Rules of Procedure

Board of Directors Code of Conduct

Adopted by the Board of Directors on September 25, 2024

Participation in The OWASP Foundation (“OWASP”) Board of Directors (the “Board”) is conditional upon each member of the Board (each a “Director”) adhering to the requirements of this Board of Directors Code of Conduct (the “Board Code of Conduct”). By participating on the Board, each Director agrees to comply with the following:

Board Responsibilities

The Board has the following responsibilities to the OWASP Foundation and our community:

  • Vision, Values, and Mission. OWASP has a new mission for the first time in 20 years. A strong and clear mission statement provides a lens through which the Foundation decides what to prioritize, do less of, or not do at all.
  • Strategic direction. Each Board should set its goals, priorities, and strategic direction in a special general meeting early in the year.
  • Fiduciary duty. Directors are accountable for Board decisions and Foundation actions.
  • Financial oversight. The budget is set between September and November each year. It must be approved in the first general meeting of the year to permit spending on programs above the Executive Director’s signing authority. If you want to get something done that will cost funds or bring money to the Foundation, it needs to be in each upcoming budget, or it won’t happen.
  • Fundraising. Every non-profit needs to fundraise. The Board should focus on fundraising by promoting OWASP and introducing new corporate members, sponsors, and donations to the Foundation.

The Board can make motions on any topic as long as a motion does not contravene our mission, bylaws, or certificate of incorporation. No Board may bind a future Board. Binding future Boards doesn’t work because every Board can change the mission, bylaws, and policies and alter, reverse, or annul any past motion. The Board may wish to undertake policy or culture reform or transformation. If so, they should consult transparently and widely with key stakeholders and the wider community.

Board Conduct Generally

Each Director, including the Board Chair and Vice-Chair, has an equal vote on all matters presented to the Board. No Director has more power than any other. Each Director is responsible for monitoring and ensuring OWASP’s progress in attaining its goals and objectives while pursuing its mission. The work of the Board is a team effort.

Accordingly, in order to assist the Board in governing, promoting and ensuring positive and productive relationships between and among the Directors and OWASP staff, when performing Board duties or acting as representatives of OWASP or the OWASP community, all Directors are expected to:

  • Comply with the OWASP Code of Conduct and all OWASP policies
  • Practice the OWASP Core Values
  • Keep in mind the OWASP Mission, and this Board Code of Conduct
  • Fully participate in Board of Directors meetings and other public forums
  • Treat others with respect, kindness, consideration and courtesy
  • Be responsive and engage in attentive listening
  • Prepare in advance of Board meetings and be familiar with issues on the agenda
  • Work together as a collaborative process, assisting others in conducting Board affairs
  • Be respectful of other people’s time
  • Stay focused and act efficiently during Board meetings
  • Serve as a model of leadership and civility to the community
  • Demonstrate honesty and integrity in every action and statement
  • Participate in scheduled activities to increase team effectiveness

Board Conduct with One Another

  • Practice civility and respect in all Board discussions and debates, including by respecting the dignity, style, values, and opinions of each Director.
  • Avoid belligerent behaviors and personal comments that could offend other Directors, notwithstanding that difficult questions, tough challenges to particular points of view, and criticism of ideas and information are legitimate elements of a free democracy in action.
  • Honor the role of the Chair in maintaining order. It is the responsibility of the Chair to keep the comments of Directors on track during public meetings. Directors should honor efforts by the Chair to focus discussion on current agenda items. If there is disagreement about the agenda or the Chair’s actions, those objections should be voiced politely and with reason.
  • Demonstrate practical problem-solving approaches. Directors have a public stage to show how individuals with disparate and differing points of view can find common ground and seek a compromise that benefits the community.
  • Be respectful of differing viewpoints in the decision-making process. Individuals have the right to disagree with ideas and opinions, but without being disagreeable.
  • Once the Board of Directors acts, Directors should support said action with a united approach, and without public dissension or creating barriers to the implementation of said action.

Board Conduct with OWASP Staff

  • The primary responsibility of the Board is to formulate and evaluate OWASP policy and strategy, provide financial oversight, and fundraise. Routine operational matters are to be delegated to OWASP professional staff.
  • Treat all staff as professionals, with civility, respect, and clear, honest communication that respects the abilities, experience, and dignity of all involved. Poor behavior towards staff is not acceptable. Directors should develop a working relationship with the Executive Director wherein current issues, concerns, and OWASP business can be discussed comfortably and openly.
  • Never publicly criticize or express concern about the performance of OWASP staff or any member thereof. Such comments should only be made to the Executive Director through private correspondence or conversation.
  • Do not get involved in operational functions. The Board’s authority to make decisions regarding OWASP policy or other matters is to be exercised through Board meetings and communications with the Executive Director or appropriate OWASP staff supervisor. If approached by OWASP personnel concerning specific OWASP policy, Directors should direct inquiries to the appropriate staff supervisor or Executive Director. The chain of command should be followed.

Board Conduct with the Public

  • When responding to community requests and concerns, Directors should be courteous, positively respond to individuals, and route their questions through appropriate channels to responsible management personnel.
  • Refer all complaints to the Executive Director.
  • Make no promises on behalf of OWASP. Directors are frequently asked to explain a Board action or give their opinion about an issue as they meet and talk with community members. It is appropriate to give a brief overview of OWASP policy and refer to OWASP staff for further information. It is inappropriate to promise Board action, overtly or implicitly, or to promise that OWASP staff will do something specific.
  • Do not make personal or derogatory comments about other Directors or their opinions or actions. Directors are constantly being observed by the community. Honesty and respect for the dignity of other Directors should be reflected in every word and action taken by each Director.

Board Conduct with Other Organizations

  • When speaking outside of OWASP on matters relating to OWASP, be clear as to whether the views you express are yours or OWASP’s. If a Director appears before another organization or governmental agency to give a statement on an issue, the Director must clearly state whether that statement: 1) reflects a personal opinion or is the official OWASP stance; and 2) is the majority or minority opinion of the Board. If the Director is representing OWASP, the Director must support and advocate the official OWASP position on an issue, not a personal viewpoint.
  • Correspondence also should be equally clear about representations made on behalf of OWASP, as opposed to personal or separate business interests. Official OWASP correspondence must be from an owasp.org email address.

Sanctions

The Board may remove a Director due to any violation of the Board Code of Conduct pursuant to the last sentence of Section 4.5 of the OWASP By-laws.