Rules of Procedure

Chapters Policy

Adopted by the Board on 23-Feb-2021

Overview

Chapters are central to OWASP’s mission of achieving community around the world. This policy defines the rules related to starting, running, maintaining, and dissolving OWASP chapters.

Chapter Leadership

Chapter leaders serve as the main point of contact for their chapters and are responsible for ensuring the chapter complies with all OWASP policies while fulfilling its mission and obligations.

  • Chapter leaders are not required to be members, but it is recommended to become one to promote membership.
  • Chapter leadership is open to all participants. Leadership is personal, and not associated with any organization, company, or employer.
  • Each chapter must have a minimum of 2 and a maximum of 5 foundation-recognized, official leaders. In the event of a resignation, leadership transition, or new leadership being appointed, a chapter is allowed a grace period of up to 3 months from the event to comply.
  • A chapter leader can be a leader of only one chapter.
  • Leaders will sign and return a leader’s agreement within 30 days of receipt.
  • Each leader will annually confirm upon request within 30 days that they intend to continue volunteering as chapter leader.
  • Leaders are encouraged to transition or rotate every 2-3 years (minimum 2 years, maximum 3 years) to allow fresh leaders to step up and participate in the chapter operations. Leader selection is at the chapter’s discretion, provided all policies are followed.
  • If a chapter’s leadership does not have consensus, fair and open elections should be administered with the support of OWASP staff and the Chapter Committee.
  • Any changes in chapter leadership should be done by submitting a ticket with all information to the New Chapter/Leader Request by one of the existing leaders. If the local chapter leadership is inactive, this request can be made by local chapter OWASP members.
  • If a leader needs to step down, they should submit a ticket to the New Chapter/Leader Request.
  • If a leader is no longer reasonably responsive and contributing to the chapter, the remaining chapter leaders may petition the leader’s removal in accordance with the dispute resolution process.

Running a Chapter

Discoverability

Chapters must be discoverable by new and existing members and participants.

  • Chapter activities must appear on the owasp.org website.
  • It is strongly recommended to use OWASP’s official chapter and event scheduling platform. The foundation pays event platform fees for active chapters. If you use another platform, OWASP may not reimburse these expenses. If you do use the foundation’s scheduling service, your chapter’s group account must be defined under the OWASP Foundation account to provide continuity for chapter members in case chapter leadership becomes inactive.
  • If you do not use OWASP’s official event platform, you must ensure your events are synchronized (whether automatically or manually) to your chapter page on the owasp.org website.
  • Each chapter is responsible for creating and maintaining their owasp.org chapter home page (see also Starting a New Chapter and Meetings and Activity Requirements).
  • A list of the current leaders and email addresses must be listed on the Chapter’s web page on owasp.org. It is highly encouraged that leaders use their @owasp.org email address on these pages.

Meetings and Activity Requirements

  • Attendees do not need to be members. All members of the public are allowed to attend OWASP meetings. However, reasonable restricted chapter events and activities may be organized in addition to regular meetings.
  • Chapter meetings must be free.
  • Chapters should host a minimum of 3 chapter activities a year to maintain an active OWASP chapter. The activity can be in person, virtual, or an approved OWASP event run by the OWASP chapter (or in collaboration with another chapter or external organization with the approval of the foundation).
  • Chapter activities are for the benefit of the community, and could include, but are not limited to:
    • Chapter meetings (traditional meetups)
    • Training days
    • Capture the Flag/Hack-a-Thon events
    • Local/Regional AppSec Days events
    • Student-focused activities, at secondary and/or college level
  • Chapter activity information (date, time, and location) must be posted on the owasp.org chapter page before the event start date.

For chapters using OWASP Meetup Pro, mirroring meetings automatically is simple and easy. Add the following code to make your life a lot easier. In the header, please make sure the meetup-group parameter exists and is accurate:

meetup-group: your-meetup-group

If the meetup-group header is identical to your OWASP Meetup Pro Group name (e.g. meetup-group: OWASP-Colorado-Springs-Meetup), the code will automatically mirror your upcoming meeting information as mandated by the policy above.

Add this line to where you would like your upcoming meetings to automatically appear in the body:

{ % include chapter_events.html group=page.meetup-group %}

(Remove the space between { and % to make this work on your page)

NB: Per the policy above, if you don’t use this, or it’s set up incorrectly, you will need to do this step manually. Once your events are done, please add past events to a past events tab. For a more detailed example, see [https://owasp.org/www-projectchapter-example/]

Communication

OWASP is a social community, and we need to communicate with our community regularly.

  • Chapter leaders should use their owasp.org email address for all OWASP-related correspondence.
  • Chapter leaders should monitor their owasp.org email address regularly and respond within 9 business days.
  • Requests from OWASP staff, such as expense claims, should be responded to by one or more of the chapter leaders within 9 business days.
  • Leaders are encouraged, but not required, to monitor and participate in the OWASP Leaders List, other Google groups, and the Slack platform.
  • OWASP chapters can create and manage their own social media presence and other reasonable communication channels. Access to these accounts must be shared with all leaders of the chapter. Administration of the account should be handed over to a remaining chapter leader when stepping down.

