Leaders (Draft WIP)
This is a FINAL DRAFT having been reviewed by the OWASP Community and Policy Review Team.
Section 1: Core Principles
Leaders of Chapters, Projects, Committees, and other teams are the outward face of the organization. While it is a great privilege to serve as a leader in the OWASP Community, it also comes with obligations and responsibilies. Leaders serve at the pleasure of the larger AppSec Community.
- Conduct themselves, their group, and their group meetings in accordance to the Code of Ethics
- Provide sufficient notice of upcoming meetings, deadlines, and policy changes to the community
- Where necessary, openly share workplans and schedules with group members
- Document proceedings in an open manner or make them available upon request.
- Use good faith efforts to be inclusive in their group’s work items
- Follow these and other policies of the OWASP Foundation
- Take reasonable steps to protect participant data in any proceedings or participation
- Annually sign a Leaders Agreement that includes these Core Principles
Leaders shall not:
- Sign agreements on behalf of the OWASP Foundation
- Injure or impugn the reputation the Foundation, colleagues, staff, or Directors
- Collect or accept money on behalf of the OWASP Foundation for any purpose
- Authorize expenses that are in violation of OWASP Foundation policies
Section 2: Governance
Chapters, Projects and groups are overseen on an operational basis by the Foundation Staff and, ultimately, the OWASP Board of Directors. If the Foundation Staff or Board of Directors determines that a Leader has not complied with these rules, their status as a Leader may be revoked. Additionally, OWASP administrative access (including the leader’s owasp.org email address) may be immediately revoked.
Chapters, Projects and groups are not legal entities and are organized under the authority of the OWASP Foundation. As non-legal entities Leaders or members of Chapters, Projects, or groups cannot sign contracts, hold independent insurance, or transact funds independently of the OWASP Foundation. Groups operate with a great deal of freedom; however groups must abide by the Code of Conduct, Foundation bylaws and polices.
Leaders serve as the main point of contact for Chapters, Projects, and group and are responsible for ensuring the group complies with OWASP policies while fulfilling its mission and obligations.
- Publicly list their owasp.org contact information on the OWASP website.
- Consistently maintain OWASP website information.
- Be responsive to all requests.
- Commit to serve for a minimum term of 24 months.
- Encourage consensus in decision-making and when not possible administer voting among OWASP Members.
- Manage leadership appointments and changes in accordance with the relevant guidelines.
- In the case of Chapter, Committee, or group leadership, OWASP follows an elective representative approach; so fair and open elections for the leadership roles in these cases are required at least every 24 months to ensure that the leadership of those entities do represent the will of those communities.
- In the case of Project leadership, OWASP follows other open source initiatives in allowing project leadership to remain with the project initiator (or their successor, through whatever internal process) and to allow the forking of projects and then the relative popularity of the forks to determine dominance. A project that forks from an existing OWASP project can make an application to become a new OWASP project and potentially to even replace the original should that be in the best interest of the Foundation.
The Foundation strives to operate in a consensus-driven decision making environment. Groups are encouraged to negotiate a common ground with regard to decisions and policy. However, at times it may be necessary to vote on decisions. Only OWASP Members have voting rights and all matters will be decided on a simple majority. Due process is expected and stakeholders should be given sufficient notice of upcoming decisions which might require a formal vote.
Leaders are required to govern their group in accordance with OWASP Foundation policies. When there are violations, please follow the following hierarchy when escalating concerns:
- Bring your concern to the attention of your group’s Leaders or Leadership team.
- If you are unable to resolve at the local level, please contact staff through the Contact form.
- If staff is unable to handle your concern or you would like to challenge their feedback/decision, the concern can be raised with the OWASP Board of Directors.
If you feel an Code of Ethics violation has occurred, you may review the Whistleblower Policy for instructions on how to file a complaint.
Section 3: Administration
OWASP.org Email Accounts
Leaders will be provided an Owasp.org email account and shall use this address for all OWASP related matters. The email address of Leaders shall listed on the OWASP website. By using the OWASP email address, Leaders ensure vendor neutrality, protect their own privacy, and allow for identity portability within the OWASP community.
