Rules of Procedure

Events Policy (Draft WIP)

This is a DRAFT or SUBSTANTIALLY MODIFIED existing policy currently in an open review period. Please respond with your comments and inputs regarding this page or directly submit a pull request.

Safe and Fun Networking

All OWASP events must be conducted in a manner consistent with the OWASP Mission, Principles and Code of Conduct. To ensure a safe, consistent learning and networking experience, OWASP events shall conform to the Conference & Event Attendee Policy and in particular its Anti-Harassment provisions. Additionally, organizers are required to follow the OWASP Foundation Privacy Policy and ensure GDPR compliance.

Speaker/Trainer policy

Training providers and Speakers for both Global AppSec and Regional Events are required to sign and adhere to the terms of the speaker/trainer agreement. An online version can be provided to Regional Event Teams upon request. Failure by Trainers or Speakers to execute this agreement within seven days of the event is minimally grounds for cancellation. While the complete terms are included in the agreement, it should be highlighted that:

  • Speakers do not receive any compensation for their participation
  • Travel expenses are not reimbursable for Speakers or Trainers

Global AppSec Events


Budgets will be developed based on the vendor and venue proposals received and will be presented to the Board of Directors for its approval no later than 16 months prior to the start of the conference. Once approved, the Executive Director, or their designee, may execute instruments that contractually and financially obligate the OWASP Foundation to execute the event.

Local host chapters for internal accounting practices may share in Global AppSec event net profits up to 10% based on chapter participation. In the case of multiple host chapters, the host chapters will be responsible for determining the division before the event. Net profit sharing can be achieved by completing the following:

  • Recruiting and supervising local volunteers
  • Participating in the CfT/CfP Review Process
  • Successfully marketing the Global AppSec in the local area (to be tracked by discount code)

Site Selection/Venue

Cities and venues will be selected through an RFP process. Criteria for selection will include but will not be limited to:

  • Accessibility
  • Local community/security community presence
  • Venue availability
  • Value for attendees


All vendors will be selected through the RFP process. Vendors will be selected based on the value they are able to provide to the conference.


Content will be created be sources and selected by the Program Team in accordance with the Program Teams Charter. OWASP Staff will be responsible for keynote speakers and non-programmatic content.

Content will be shared with the community when possible. OWASP will not incur additional expenses such as web casting, third party hosting sites, or video recording in order to make the content available to those that were not in attendance.

Event Volunteers

How sourced and what do they get?

Regional Event Policy

General Process and Highlights

  • Event Teams must apply and be approved to host an OWASP Branded Regional/Local Event
  • An Event Budget must be provided as part of the application process
  • If selected, the Event Team must acknowledge receipt of and their agreement with these policies
  • OWASP Foundation staff and local volunteers collaborate to host a successful event
  • Contracts along with financial obligations and revenue must be managed by the OWASP Foundation
  • OWASP Events must provide a safe and supportive environment for all attendees

All OWASP Events must be approved by OWASP Foundation Staff by submitting an event description and comprehensive budget via a process designated by the Executive Director. Regional events may not take place within 30 days of a Global AppSec Event. Regional events must be conducted in a manner consistent with the OWASP Mission, Principles and Code of Conduct. All regional organizers are required to follow the OWASP Foundation Privacy Policy and ensure GDPR compliance.

Applications to host Regional Events will be evaluated on the following:

  • Previous experience organizing a Regional Event
  • Historical experiences cooperating with Foundation staff
  • Budget forecasts (balance, not profitability)
  • Community outreach potential


Each application must also include a complete budget. Budgets must be reviewed and approved by the Executive Director. Budget categories will minimally include:

  • Social Events
  • Meeting Room Rental
  • Trainer Fees
  • Printing & Branding
  • Giveaways/Hard Goods

For internal accounting practices, Local host chapters who comply with the terms of these policies will share 90% of OWASP event net profits. In the case of multiple host chapters, the host chapters will be responsible for determining the division before the event. A Regional Event Profit and Loss statement will be provided to all parties no later than 120 days following the event. Uncollected sponsorship revenue will not be included in this revenue reconciliation.