We recommend chapter leaders set an out of office notification within their @owasp.org email if they are planning to take leave, so that chapter members, the Chapter Committee, and foundation staff are aware of any absences or delays in responding to communications.

Shared Services

The OWASP Foundation will provide chapters with the following shared services at no cost. Chapters are encouraged to make use of these. Access to these services can be obtained by submitting a ticket via Contact Us. If no response is received after 9 business days, and reasonable efforts have been made to use the shared services, the chapter may, with due care, seek a reasonable alternative by filling out a Chapter Funding Pre-Approval ticket.

  • Chapter page on the owasp.org website.
  • A chapter scheduling service for meetings and local events with RSVP functionality and hidden video conference details.
  • Video conferencing and webinar facilities for virtual meetings and events, and hybrid in-person / virtual events.
  • Social messaging app to communicate in real time with the OWASP community.
  • Leaders have access to [email protected] - join using an owasp.org email address.
  • Assistance and resources are available through the Chapter Committee and other OWASP Committees.
  • Event insurance covering chapter meetings.

Services identical or like those provided by the foundation cannot be expensed without prior approval. Where possible, all chapters are encouraged to use a service that respects user privacy.

Starting a New Chapter

There are currently two types of chapters you can start: city chapters and student chapters. Prospective chapter leaders should familiarize themselves with this policy and the draft Chapter Handbook prior to submitting the form.

  • New chapters must be approved by the foundation, by submitting a request through Contact Us.
  • After the new chapter is approved, the chapter leader must:
    • Provide GitHub usernames in order to get admin access to your chapter repository.
    • Create new chapter pages within 30 days of GitHub access on the owasp.org website (see Website Migration Information and Tutorial for assistance).
    • Log into their owasp.org email account within Google’s defined time period, or they will need to log a support ticket via Contact Us to have a password recovery email sent to their registration email address.

Starting a City Chapter

City chapters are the primary form of the OWASP chapter, with hundreds of chapters worldwide.

  • Approved city chapters are named “OWASP «city name»”. City chapter names must not be a regional or country name unless the city name is the country name (e.g., Monaco).
  • Chapters shall be defined for a single city only; a new chapter may be denied approval if there is another chapter within 80 km (50 miles).
  • Chapter leaders must reside within 80 km (50 miles) of the chapter location.
  • Exceptions to distance rules may be approved on a case-by-case basis, for example where travel times between two geographically close chapters are excessive (defined as more than one hour).

Starting a Student Chapter

Students and faculty of institutions of higher education can create student chapters.

  • Student chapters are named “OWASP «institution name»” or, where the institution has different campus locations, “OWASP «institution name» «campus»”.
  • Student chapters are associated with one educational institution in a single geographic area. For example, each educational institution in a city is more than welcome to have their own student chapter, which is not the case for regular city chapters.
  • At least one leader must be a student, and at least one leader must be faculty from the institution.
  • Student chapters in a city with an active OWASP city chapter should make meaningful efforts to collaborate with the city chapter, and vice versa, where appropriate.

Renaming a Chapter

  • Any chapter name changes must be approved by the foundation. A request for approval must be submitted through Contact Us.

Regional Chapters

Existing active regional chapters can continue to operate as per the policy for city chapters, including access to foundation services, expenses, etc., as detailed in this policy. Regional chapters hold no powers over any other chapter.

Once the new supplemental regional chapter policy is created and approved by the board, this section will no longer be in effect, and existing regional chapters will be governed by the supplemental regional chapter policy.

Note: Starting new or re-activating inactive regional chapters will not be approved until the supplemental regional chapter policy comes into effect.

Background rationale

Regional chapters have never been defined by any prior policy, and they all operate differently with various levels of success. As there are at least 10 regional chapters, the regional model is actively being re-developed to be a sustainable model that promotes regional cooperation, activity, leadership, accountability, and transparency. Existing regional chapter leaders are encouraged to work with the Chapter Committee to define the regional chapter model.

Inactive Chapters

The OWASP Foundation aims to provide continuity for OWASP chapter members. The following process is used to determine which chapters are inactive and to try to install fresh leadership.

  • An inactive OWASP chapter is a chapter that has not met minimum activity requirements defined in this policy.
  • An inactive chapter must either be reactivated or dissolved.
  • The OWASP Foundation will revoke the inactive chapter leadership and refer the inactive chapter to the Chapter Committee to help find fresh leadership or to run elections to elect new leadership.
  • Use this form to reactivate a chapter. Where an inactive chapter does not hold a meeting within 90 days of being reactivated, or new leadership could not be appointed within 90 days of failing to meet activity targets, the Chapter Committee will discuss the inactive chapter and vote on it. If agreed, the chapter will be dissolved by the OWASP Foundation.