Leaders, along with support from staff, shall maintain their groups’ web page on owasp.org. The OWASP website shall be the primary authoritative information source for OWASP Projects and Chapters. Other services such as LinkedIn, Facebook, Twitter, Ning, etc. maybe used but are additive not a replacement for the OWASP website. A group’s webpage shall minimally include:
- Group leadership with contact information
- Link to the group’s Mailing List (Google Group)
- For Chapters, its Meetup Page
The OWASP Foundation uses Github to host group pages and content. Please use the Contact Us form if you need assistance with access to the OWASP Github repo. The Foundation will only review and update the policy page on owasp.org and leaders should review that page on a regular basis to be compliant with OWASP Policies.
OWASP Mailing Lists (Google Groups) shall be the primary and archival communication channel of OWASP group activites. Mailing Lists are discoverable, have open membership, and no posting restrictions; however, all participants shall follow the OWASP Code of Conduct. Violators of the Code of Conduct shall not be tolerated and displinary action, with consequences including up to expulsion from the Mailing List and suspension of OWASP Membership. Certain mailing lists for staff operations shall be non-public.
All social media channels used by OWASP groups must abide by the OWASP Principles and Code of Ethics. Any person who posts or moderates OWASP branded social media must execute and abide by the OWASP Social Media Agreement.
While the Leader, or in rare cases members may create Social Media accounts associated with OWASP Projects, Chapters, or groups and manage their day-to-day operations, credentials including passwords and recovery emails/numbers must be transferred when there is a change of leadership.
Group members shall not be required to sign up for any social media account to get access to meeting notices or other group information. Should a group choose to terminate its use of a platform, it should close the account and alert the Foundation using the Contact Us form. Abandoned social media accounts are those that have not had a post for over six months, and control of these accounts may be requested by the Foundation for termination.
Leaders can request the OWASP Foundation register a domain name for their Chapter, Project, or group. While discouraged, Leaders may register a domain name for their Chapter, Project, or group. Domain names must be transferred when there is a change of leadership for the group. In either case, custom domain names shall point to the corresponding page on the Foundation website for the group, and if maintained by a Leader, its use shall be registered with the Foundation.
Section 4: Meetings
Leaders shall host group meetings no less than four times a year, preferably at reasonable intervals. Chapter Meetings must be in-person unless prevented by local law or meeting guidelines. OWASP meetings are free and open to anyone for anyone to attend, regardless of whether the attendee is a member of the OWASP Foundation. All channels of communication must be free and open, not requiring a paid subscription to consume. This includes but is not limited to the OWASP Mailing Lists (Google Group), Meetup for Chapter Meetings, Slack, and with social media platforms like like Twitter and Facebook.
Leaders shall post notice of meetings no less than two weeks prior to a meeting. At a minimum meetings should be announced via two public communication mechanisms known to be regularly used by the Project, Chapter, or group.
The privacy of OWASP Members or meeting attendees must be protected at all times. Leaders shall not disclose names, email addresses, or other identifying information about OWASP Members or meeting attendees. Only aggregate statistics can be referenced. At the sole descretion of the attendee, they may share their own contact information voluntarily with third parties at meetings, such as in the case of Chapter Meeting raffle.
Proceedings of the OWASP Foundation including, but not limited to, Projects, Chapters, Events, and our website shall always maintain vendor neutrality (act independently). Leaders shall ensure groups maintain this non-commerical principle in our work.
Section 5: Finance & Expenses
From time to time in the course of a group’s activities, leaders may incur expenses which maybe reimbursable by the OWASP Foundation. Generally the Foundation will reimburse leaders for fair and reasonable expenses. Prior to incurring expenses, Leaders must review the Expense Policy for complete details.
- Participation in OWASP activities, except Conferences and Trainings, is free and at no cost.
- Leaders shall not accept finances/funds into any bank account other than the OWASP Foundation.
- Group finances and expenses shall be managed in a transparent fashion.
- Donations may only be processed via the OWASP Foundation Donation Form.
- Certain donations can be restricted or may be listed as supporting the group.
Leaders are encouraged to have supporters visit their respective Chapter or Project page and then click the DONATE button to connect gifts to their group. At the time of the donation, the donor may elect to attribute their gift to the referring OWASP website page as indicated by its title.
Recognizing Supporters. Leaders are responsible for recognizing Supporters of their group. Recognition for monetary donations is outlined in the Donation Policy and should be regularly maintained and updated as frequently as possible.
Direct Support. Supporters may elect to pay directly for group needs like signage, food, venue, etc. In these cases, the respective transaction is not a gift to the OWASP Foundation nor does it need to be tracked by Leaders.
Charging for Events
OWASP does not charge people to attend chapter, group, or project meetings. Conferences and Training events may have a registration fee.