Chapters (Draft WIP)
Members are invited to provide feedback on this draft policy until December 15, 2020. The Policy Review Team will respond to comments mailed from your owasp.org email address to this address.
Chapters are central to OWASP’s mission of achieving community around the world. This policy defines the rules related to starting, running, maintaining, and dissolving OWASP Chapters.
Chapter Leaders serve as the main point of contact for their Chapters, and are responsible for ensuring the chapter complies with all OWASP policies while fulfilling its mission and obligations.
- Chapter leaders are not required to be members, but it is recommended to become one in order to promote membership.
- Chapter leadership is open to all participants. Leadership is personal, and not associated with any organization, company, or employer.
- Each chapter must have a minimum of 2 and a maximum of 5 leaders.
- Leaders will sign and return a Leader’s agreement within 2 weeks of receipt.
- Each leader will annually confirm upon request that they intend to continue volunteering as Chapter Leader.
- Leaders should transition or rotate every 2-3 years, and encourage fresh Leaders to step up and participate in the Chapter operations. Leader selection is at the Chapter’s discretion.
- If a Chapter’s Leadership does not have consensus, fair and open elections should be administered with the support of OWASP Staff and the Chapters Committee.
- Any changes in chapter leadership must be made by one of the existing Leaders, by submitting a ticket with all information to the New Chapter/Leader Request.
- If a leader needs to step down, they must send an email to the Foundation or submit a ticket to the New Chapter/Leader Request.
- All leaders are provided with an owasp.org email address.
- Complimentary membership is available on request for leaders after six months of active chapter leadership, to be reviewed by the Chapter Committee.
- Access to OWASP Foundation Shared Services
- Student chapter leaders are entitled to additional benefits including mentoring and access to scholarships as available.
Running a Chapter
Chapters must be discoverable by new and existing members and participants.
- Chapter activities must appear on the owasp.org website.
- It is strongly recommended (but not required) to use OWASP’s official chapter and event scheduling platform. If you do use the Foundation’s scheduling service, your chapter’s group account must be defined under the OWASP Foundation account to provide continuity for chapter members in case chapter leadership becomes inactive. The Foundation pays event platform fees for active chapters. If you use another platform, OWASP will not reimburse these expenses.
- If you do not use OWASP’s official event platform, you must ensure your events are synchronized (whether automatically or manually) to your Chapter page on the owasp.org website.
- Each chapter is responsible for creating and maintaining their owasp.org chapter home page.
- A list of the current leaders and their active owasp.org email addresses must be listed on the Chapter’s web page on owasp.org.
Meetings and Activity Requirements
- Attendees do not need to be members. All members of the public are allowed to attend OWASP meetings.
- Chapter meetings must be free.
- Chapters shall host a minimum of 4 chapter activities a year to maintain an active OWASP chapter. The activity can be in person, virtual, or an approved OWASP event run by the OWASP chapter (or in collaboration with another chapter or external organization).
- Chapter activities are for the benefit of the community, and could include, but are not limited to:
- Chapter meetings (traditional meetups)
- Training days
- Capture the Flag/Hack-a-Thon events
- Local/Regional AppSec Days events
- Student-focused activities, at secondary and/or college level
- Chapter activity information (date, time, and location) must be posted on the owasp.org chapter page before the event start date.
The Chapter Handbook [TBD: Needs Link] contains details of how to publish event information automatically when using the OWASP meeting scheduling platform.
OWASP is a social community, and we need to communicate with our community regularly.
- Chapter Leaders should use their owasp.org email address for all OWASP-related correspondence.
- Chapter Leaders should monitor their owasp.org email address regularly and respond within a reasonable timeframe.
- Requests from OWASP Staff and OWASP shared services, such as expense claims, should be responded to by one or more of the chapter leaders within 7 days.
- Leaders are encouraged but not required to monitor and participate in OWASP Leaders Mailing List, Google Groups, and the Slack platform.
- OWASP Chapters can create and manage their own social media presence. Access to these accounts must be shared with all Leaders of that Chapter.
We recommend Chapter Leaders set an out of office notification if they are planning to take leave, so that chapter members, Chapter Committee, and Foundation Staff are aware of any absences or delays in responding to communications.
OWASP Foundation will provide Chapters with the following Shared Services at no cost. Chapters are encouraged to make use of these. Access to these Services can be obtained by submitting a ticket via Contact Us.
- Chapter page on the owasp.org website.
- A chapter scheduling service for meetings and local events with RSVP functionality and hidden video conference details.
- Video conferencing and webinar facilities for virtual meetings and events, and hybrid in-person / virtual events
- Social messaging app to communicate in real time with the OWASP Community.
- Leaders will be added automatically to [email protected] - join using owasp.org email address.
- Assistance & resource is available [email protected] and other OWASP Committees.
- Event insurance covering chapter meetings.
Services identical or similar to the ones the Foundation provides to chapters cannot be expensed without prior approval.
Starting a New Chapter
There are currently two types of chapters you can start: city chapters and student chapters. Prospective chapter leaders should familiarize themselves with this policy and the Chapter Handbook prior to submitting the form.
- New chapters must be approved by the Foundation, by submitting a request through Contact Us.
- After the new Chapter is approved, the Chapter Leader must:
- Submit a Request for Leader Github Usernames in order to access the chapter repository.
- Create new chapter pages within ten days of GitHub access on the owasp.org website.
- Log in to their owasp.org email account within 24 hours, or they will need to log a support ticket via Contact Us to have a password recovery email sent to their registration email address.
Starting a city chapter
City chapters are the primary form of the OWASP chapter, with hundreds of Chapters worldwide.
- Approved city chapters are named “OWASP .” City chapter names must not be a regional or country name unless the city name is the country name (e.g., Monaco).
