sharing any conference revenues with the local chapters who host the events. The following chart (current as of June 1st 2011) shows the actual distribution of funds to chapters as a result of conference revenues. The AppSec EU 2010 event, which was the pilot for sharing, was governed by the membership split percentage, 60% to the foundation 40% to the local chapter. AppDec DC, LASCON and AppSec USA 2010 were governed by the currently enacted policy.

As you can see AppSec EU had a very significant profit for the local chapter. The conferences committee took this under advisement when debating it’s final policy on the matter. It is important to note that the revenues that OWASP makes from conferences that allow the foundation to fund all aspects of it’s operations, projects, chapters as well as some of our most successful outreach activities such as the summit. Last year conference income accounted for 77% of OWASP's annual income and brought in a total profit of $240,399.71. To provide some perspective, OWASP's overall net income in 2010 was $4,972.63, so without significant conference revenues the OWASP foundation would be in position of significant financial loss and would not have the resources available to fund it’s operations or any other strategic initiatives.

The OWASP foundation does not make a significant amount of money, yet it still manages to do some very big and important projects/events. The heart of the matter here is who within OWASP should be the primary allocator of the limited funds OWASP has, the foundation or chapters. As an example Take the 2011 Global summit, arguably the most successful summit OWASP has had and it was funded almost completely by the foundation. The Summit was a huge success, and arguably everyone in OWASP supported the event, however the costs for the summit were not as equally shared.

The total cost for the summit was $198,620.74. The OWASP foundation did not have sufficient funds to cover all the costs of this event, and as a result turned to chapters (and in a very limited way, sponsors) for help in paying the costs to put on the summit. Of the call for assistance to chapters a full 41% of chapters did not even respond to the request (by not responding, they forfeited their entire budgets for a total of $7,999.71), 28% responded but provided $0 funding to assist the effort. In the end only 35 chapters, 29%, decided that they would help support this audacious occasion and provided a total of $10,387.57 to support the overall effort. As a result the OWASP foundation provided $180,343.46 while chapters provided $18,387.28 (44% of which was forfitature). It was clear however that chapters did think that the Summit was a worthwhile and important event, this was made clear by the $26,068.31 they spend sending members of local chapters to the event. A full 142% more than they were willing to donate to the cause. This is not to say that chapters are bad in some way, just that their interests are more local and not as broadly focused as the foundation as a whole. Had the Summit finances been left solely to chapters to provide, there would have been no summit. The Foundation Board and the Global Committees are tasked with the stewardship of the foundation as a whole and have a broader interest. While I agree it’s important to empower chapters and local leaders to make smart decisions and as a result the GCC has provided, for the first time, profit sharing for local chapters I do not believe that we should provide the chapters with too much of the foundation’s overall resources otherwise OWASP will not be able to do some of the bigger things.

There has been much talk of overturning the current conferences committee policy in favor of a policy without any caps. I believe this would create a series of challenges for the OWASP foundation. First, implementing such a policy would put a significant amount of resources in a few local chapter budgets, potentially starving the foundation. With the current policy in place, profit sharing for 2010 would amount to 5.19% of ALL OWASP INCOME ($25,008.47) for 2010, by eliminating this cap this number jumps to nearly 10% ($62,992.56) putting an additional $37,984 (151.88% increase) into chapter coffers. This is money that can not go to funding that really great project that college student wants to work on, getting Kate and Paulo that much needed raise, expanding OWASP outreach activities at developer conferences or going to our ability to host another Global Summit in 2 years. You might say, well the chapters who receive the benefits can do all that but the majority of this this huge additional profit would be clustered in only 2 chapters (getting an additional $35,976) as illustrated in the graph below.

As you can see, the perceived notions that conference profit sharing caps discourage chapters from hosting events is really untrue, all they do is create a more equitable distribution of the profit sharing by eliminating “windfall” incomes for a very few chapters that host Global AppSec events in the US or EU and ensuring that the foundation has the resources it needs to continue the mission. While I recognize that the local chapters do most of the event planning and coordination work it’s important to also remember that the OWASP foundation takes on all of the financial risk for these events. We are not discussing profit/loss sharing, only profit, all losses are absorbed by the foundation. As you can see in the source data, many events only cost money, they do not make it and by implementing the caps, we are ensuring we do not create a rich chapter/poor chapter condition inside of OWASP.

Conferences and their profits are what make OWASP possible without these funds we could not put on events like the OWASP Summit (total cost to the foundation was $224,799.05, only $44,095.65 came from chapters in the form of donations, individual travel sponsorships, or forfeiture).