Update on the bylaws


Andrew van der Stock

Thursday, August 25, 2022

The OWASP Foundation is currently updating the bylaws because the existing bylaws are not valid. We have received a draft that we believe is ready to be approved, but we are still waiting on the Board to hold an Executive Session on the status of fees and membership privileges.

Once we have clarity on the status of members’ fees and privileges, the process of ratification can begin.

Please review the draft OWASP Bylaws

Please review the following bylaws, and please let me know if you have any questions. I’ll update this post with any great questions from our community.

Why is this necessary?

As part of policy reform, I had the bylaws reviewed by our new lawyers. They pointed out that along with our certificate of incorporation, Directors didn’t have the right to amend the bylaws, only OWASP Members.

When the OWASP Foundation was founded in 2004, the Certificate of Incorporation did not bestow the power to replace or amend the bylaws upon any Member class. Under Delaware General Corporate Law (DGCL), by default, this right remains with the Members and cannot be removed.

For the first two years, the only Members were the initial Directors. The 2004 bylaws had no Membership provisions, so it’s unclear if anyone was a Member or Director until 2011 other than the founding Directors, despite taking paid memberships since 2006 for individuals, educational institutions, and corporate supporters.

The 2011 Board replaced the 2004 bylaws, which they did not have a right to do.

Various Boards have amended the bylaws over 50 times since 2011, including various non-compliant clauses, substantial changes to the way elections are held, and Director qualifications, which is a red flag against fixing the current bylaws. Additionally, some member classes should still exist because they were never officially abolished, and others shouldn’t exist because they were not in the bylaws, such as student members.

We need to fix this by starting afresh.

What are we doing?

We have started afresh with template DGCL bylaws provided by our lawyers and formed a Board review sub-committee. I have conducted extensive legal consultation to ensure that these bylaws are legal and their adoption will be valid under the law.

Our legal advice gives three options for the legal ratification of our current bylaws:

  • Ratification by prior and current Directors; or
  • Ratification by a majority vote of all current OWASP members; or
  • Petition the Delaware Chancery Court to replace the CoI and bylaws.

We are going to try each option in turn, but my hope is that we will succeed by unanimous consent of all prior Directors, as it is just unlikely that we will have 3000+ members vote for any matter, let alone something as dry as a bylaws update.

There will need to be changes made to OWASP policy to ensure that the bylaws do not need to be amended quite so often - preferably not at all. The key changes will be:

  • Membership policy will describe all classes of membership, including leaders and complimentary members
  • Election policy will describe the process for amending or replacing bylaws by members
  • Committees policy must be aligned with membership policy and bylaws, particularly around voting procedures for officers
  • Add Board signing limits to the Signatory policy
  • Create an intellectual property (IPR) policy that makes our commitment to open source and free and open licensing official.

Next steps

  • Engage with our community with blog posts and social media about the status of this process
  • Contact all current and former Board members. We’ve not heard from everyone so far, so we need to ensure that they are engaged
  • Set up a vote with wording to be advised by our lawyers. We will use Simply Voting as per our current Board process.
  • Run a 30-day vote. This gives everyone an adequate chance to discuss the bylaws and vote on them
  • Announce the results to our community.

If the vote does not pass, work on the next phase, which is a vote of our entire community. We will know this towards the end of September.

If you have any questions, please contact me at [email protected] or make an appointment with me at https://calend.ly/owasped