Rules of Procedure

Code of Conduct

Adopted by the Board 02-Dec-2020.

Participation in the OWASP Foundation is conditional upon individuals following the Code of Conduct, and as such, individuals agree to conduct themselves per the following Code of Conduct:

Code of Conduct

  • Perform all professional activities and duties in accordance with all applicable laws and the highest ethical principles;
  • Promote the implementation of, and compliance with, standards, procedures, and controls for application security;
  • Maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities;
  • Discharge professional responsibilities with diligence and honesty;
  • Communicate openly and honestly;
  • Refrain from any activities which might constitute a conflict of interest or otherwise damage the reputation of employers, the information security profession, or the Foundation;
  • Maintain and affirm our objectivity and independence;
  • Reject inappropriate pressure from industry or others;
  • Not intentionally injure or impugn the professional reputation or practice of colleagues, clients, or employers;
  • Treat everyone with respect and dignity;
  • Not violate the OWASP trademarks, copyrights, or licenses;
  • Provide proper attribution to avoid plagiarism and copyright infringement, both within and outside of OWASP;
  • Ensure work submitted to OWASP is entirely yours and not copied, whole or in part, without proper attribution or permission;
  • Abide by all provisions in applicable OWASP Foundation organizational documents, agreements, and policies (i) requiring adherence to applicable export laws, including the export control rules and regulations of the United States; or (ii) requiring adherence to the applicable antitrust and competition laws, including the antitrust rules and regulations of the United States;
  • Not engage in any intimidating, harassing, discriminatory, abusive, derogatory, or demeaning speech or actions (“harassment” includes, but is not limited to: communication or conduct that a reasonable person in the individual’s circumstances would consider unwelcome, intimidating, hostile, threatening, violent, abusive or offensive; such communication may be related to gender, gender identity and expression, sexual orientation, disability, national origin, race, age, or religion; it also includes stalking, following, harassing photography or recording, sustained disruption of talks or other events, inappropriate physical contact, and unwelcome sexual attention);
  • Avoid relationships that impair — or may appear to impair — the OWASP Foundation’s objectivity and independence; and
  • Not engage in any illegal activities or commit violations of applicable law, including but not limited to the laws of the United States and its states or the European Union, that (i) could result or actually result in liability or harm to OWASP Foundation; or (ii) are related to your participation in OWASP Foundation, including use of OWASP Foundation materials and publications, sponsored activities; or (iii) are related to your use of software developed in a project sponsored by OWASP Foundation.
The Executive Director can suspend participation in OWASP for 30 days for perceived or actual breaches of the OWASP Code of Conduct or US law. Depending on the severity of the breach, the member or participant can accept the 30-day suspension; in serious cases, the member or participant will instead be referred to the Compliance Committee for a decision regarding their ongoing participation or membership by the OWASP Board at the next available Board meeting.

For first time Code of Conduct breaches, where no violation of US law has occurred:

The member or participant can agree to comply with a temporary suspension imposed by the Executive Director of all OWASP participation for no more than 30 days. Membership will not be extended to cover the suspension.

For repeat or serious breaches of the Code of Conduct, or where a participant has been charged with a crime:

The Executive Director must suspend the member and refer the matter to the Compliance Committee, which will make an independent evaluation of whether the Board should strip leadership, revoke participation, or revoke membership privileges. The suspension will remain in place until after the Board votes on the matter.

If the Board decides to take no action, full participation can resume immediately. If the participant is a member, their membership will be extended by the period of the suspension served.

Transparency and Oversight

To provide transparency and oversight of sanctions, the Executive Director will inform the Board privately of the actions being taken under these sanctions, inform the Compliance Committee as required, provide the Compliance Committee’s recommendations to the Board, and schedule a vote as necessary.