Several members of the management board of OWASP have been accused of financial mismanagement and bullying by a former employee.
In an email sent to the OWASP leaders list, former OWASP project program manager Samantha Groves, accused some OWASP board members of “mis-managing project funds” and of using “sexually aggressive and offensive, gender specific language against her in front of my co-workers, other board members, and volunteers”.
Specifically name-checking board members Jim Manico, Josh Sokol, and Eoin Keary, she accused them Manico and Sokol of criticising her, and Keary of the mis-management of finances.
In her email, Groves said that there was a chronology of unwarranted criticism and she was asked to resign her employment after making complaints. She said: “This is why I resigned, from my perspective. Just as one board member encouraged a volunteer to share her frustrations, I feel I have the same right to share mine.”
She said she would change her mind on issuing a civil lawsuit against the board, but demanded a “sincere, public apology from the OWASP Board for your gross misconduct against me, your inappropriate, condescending, and outright un-justifiably aggressive behaviour towards the OWASP staff, and for wasting the OWASP community’s time instead of doing what you were elected to do which is to set a strategic direction for this company”.
She also asked for an open, respectful, discussion about what happened between the OWASP board members, the OWASP community, and the OWASP staff. “If I get an agreement to the items from all members of the OWASP board, then I promise to drop the charges I filed against you,” she said.
“I want OWASP to get to a point where we can have open honest discussions with one another that are respectful, professional, and devoid of malice and vindictiveness. That is the only way this community is going to grow and change for the better, I feel.”
The most recent incident was on Monday May 28th, when members of the board asked the executive director to send Groves her termination agreements where they asked her to waive her rights to sue them for damages, and waive her rights to the complaint submitted on April 30th. “They also wanted me to remain silent about the details listed above. They offered me money in exchange for the waiver of my rights. I declined the money and pressed charges.”
In an email seen by IT Security Guru, Manico said to Groves that he did not attack her personality, but this was a professional concern “and a very serious one”. Sokol said in another email that as “much as we all would like to think that Samantha is a brave whistleblower who is trying to right the wrongs of our organisation, this letter is effectively a ‘Plan B’ of slander when her prior attempt at extortion and blackmail is failing due to a lack of supporting evidence”. He said that OWASP is preparing a response and its lawyers believe that it will be dismissed.
He said: “It’s difficult to follow Samantha at this point because her claims keep evolving. At first, it was a complaint made against Jim (to Michael and Sarah) for his public lashings of her performance on the Leaders list. This complaint was escalated to the Board and in true OWASP fashion we suggested mediation at the upcoming AppSecEU
conference between Jim and Samantha by a professional, third-party, mediator.
“That solution was accepted by both parties and we were quite excited that our open, honest, and peaceful OWASP-way would prevail. Shortly thereafter, Samantha submitted her resignation and mitigation was no longer an option. At this point, the complaint has been turned over to our compliance officer (Martin Knobloch). He is tasked with investigating the claims in the complaint and providing a recommendation to the Board. It is certainly not any of our desires to have this issue dropped or ignored.
Sokol said that Groves “has a lot to say” and that “her story keeps changing” and while he regretted the outcome and stated on record “that I don’t feel that the board has done anything wrong in this situation”.
In emails to IT Security Guru, Keary said that the information is incorrect, inaccurate and slanderous, and it was “seeking legal advice”. Manico said that he went to Groves privately about the matters, but was ignored and to her boss “who politely brushed it off”.
“Then I took the issue to the leaders community, the leaders largely agreed with my concern and Samantha’s boss then asked Samantha to revert her decision because of it,” he said. “Samantha was seething angry at me for this, but I’m a technical board member and oversight of these matters is my legal responsibility.
“I do not feel like I was a bully; both I and Samantha’s own project council warned her that her actions were bad decisions but she ignored everyone who critiqued or disagreed with her. This is a sad and hurtful matter to everyone involved.”
Sokol said: “It’s quite the unfortunate situation that we’ve found ourselves in. While we had the option to simply pay up and move along, the Board determined that seeing it through was in the best interests of our organisation, and did not meet Samantha’s demands. OWASP’s mission is application security and that will always be our core competency, but we also recognise the need to be a stable employer for our staff.”
