Code of Conduct
Adopted by the Board of Directors on September 25, 2024
Participation in activities of The OWASP Foundation (“OWASP”) is conditional upon each such participant adhering to the requirements of this Code of Conduct. Accordingly, by participating in OWASP activities, each individual doing so agrees that when so participating and in connection with OWASP activities, such individual will comply with the following:
Conduct Generally
- Comply with all applicable local, state, provincial, or federal laws of the United States, the European Union, and other jurisdictions, including but not limited to applicable United States and European Union trade sanctions, export control laws, regulations and rules, and antitrust and competition laws
- Comply with the highest ethical principles
- Not engage in any activity that results or reasonably could be expected to result in liability or harm to OWASP or cause OWASP to violate any applicable law, regulation or other legal requirement, including as a result of activities such as use of OWASP materials, publications, or software developed in a OWASP project, or your involvement in any OWASP activities
- Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of any OWASP activities
- Promote the implementation of and compliance with OWASP standards, procedures, and controls for application security
- Discharge all responsibilities with diligence and honesty
- Communicate openly and honestly
- Refrain from any activity that might constitute a conflict of interest or otherwise damage the reputation of employers, the information security profession, or OWASP
- Maintain and affirm the objectivity and independence of OWASP
- Reject inappropriate pressure from industry or others
- Not intentionally injure or impugn the reputation or practice of colleagues, members, or employers
- Treat everyone with respect and dignity
- Not violate OWASP trademarks, copyrights, licenses or other rights
- Provide proper attribution to avoid plagiarism and copyright infringement, both within and outside of OWASP
- Ensure work submitted to OWASP is entirely yours and not copied, whole or in part, without proper attribution or permission
- Abide by all provisions in all applicable OWASP organizational documents, agreements, and policies
- Not engage in harassment or any other intimidating, discriminatory, abusive, derogatory, or demeaning behavior, conduct, communications or actions. “Harassment” includes, but is not limited to, any behavior, conduct, communication or action that a reasonable person in similar circumstances would consider unwelcome, intimidating, hostile, threatening, violent, abusive or offensive, and may be related to gender, gender identity and expression, sexual orientation, disability, national origin, race, age, religion or other matters; “harassment” also includes stalking, unwelcome following, harassing photography or recording, sustained disruption of talks or similar activity, inappropriate physical contact, and unwelcome sexual attention
- Avoid relationships that impair or may appear to impair OWASP’s objectivity and independence
- Avoid any self-dealing or the appearance or actuality of a conflict of interest. For more information, please refer to the Conflict of Interest Policy.
Reporting violations of this code of conduct
If a participant, member, Director or staff member has violated this code of conduct, please refer to the Whistleblower and Anti-Retaliation Policy to report the issue to a Compliance Officer or the Executive Director.
Sanctions
The Executive Director can suspend participation in OWASP for up to 30 days for perceived or actual breaches of this Code of Conduct or applicable law. Depending on the severity of the breach, the member or participant may be subject to longer suspension or other sanctions, including termination of participation or membership, by decision of the OWASP Board of Directors (“Board”).
For first time Code of Conduct breaches, where no violation of applicable law has occurred:
The member or participant may be subject to temporary suspension imposed by the Executive Director for all OWASP participation for up to 30 days. Membership will not be extended to cover the suspension.
For repeat or serious breaches of the Code of Conduct, or where a participant has been charged with a crime:
The Executive Director must suspend the member and refer the matter to the Compliance Team. The Compliance Team will then independently evaluate the matter and recommend to the Board either no action or proposed sanctions, which may include (but are not limited to) revocation of leadership position(s), participation, membership privileges and/or membership. The initial suspension will remain in place until after the Board votes on the matter.
If the Board decides to take no action: (a) full participation will be reinstated and (b) if the suspended participant was a member, their membership will be extended for a period equal to the duration of the suspension.
Transparency and Oversight
To provide transparency and oversight, the Executive Director will inform the Board of the actions being taken in connection with sanctions, including by informing the Compliance Team as required, providing applicable Compliance Team recommendations to the Board, and in concert with the Board, scheduling a Board vote as necessary. Referrals, reports, recommendations, and decisions made by the Executive Director, Compliance Team, or Board will be stored and kept confidential for a period of seven years.