Rules of Procedure

Code of Conduct (DRAFT WIP)

Members are invited to provide feedback on this draft policy until October 23, 2020. The Policy Review Team will respond to comments mailed from your email address to this address.

Participation in the OWASP Foundation is conditional upon individuals following the Code of Conduct, and as such individuals agree to do all of the following:

Code of Conduct

  • Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles;
  • Promote the implementation of, and compliance with, standards, procedures, and controls for application security;
  • Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities;
  • Discharge professional responsibilities with diligence and honesty;
  • Communicate openly and honestly;
  • Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of employers, the information security profession, or the Foundation;
  • Maintain and affirm our objectivity and independence;
  • Reject inappropriate pressure from industry or others;
  • Not intentionally injure or impugn the professional reputation or practice of colleagues, clients, or employers;
  • Treat everyone with respect and dignity;
  • Abide by all provisions in applicable OWASP Foundation organizational documents, agreements and policies (i) requiring adherence to applicable export laws, including the export control rules and regulations of the United States, or (ii) requiring adherence to the applicable antitrust and competition laws, including the antitrust rules and regulations of the United States;
  • Not engage in any intimidating, harassing, discriminatory, abusive, derogatory, or demeaning speech or actions (“harassment” includes, but is not limited to: communication or conduct that a reasonable person in the individual’s circumstances would consider unwelcome, intimidating, hostile, threatening, violent, abusive or offensive; such communication may be related to gender, gender identity and expression, sexual orientation, disability, national origin, race, age, or religion; it also includes stalking, following, harassing photography or recording, sustained disruption of talks or other events, inappropriate physical contact, and unwelcome sexual attention);
  • Avoid relationships that impair — or may appear to impair — the OWASP Foundation’s objectivity and independence; and
  • Not engage in any illegal activities or commit violations of applicable law, including but not limited to the laws of the United States and its states or the European Union, that (i) could result or actually result in liability or harm to OWASP Foundation, or (ii) are related to your participation in OWASP Foundation, including use of OWASP Foundation materials and publications, sponsored activities, or (iii) are related to your use of software developed in a project sponsored by OWASP Foundation.
If the Code of Conduct is violated, the following will occur:

For First Time Breaches that are Less Severe (as determined by the Executive Director):

The participant can agree to sign an Acknowledgement Statement acknowledging that the participant has read the Code of Conduct and that continued participation in or Membership of OWASP requires compliance with the Code of Conduct, and can agree to comply with a temporary suspension of all OWASP participation for a period of no more than 30 days, depending on the severity of the breach. If agreed and signed, the matter will be considered over at the end of the suspension period. The Acknowledgement Statement and record of suspension will be kept for future reference and destroyed after three years. If the participant is a Member, membership will not be extended to cover the suspension period.

For Failures to Follow Sanctions, Serious First Time Breaches, or Repeated Breaches:

In the event that (i) the participant does not follow the penalties imposed for lesser breaches (for example, the participant does not agree to sign an Acknowledgement Statement), (ii) there are repeat or serious breaches of the Code of Conduct, or (iii) a person is charged with a crime punishable by more than one year in prison, the Executive Director must suspend the Member and immediately refer the matter to the Compliance Committee, which will make an independent evaluation of whether the Board should strip leadership, revoke participation, or revoke membership privileges, at its sole discretion. The period of suspension will remain in place until after the Board votes on the matter.

If the Board decides to take no action, full participation can resume immediately. If the participant is a Member, their membership will be extended by the period of the suspension served.

Transparency and Oversight

To provide transparency and oversight of sanctions, the Executive Director will inform the Board privately of the actions being taken under these sanctions, including providing recommendations from the Compliance Committee and scheduling a vote as necessary.