OWASP Members - submit your views to our bylaw survey for a chance to win an AppSec Virtual or AppSec Global pass


Andrew van der Stock

Tuesday, April 12, 2022

Recently, we received legal advice on the upcoming Leaders as Members bylaw and policy changes. Long story short, we may need eligible OWASP members to vote to approve a new or updated certificate of incorporation and bylaws. The required changes are so extensive, that we may need to replace our bylaws with much newer ones. Therefore, OWASP is consulting with OWASP Members on our bylaws’ membership classes and their rights, privileges, and powers.

Bylaws and membership rights are both incredibly important and yet incredibly boring unless you are a policy wonk. To encourage survey submissions, the OWASP Foundation is offering a prize to three randomly selected OWASP members who complete the survey: a pass to any OWASP Global AppSec conference held in 2022, including the OWASP 2022 Global AppSec Europe Virtual Event, the OWASP 2022 Global AppSec AsiaPac Virtual Event, and OWASP 2022 Global AppSec San Francisco. See the conditions of entry below for the fine print.

When life gives me a lemon, I always look to make lemonade. This is our chance to update, standardize, and become fully compliant with the updated Delaware General Corporation Law. The Board could also decide to simply make our current bylaws work, but this is likely to take longer and be more expensive. Regardless of whether a member vote is required to approve changes, I believe our bylaws must be agreeable to, and likely approved by, OWASP Members.

Call to action - please take the survey

Today, we are asking OWASP Members their views on our membership classes and their rights, privileges, and benefits. THIS IS A NON-BINDING SURVEY

  • Who should have the right to amend or replace the bylaws?
  • Which OWASP Leaders should be required to be financial OWASP Members?
  • Do OWASP Members support a single Individual Membership class with all the current rights and privileges given to Student, One, Two, Lifetime, and Distinguished Lifetime Members?
  • Do OWASP Members support non-financial membership, and if so, what rights and privileges?
  • Do OWASP Members support existing Corporate membership rights and privileges?

OWASP Members, please log in to your owasp.org email address and take the survey here: https://forms.gle/Vf9A96KvSjCQzTwf7

Troubleshooting

  • If you are a member, but don’t have an owasp.org email address or can’t remember if you do, please use Manage Your Membership to send a link to provision or reset your password.
  • If you are not a member, please join OWASP today.
  • Some managed Microsoft email services, including Outlook.com, Live.com, and Hotmail.com, seem to be blocking some members from receiving the OWASP Manage Your Membership email. If you use one of these platforms, please check the spam folder. Please mark it as Not junk so that eventually mail will be received by Members using these Microsoft managed email platforms. If you still can’t find it, please try using another email address first, or please log a support ticket. Due to the manual process involved, it might take up to 14 days to get back to you, which means you may miss the deadline for this poll.

What’s the rush, why now?

Changes must be approved before the next General Board election is called, as the bylaws and Election policy govern this process, and the Board composition, method of election, qualifications, and rights and powers must be certain. Additionally, the OWASP Foundation wants to implement likely membership classes, dues, and business rules in our new AMS very soon.

What’s next?

Once the Board has received legal advice, decided on the process, and considered your inputs, any changes or votes will be communicated. The Board will hold a series of town halls to gather additional Member input. Any new or revised bylaws and policies will be available to all Members per the Policy Review Process. If or when a ballot of eligible Members is necessary, we will use our standard voting platform (Simply Voting). Ballots will be sent to eligible voters, so if you want to vote, please opt in to OWASP Foundation communications in the Membership Portal. Please keep an eye on your owasp.org email for updates and your individual ballot.

Why do we need to do this?

We need to simplify and clearly define OWASP membership classes, rights, qualifications, and privileges. I’d prefer to have just three membership classes: Individual, Corporate, and, if legally allowed or aligned with good governance practices, Complimentary Members. We will need to move some settings out of the bylaws, and synchronize other settings with the relevant policies to eliminate ambiguity or confusion. As just one example, OWASP’s bylaws and policies are sometimes conflicting or ambiguous, such as Complimentary Membership being granted to event leaders in the bylaws and taken away in the Events policy. As the bylaws take precedence, Complimentary Membership is enshrined for active Event leaders, but our automation, and often the outcome of support tickets, produce a different result. You see the problem.

