CRS Expense Policy
This is a guideline and procedure for how we plan to spend money within the CRS project.
We are getting 5-digit sums of sponsorship money and we need a bit of a guideline. Everything is new as of this writing, so we keep this brief and simple for a start and see if it is good enough. If not, we'll improve it as we move along.
Our project funds are with OWASP.
OWASP has an expense policy that we need to follow.
This expense policy is supervised by OWASP HQ and they won't pay out without checking their expense policy and without approval. So we do not really have to fear that somebody runs out the door with cash in hand.
OWASP does not run separate accounts for separate projects anymore. We tried to get a separate account, but to no avail. Instead there is now a big expense pool and projects will be paid out of this pool. This is a somewhat troubling situation. But then it's also very clear how much we contribute to this pool. So should we be denied, we have the books on our side.
Countless discussions happened between Christian and OWASP HQ before CRS received the first real sponsorship in 2021. A lot was very fuzzy, spread across calls, countless emails and chats, very little was ever confirmed, and the aforementioned expense policy was not yet adopted. CRS decided to play along because the window for the first sponsor was closing. So we are under a new policy and will see how it develops. So far, there has been no problem with getting expenses approved, outside of the administrative overhead.
We also talked to Harold Blankensmith from OWASP on 2021-09-15 and he confirmed that it is well understood within OWASP HQ that we brought this money to the pool. So although it is not formally restricted to us, it is still meant for us to use.
Given there is a safety net (and additional administrative overhead!) by OWASP, we can simplify and speed up things within the project. We would like to avoid a lot of formalities, because they add even more administrative overhead to implement properly and it could slow everything down. Here are the rules.
- The CRS expense policy follows the current OWASP expense policy.
- The CRS project leads have authority over the project's spending.
- The CRS project leads decide unanimously on expenses regardless of the sum. If the project leads disagree, the expense is blocked.
- The CRS project leads will consult with the CRS developers for expenses over 250 USD. The project leads are advised to consider the opinion of the developers, but the opinion of the developers is not binding.