- Chapters shall be defined for a single city only; a new chapter may be denied approval if there is another chapter within 80 km (50 miles).
- Chapter leaders must reside within 80 km (50 miles) of the chapter location.
- Exceptions to distance rules may be approved on a case-by-case basis, for example where the travel time between two geographically close chapters is excessive (defined as more than one hour).
Starting a student chapter
Students of high schools and institutions of higher education can create student chapters.
- Student chapters are named “OWASP ” or, where the institution has different campus locations, “OWASP ”
- Student chapters are associated with one educational institution in a single geographic area. For example, each educational institution in a city is more than welcome to have its own student chapter, which is not the case for regular city chapters.
- At least one leader must be a student, and at least one leader must be faculty from the institution.
Renaming a Chapter
- Any Chapter name changes must be approved by the Foundation. A request for approval must be submitted through Contact Us.
Existing active regional chapters can continue to operate, as per the policy for city chapters, including access to Foundation services, expenses, etc as detailed in this policy. Regional chapters hold no powers over any other chapter.
Once the new supplemental regional chapter policy is created and approved by the Board, this section will no longer be in effect, and existing regional chapters will be governed by the supplemental regional chapter policy.
Note: Starting new or re-activating inactive regional chapters will not be approved until the supplemental regional chapter policy comes into effect.
Background rationale: Regional chapters have never been defined by any prior policy, and they all operate differently with various levels of success. As there are at least 10 regional chapters, the regional model is actively being re-developed to be a sustainable model that promotes regional cooperation, activity, leadership, accountability, and transparency. Existing regional chapter leaders are encouraged to work with the Chapter Committee to define the regional chapter model.
The OWASP Foundation aims to provide continuity for OWASP chapter members. The following process is to determine inactive chapters and try to install fresh leadership.
- An inactive OWASP Chapter is a chapter that has not met minimum activity requirements defined in this policy.
- An inactive Chapter must either be reactivated or dissolved.
- The OWASP Foundation will revoke the inactive chapter leadership and refer the inactive chapter to the Chapters Committee to help find fresh leadership or to run elections to elect new leadership.
- To reactivate a chapter, a minimum of 50% of the leadership must be new. Where an inactive chapter does not hold a meeting within 90 days of being reactivated, or new leadership could not be appointed within 90 days of failing to meet activity targets, the Chapter Committee will discuss the inactive chapter and vote on it; if agreed, the chapter will be dissolved by the OWASP Foundation.
Finances, Oversight, and Transparency
Chapters are overseen on an operational basis by the Chapters Committee, the OWASP Foundation Staff, and, ultimately, the OWASP Board of Directors. If the Chapters Committee, Foundation Staff or Board of Directors determines that a Leader has not complied with these rules, leadership will be revoked. Additionally, OWASP administrative access (including the leader’s owasp.org email address) will immediately be revoked.
Code of Conduct and other relevant policies
All leaders must follow and adhere to all OWASP Foundation Policies and Procedures, which are in a central repository. As a US-based 501 (c)(3) non-profit organization, OWASP must follow specific financial and legal guidelines that can change from time to time.
Chapters operate with a great deal of freedom; however, Chapters must abide by the latest approved Code of Conduct, Foundation bylaws, and these [policies and procedures](https://owasp.org/www-policy/). Copies of older versions are not relevant.
OWASP membership and participation in chapter meetings are subject to the EU GDPR, and any other locally applicable data protection regulations. Chapter leaders are not permitted to share member lists, event attendees, or private information with third parties except where operationally necessary and only after informing relevant parties with opt-in acceptance.
Chapter related expenses incurred while holding a chapter meeting within the geographic area of the chapter itself must comply with the Expense Policy and be submitted within 60 days.
Members are the lifeblood of chapters. Memberships must be processed per the membership policy.
All donations must comply with the Donations policy and be processed through the OWASP Donations page.
Chapters are not legal entities.
Chapters, Projects, and groups are not legal entities and are organized under the OWASP Foundation’s authority.
Finances are via OWASP Foundation only.
As Chapters are not legal entities, all membership dues and funds must be processed through the Foundation for reasons of transparency, US not-for-profit law, and regulatory and tax compliance. Chapters are not permitted to hold any bank accounts, independent insurance, have an independent donation mechanism, or use any funds transfer mechanisms to store financial value such as gift cards, PayPal or Venmo, or any other banking or financial instruments.
No signing authority
Chapters operate under the aegis and policies of the OWASP Foundation and are subject to the OWASP Signing policy. As non-legal entities, chapter leaders and members of chapters cannot sign contracts or enter into agreements with commercial organizations. All such agreements should be referred to the OWASP Foundation for pre-approval and possible signing.
Chapter Supporters and bartering arrangements
Chapters are encouraged to obtain local chapter supporters via bartering arrangements (i.e. services, event spaces, or food and beverages are paid for by a chapter supporter) and donations via the OWASP website. Chapters can define levels and benefits of local Chapter Supporters, including logos on introduction slides and the Chapter home page. Any contractual agreement, bartering arrangement, or financial transaction must be registered and processed by the Foundation.
OWASP has various dispute resolution mechanisms. Please contact the Foundation if you are unsure about reporting a complaint or raising a dispute. In general, disputes should be resolved between parties and not in the court of public opinion on social media or mailing lists.
Chapter members and leaders can use the following policies and reporting mechanisms to resolve disputes or to report code of conduct breaches, violations of policy or financial requirements:
- Conflict Resolution policy for most disputes between participants
- Code of Conduct for ethical or conduct breaches
- The OWASP Chapter Committee is the first point of escalation, the Executive Director as the second point of escalation, and finally the Global Board.
- To report severe violations of policy, financial, or fiduciary misconduct, please refer to the Whistleblower and Anti-Retaliation policy.