New Articles of Incorporation and Bylaws for the OWASP Foundation!


Andrew van der Stock

Tuesday, July 9, 2024

I’m excited to announce that OWASP’s restated Articles and Certificate of Incorporation and new Bylaws have been approved by the Delaware Secretary of State. These documents are the foundation of our governance and provide the framework for how the Foundation operates. The new bylaws are the result of a comprehensive review and update process that began in 2021. The changes are designed to modernize and streamline the governance of the Foundation, and to ensure that we are operating in the best interests of our members and the broader community.

OWASP has had a very potted bylaws history. Our original 2004 Articles and Certificate of Incorporation did not grant the Board of Directors the power to amend or replace the bylaws. It also didn’t have any membership classes, and didn’t really allow for a change to the qualifications of Directors, such as being elected. This meant that members from the establishment of a membership program to now were not legally OWASP members, despite being treated as such. This also meant that the replacement 2011 bylaws were never legally valid. The 2011 bylaws were amended extensively by various Boards in good faith that they had the power to do so, but these amendments were also never legally valid. The 2011 bylaws are now replaced by the 2024 bylaws, which are legally valid. The current Directors and Board composition and qualifications, Members, and the Foundation are all now legally valid.

From around 2006 to 2012, OWASP was not officially an active business according to Delaware. This was news to me, and there doesn’t seem to be a lot of information around this, but it came to light when working on getting a Certificate of Good Standing. Luckily, Delaware did agree to revive OWASP in 2012, and now we’re back in good standing. The things you learn!

In short, we had a huge legal mess, and it took a long time to clean it all up. The process involved documenting all the changes to Boards since 2004, and ensuring that all the changes were legally valid by getting a restated Certificate of Incorporation and completely new bylaws that are compliant with the Delaware General Corporation Laws. This was a huge effort, and I want to thank this and all previous Boards for getting this done. I also want to thank our legal advisors at Gesmer who helped us navigate the process and ensure that we are now in compliance with the law.

The new bylaws are effectively a standard Delaware non-profit, member non-stock corporation’s bylaws, which should require minimal amendments, because all the policy settings must now go to policies.

The new bylaws include a number of important changes, including:

  • Compliant with the Delaware General Corporation Law (DGCL) changes post 2017, and the Internal Revenue Service (IRS) requirements for 501(c)(3) organizations.
  • Grants the Board the power to amend the bylaws for the first time in our history.
  • Ensures that all previous Board votes amending the bylaws and member and director qualifications are valid.
  • Establishes and confirms the composition of all previous Boards.
  • Ensures that members, and their rights and privileges, are legally in our bylaws for the first time.
  • Updated definitions and clarifications to ensure that the bylaws are clear and easy to understand.
  • Allows for remote Board meetings, despite this being how we operated for our entire history.
  • Removes a lot of policy and procedure from the bylaws … more on that in a bit.
  • Clarifies a lot of our foundational principles, including the role of the Global Board, the Executive Director, and the staff.
  • Clarifies that Complimentary members do not have a vote, which is consistent with legal advice for a membership non-stock corporation.
  • Fairer process for suspensions and terminations of membership.
  • The new bylaws also include anti-trust provisions.
  • Makes the Executive Director an ex-officio member of the Board, with no vote, but with the ability to attend all meetings and participate in discussions.
  • Grants the Board the power to dissolve OWASP if it is necessary to do so.
  • Many other changes!

The next steps are to update our policies and procedures to align with the new bylaws. This will take some time, but we are committed to ensuring that the Foundation is operating in a transparent and accountable manner. In particular, we need to work out how best to ensure that Director qualifications are consistent with our past practice, and to ensure that everyone who has a vote in the Foundation is a member in good standing.

We can finally move forward with long overdue policy reviews, probably starting with the expenses and travel policies, as well as revising the Chapters and Projects policy.