Rules of Procedure

Temporary Covid Restrictions

OWASP has a responsibility to provide its community and staff with a safe environment, promote chapter, project and committee mission related activity, and to be financially responsible. The following restrictions are in place until they are all lifted. All of these sections have a exceptions to the rule, so please don’t assume that something can’t happen, please talk to us about your region’s COVID situation.


Safety is paramount, with virtual activity and financial responsibility as secondary concerns. The following services, gathering, travel, and expense restrictions will apply until further notice, and reviewed regularly.

  • Max expenses are $250, over $250 requires pre-approval. No monthly or subscription payments permitted
  • Shared services are free to projects, chapters, events, and trainers. Private service payments require pre-approval. Always use shared services in the first instance
  • Physical gatherings require pre-approval and must follow local health authorities
  • Expenses for physical meetings and work spaces are not permitted without prior approval
  • All travel is prohibited. Do not make plans or bookings to travel. No travel expenses will be paid
  • Regional and training events should not plan physical events in 2020, and will be approved on a case by case basis for 2021 with certain restrictions. No contracts will be signed without prior approval that meet the restrictions in that region

We will review these restrictions every month until they are all gone, and communicate our current restrictions and any changes. As key stakeholders, such as the OWASP Board, review and provide direction to the Foundation, details on these temporary restrictions will change. Any changes, including directions from the Board, will be announced to the OWASP Leaders list, OWASP Slack, and on the OWASP ED twitter account (@owasped).

Maximum expense cap

During the COVID pandemic, a cap of $250 USD per request will be in place for expenses, and in return for a lower limit, we will only require a receipt and two leaders to approve the expense and it will be paid. Expenses over $250 must be pre-approved by the Foundation.

Approval criteria:

  • A short explanation of why this expenses is relevant to your chapter, project, or event
  • Approved by two chapter or project leaders
  • All expenses must have a receipt or invoice
  • Expenses under $250 do not require pre-approval, expenses above $250 USD require pre-approval
  • Shared services, physical gathering or coworking spaces, travel expenses, and event expenses are subject to pre-approval per the following sections; and
  • Donations, sponsorships, or funding of external organizations require pre-approval, but we should be doing non-monetary donations or sponsorships rather than direct funding.
  • No periodic subscriptions, monthly or annual are permitted until further notice or pre-approval. This prevents us paying for services that cannot be consumed.

During COVID, PPE, sanitization, and cleaning supplies are a fair and reasonable expense (see below in relation to gaining approval for physical gatherings). If you do not have pre-approval for a physical gathering, no expenses will be paid, including for PPE.

Other than these caps and approval criteria, the current expense policy and procedures should be followed.

Shared Services Preferred

Chapters, Projects, and Committees have free access to Foundation virtual tools, such as Zoom (meetings and webinars), Google Meet (leader meetings, etc), Google Classroom (for training), YouTube, GitHub, Azure, AWS, and so on. Any expenses for these services will be rejected without prior approval. Please migrate to the OWASP shared service and you will have $0 bills going forward, and you have access to our premium level accounts.

If you need a shared service that is not currently in our shared services toolkit, please contact us to have it added, so we can evaluate the service and see if it fits a shared service model (OWASP pays the bills, project or chapter controls the sub-account). An example which we are actively evaluating is StreamYard, but it could be any service. We will either get you the service as a shared service, approve a one off payment to allow you to move forward, or reject the request within 30 days. If we reject a service request, no further applications for this service will be considered, approved, or paid. We will communicate rejected services and provide a list of free shared or low cost alternatives to you.

If you need a shared service for dedicated project or chapter use, such as you are an active content creator with a busy published schedule, and have an existing subscription, please obtain a sponsorship or donation in the amount of your needs, and work with us to ensure that we can do a barter arrangement with the sponsor or provide a minimal overhead donation mechanism.

Something like this policy will become standard OWASP shared service policy in the future once consultation has occurred.

Physical meetings during COVID require pre-approval

We all want to get back to normal as quickly as possible, but this will happen at different times in every region and country. If you want to run (or expense) a physical gathering, please get pre-approval.

OWASP is not a health agency. We require Chapters, Projects, and Committees to comply with their local COVID regulations, including any face covering mandates or regulations, prohibition of in-person gatherings, limits on event sizes, preferences for outdoor locations, adequate internal fresh air ventilation, access to sanitizer or hand washing facilities, and required social distancing. If there are no local regulations and local community transmission is still occurring, approval for physical gatherings will not be authorized.