I hope we become a standard membership organization, one that’s well understood by donors, grant makers, and so on. I’ve donated thousands of hours to OWASP over the last 20 years. That said, I understand and respect those who disagree with my belief that anyone supporting OWASP’s mission should be a financial member, but I’ve tried very hard to make this survey not a “push poll” that pushes my particular biases. For example, I’ve set the survey up to randomize the order of responses, to prevent the “donkey vote” from winning on the off chance of a prize.

OWASP, like all membership organizations, must clearly and simply define our membership classes, and any qualifications, rights, or privileges. Historically, there’s been little difference in these rights and privileges, but some are more risky or less compliant than others. The resulting changes may require approval by “eligible” voting OWASP Members. We don’t yet know who these “eligible” members are: members within the definition of the original member classes back in 2006, financial individual members, new financial classes and existing financial Individual members, or more simply, just all Members. Once we know who is eligible to vote, the results will be anonymized, filtered, and presented to the Board.

Biases and how I tried to address them

The questions are asked in the order you see them, but every single answer option is shuffled so that there can be no leading questions or push polling. This means there are around 4096 possible permutations of the answers, so it’s unlikely any member will see the same order of answers as any other. This means you need to read each question and its answers carefully; otherwise, if you answer “A” or “B” for all questions, the result is unlikely to be the one you want for OWASP. That said, some of the permutations don’t make any sense at all, for example, allowing non-members to stand for the Board. What we are doing is independently asking for each membership class to be approved, along with their voting rights and their eligibility for the Board or Committees. Additionally, as Members will likely need to approve the overall bylaws, we would like to know who should have that power, and lastly a bit more detail on what type of membership leaders should have.

We all have bias, and being aware of it and taking steps to protect against it is essential for gaining trust and good governance. This process is not about me. It happened on my watch as ED, so it falls to this Board and myself to resolve twenty years of technical/legal debt, with a result that the majority of members will agree with.

Bias is understandable if you are human. Bias is not an issue if you live one of OWASP’s core values of transparency. For over 20 years, I have passionately supported OWASP through thick and thin. I’ve promoted and advanced our mission. I am a Lifetime member. I have donated thousands of hours freely in my time as multiple flagship project leader, ex-Global Board Member, and occasional chapter leader. I am now lucky enough to be leading OWASP to the next level.

Some of the choices available to the Board advance our mission, others less so, and some outright expose us to unnecessary legal or governance risk. Despite all that, I am not here to get free cookies or a pat on the back, but to simply fix the issue in a way that satisfies the law, leading governance practices, and is OWASP-like by respecting prior policy settings. No matter what the survey says or what the Board chooses, I will respect the outcome, even if I disagree with it. Any biases in the wording or questions are mine alone.

If you have any questions, please reach out to me. We will be keeping OWASP Members informed of any progress on these necessary bylaw changes, including any necessary votes.

Thanks,

Andrew van der Stock
Executive Director, OWASP Foundation

Conditions of entry

Conditions of this prize are held per the OWASP Awards and Scholarships Policy. The winners must be OWASP Members who completed the survey on or before April 20, 2022. Three Members will be selected randomly to win a complimentary pass to a 2022 OWASP Global AppSec conference program, keynotes, and vendor area. Winners will be announced on April 21 or shortly thereafter. Winners can choose not to be identified publicly. The passes are not transferable to another person or event, and as they are a prize, they are not refundable. Travel expenses are not included. The Member can nominate the event they’d like to attend.

Privacy

This is a non-binding survey. You must use your owasp.org email address to submit a response to this survey, which indicates you are an OWASP Member or Leader. After the survey is closed, your email address will be used to filter out ineligible membership classes, if any exist. Your email address will not be shared with the Board, other respondents, or third parties other than our lawyers (and only if they need it). Shortly after April 21, we will scrub email addresses as they are no longer required. Responses will be stored in a shared OWASP Google Drive controlled by the OWASP Foundation and only used for the purposes of updating the bylaws.