All expense reimbursements and payments will be paid in accordance with the expense policy with particular attention to the following:

  • It is the responsibility of those incurring expenses to obtain pre-approval of any unbudgeted expense likely to exceed $2,500, and failure to do so may result in your reimbursement request being denied.
  • When any expense other than airfare is expected to exceed $5,000, an invoice must be requested from the vendor so the Foundation can remit payment directly.
  • Invoices from vendors should have Net 60 terms, and the OWASP Foundation will make a best effort to pay within the current Service Level Agreement, which at the writing of this policy is 22 days. Invoices received within 30 days of when payment is required cannot be guaranteed to be paid on time.
  • Invoices and expense reimbursements submitted more than 60 days following the event will be denied.


The OWASP Foundation is the exclusive sponsorship representative of all OWASP Events. At the discretion of the Executive Director, the OWASP Foundation may provide services to Regional Event Teams to identify, solicit, contract, invoice, and collect sponsorship revenue from partners. In collaboration with the Foundation, Regional Event Teams can develop a collection of sponsorship opportunities that offer unique value to partners when supporting these events. Regional Event Teams acknowledge that pricing and benefits for these events must be compatible with offerings for Global AppSec events.

From time to time the OWASP Foundation may offer “bundled” sponsorships that may include benefits delivered through Regional Events. Both the OWASP Foundation and Regional Event Teams will make a best case effort to always ensure each partner’s satisfaction with their sponsorship. In those cases where a Corporate Sponsor selects a Regional Event for their exhibition benefit, Regional Event Teams’ revenue, for internal accounting practices, shall be increased according to the following schedule:

  • $7,000 if the event is AppSec California
  • $5,000 for Event Revenue more than $250,000
  • $2,500 for Event Revenue more than $100,000 but less than $249,999
  • $1,000 for Event Revenue up to $99,999

Additionally, any other Sponsor Benefits beyond the standard base Event Sponsorship delivered through a Regional Event Team shall also increase the Regional Event Teams’ revenue, for internal accounting practices, at the list price of those benefits.


All ticketing shall be done through OWASP managed services. Discount codes shall be provided in a reasonable timeframe for event teams to affect those discounts. Each event has a revenue forecast that is built on a particular number of tickets sold at various discounts. The Regional Event Team will make its best effort to achieve the event’s revenue forecast.

Both Global and Regional Event Teams are explicitly prohibited from offering OWASP Membership sold separately or bundled with any attendee service or ticket. Complimentary tickets shall be provided to Board Members and OWASP Staff to all OWASP Events. Ticketing systems may not collect charitable gifts.


Venue selection is at the organizers’ discretion but should follow an RFP process.


Vendor selection is at the organizers’ discretion but should follow an RFP process.


All calls for papers, training, and registration must be open and promoted to the public and selected through a non-biased review process. Content will be shared with the community when possible.


Organizers are responsible for ensuring event website content is current and, when requested, must provide administrative access to all event websites to OWASP staff. Organizers will provide content for the registration site no later than 30 days prior to the registration launch date.

Organizers are responsible for the majority of marketing activities promoting the event. The Foundation will provide social media and email support when possible.

Organizer Agreement:

Organizers Shall:

  • Adhere to OWASP code of conduct
  • Submit and adhere to event budget
  • Manage all participant data in accordance with GDPR
  • Provide registration information to
  • Provide discounted and free registrations, not to exceed more than 35% of total registrations

Organizers Shall Not:

  • Sign or enter into contracts on behalf of the Foundation
  • Charge any event-related expenses on their personal credit cards (personal travel expenses to the event excluded)
  • Plan a regional event where its end date is within 30 days of a Global AppSec Event