Finances, Oversight, and Transparency

Chapters are overseen on an operational basis by the Chapter Committee, the OWASP Foundation staff, and, ultimately, the OWASP Board of Directors. If the Chapter Committee, foundation staff, or board of directors determines that a leader has not complied with this policy, despite support and outreach, leadership may be revoked, suspended, or another action taken. Additionally, OWASP administrative access (including the leader’s owasp.org email address) may immediately be revoked.

Code of Conduct and Other Relevant Policies

All leaders must follow and adhere to all OWASP Foundation policies and procedures, which are kept in a central repository. As a US-based 501(c)(3) non-profit organization, OWASP must follow specific financial and legal guidelines that can change from time to time.

Chapters operate with a great deal of freedom; however, chapters must abide by the latest approved Code of Conduct, Foundation Bylaws, and these policies and procedures. Copies of older versions are not relevant.

Privacy

OWASP membership and participation in chapter meetings are subject to locally applicable data protection regulations (for instance, see GDPR). Where conflicting local regulations exist, the most restrictive should be observed. All chapter meetings must comply with OECD privacy principles; the Collection Limitation Principle applies to all activities where personal information of participants is needed. Chapter leaders are not permitted to share member lists, event attendee lists, or private information with third parties except where operationally necessary and only after informing the relevant parties and obtaining their opt-in acceptance. Chapters should, where possible and not otherwise required by local legislation or compliance requirements, adopt a data minimization approach and delete data that is no longer necessary.

Submitting Expenses

Chapter-related expenses incurred while holding a chapter meeting within the geographic area of the chapter itself must comply with the expense policy and must be submitted within 60 days.

Memberships

Members are the lifeblood of chapters. Memberships must be processed per the membership policy.

Donations

All donations must comply with and be processed per the foundation donation policy.

Chapters wishing to create paid events like training and workshops should review the events policy for more information. Payments for training, workshops, and other events will be made in accordance with the expense policy.

Chapters, projects, and groups are not legal entities and are organized under the OWASP Foundation’s authority.

Finances are via OWASP Foundation Only

As chapters are not legal entities, all membership dues and funds must be processed through the foundation, for transparency and for compliance with US not-for-profit law and regulatory and tax requirements. Chapters are not permitted to hold any bank accounts or independent insurance, have an independent donation mechanism, or use any funds transfer mechanism to store financial value, such as gift cards, PayPal or Venmo, or any other banking or financial instrument.

Signing Authority

Chapters operate under the aegis and policies of the OWASP Foundation and are subject to the OWASP signing policy. As non-legal entities, chapter leaders and chapter members cannot sign contracts or enter into agreements with commercial organizations. All such agreements should be referred to the OWASP Foundation for pre-approval and possible signing.

Supporters and Bartering Arrangements

Chapters are encouraged to obtain local chapter supporters via bartering arrangements (i.e. services, event spaces, or food and beverages are paid for by a chapter supporter) and via donations through the OWASP website. Chapters can define levels and benefits of local Chapter Supporters, including logos on introduction slides and the Chapter home page. Any contractual agreement, bartering arrangement, or financial transaction must be registered and processed by the Foundation through our service desk.

Disputes

OWASP has various dispute resolution mechanisms. Please contact the Compliance Committee if you are unsure of reporting a complaint or raising a dispute. In general, disputes should be resolved between parties and not in the court of public opinion on social media or mail lists.

Chapter members and leaders can use the following policies and reporting mechanisms to resolve disputes or to report code of conduct breaches, violations of policy, or financial requirements:

Sanctioned Countries and Leaders

OWASP must comply with international laws and regulations, including international sanctions. Sanctions take many forms and are often limited in scope to access to specific intellectual property, organizations, governments, and/or individuals.

From time to time, the Executive Director and Community Manager will review sanctions from the EU, USA, and anywhere else the foundation has an operating entity, and apply the following policies.

Until sanctions are lifted and where not complying with or breaching sanctions would cause the OWASP Foundation to be subject to fines, civil or criminal liability, the following policies will be applied:

a) New chapters cannot be formed.

b) Existing chapters may be disbanded or made independent of the Foundation depending on the nature of the sanctions.

c) Leaders and members who are sanctioned individuals will be removed from any leadership positions, and any membership fees refunded, including Lifetime membership.

d) OWASP materials are free and open-source, and can be obtained through many means, including OWASP shared cloud platforms. For the purposes of curtailing access or prohibiting the “export” of such freely available information, OWASP relies solely upon the technical controls in place on our shared cloud platforms, which share the same sanction controls as the OWASP Foundation. The Foundation has no control over these technical controls, and the Foundation will not subvert these technical controls to allow access in sanctioned countries.

The Executive Director and/or Community Manager will inform the OWASP Global Board and Chapter Committee of any changes to sanctioned chapters, leadership, or access.

The Community Manager will review the list of sanctioned chapters and leaders periodically to determine if the Foundation can restore the chapter, leadership, and membership.