You MUST demonstrate you are permitted to hold such an event by your local health authority’s guidelines and you WILL follow any local conditions that may apply, such as providing PPE, face coverings, social distancing guidelines, and maximum size limits. PPE such as disposable face masks, antiseptic sprays or wipes, sanitizing and cleaning supplies, and hand sanitizer are fair and reasonable expenses during COVID for pre-approved meetings. PPE costs over $250 requires pre-approval.

Periodic payments for services, event spaces, and co-working prohibited

Chapters, projects, and events have free access to a wide variety of virtual meeting tools, learning platforms, and webinar platforms. During COVID, these should be used.

Some chapters and events have filed expenses for physical event spaces or shared workplaces, such as WeWork. OWASP will not pay any fees for services we have not used or cannot use.

Some projects have filed expenses for subscription services. In general, this causes OWASP to incur recurring expenses that often can’t be used without a recurring income source. No subscription service, such as graphic design, Adobe CC, etc, can be expensed without prior approval, and pre-approval will likely be dependant on a sponsorship or donation to cover these costs. Some software subscription services, we can get through TechSoup at a greatly discounted rate (or free) and provide access to all OWASP projects, not just a single project, so please do not join any subscription service without first asking.

  • One off fees. Only pre-approved events and chapters under the physical gathering rules above will be paid. All other one off events or co-working fees will not be paid.
  • Prohibition on periodic subscription payments. Services, such as software susbscriptions, contractor arrangements, physical event space or co-working membership fees or subscriptions are not permitted, and all such expenses will be rejected without pre-approval.
  • Activity required. Going forward, OWASP will only be paying for physical locations if a physical event or activity is actually held, and not on the off chance that you may or may not hold an event or visit a co-working space.
  • No contracting. As per our signing policy, Chapters, Projects, Events, and Committees are not permitted to enter into contracts or sign on behalf of OWASP, so any contracts with a shared office or event space is not an official OWASP contract and will not be paid.

This will become standard policy once consultation has occurred and after COVID restrictions are lifted.

Travel generally prohibited

Chapters, projects, and events have free access to a wide variety of virtual meeting tools, learning platforms, and webinar platforms. During COVID, these should be used.

Travellers may get stuck in quarantine or stranded in another place away from home for any number of reasons including airline insolvency, route cancellations, government travel restrictions, and so on.

  • Travel should be deferred for the foreseeable future
  • You should not make any booking or plans at this time
  • Travel expenses are not permitted during COVID restrictions.
  • OWASP will not pay any expenses related to being quarantined or stuck in a destination.

Exceptions may be granted if domestic travel is fully open. Please apply before assuming that you can’t travel.

Physical Event Contracting

At this time, the Foundation is not signing any physical event contracts for the remainder of 2020 and has no plans for any physical events in 2021. Sponsors, trainers, attendees and organizers require certainty, and so for the remainder of 2020 in particular, do not plan any physical events, especially without prior approval.

However, regional and training events may be permitted to start planning a 2021 event under the following conditions:

  • the event must be pre-approved per the normal process with a budget, including any necessary contingencies for any cancellation or refund fees;
  • to enter into a contract for a event space or hotel contract, the Foundation requires the location for the event must be COVID free for the past 90 days;
  • local health COVID restrictions permit large gatherings without many restrictions; and
  • the contract has a clause that allows immediate and free cancellation if COVID restrictions are put in place right up to the date of the event.

The only exception to this restriction is events currently approved: OWASP NZ Day, and we will work with the organizer closely to manage issues around running a physical event.

Minimum Meeting Requirements Feb 2020-March 31, 2021

We are not involuntarily decommissioning chapters prior to March 31, 2021. Chapters must hold at least one meeting or event of some description between February 1, 2020 and March 31, 2021 to be considered “active” after March 31, 2021. After that date, the minimum of 4 meetings a year policy will be enforced. Chapter leaders are encouraged to run virtual meetings, including social events between now and March 31, 2021. Zoom is freely available to all chapter leaders.

Chapters who have yet to migrate to the website, setup their Meetup, or not yet obtained their email or Zoom details should do so before March 31, 2021.

Monthly Review of Restrictions

These restrictions will be reviewed by the Foundation monthly just prior to the Connector being released, until they are all removed. We will communicate these restrictions and any changes in the Connector every month. We will post them to the OWASP website, and pin a message to the OWASP Community slack channel.

If you have any questions, please contact Andrew van der Stock, [email protected] to discuss. Office Hours are available in several time zones: