Rules of Procedure

Events Policy

Adopted by the Board on 20-Oct-2020

Classes of Events

OWASP Events are grouped into four classes: (1) Global, (2) Regional, (3) Local, (4) Chapter Meetings. At the discretion of the Executive Director, or their designatee, these classes are generally defined as follows:

  1. Global. Staff-managed events that include training, a conference, and an exhibition hosted over a 4-5 day program. Financially supported by Sponsors and Attendee registration fees. Program Teams are constituted to guide and select the conference program, including keynotes, speakers, and trainers.
  2. Regional. Events managed by an OWASP local event team, which may include one or more chapters, hosted over a 1-5 day program including a conference; they may also include trainings or an exhibition hosted over a 4-5 day program. Supported by Sponsors and Attendee registration fees.
  3. Local. Events managed by an OWASP local chapter that typically only include presentations or a table and are hosted by a coordinating third-party non-profit organization.
  4. Chapter Meetings. OWASP local chapters host regular meetups. These Events are outside the scope of this policy; the rules governing them can be found in Chapter Policies.

General Policies

Event Teams

Events shall be organized, managed, and led by an Event Team. Global Events are organized by a per-event Program Team and are selected through a competitive application process. Regional and Local Events may organize their team at their discretion; however, it is a requirement that Event Team members also be OWASP Members. Leaders of these Teams should strive to involve both longtime and new members of the OWASP Community. Events should be transparent about who is on their Event Team. Members of Event Teams will not be compensated for their volunteer work but shall receive a conference pass for the event organized.


Events offer unique opportunities for potential speakers to share their views with AppSec leaders in the OWASP Community. Where possible organizing teams should source content through a blind review process to ensure the highest integrity and objectivity in its selection. All calls for papers, training, and registration must be open and promoted to the public.

Generally, the Community is more receptive to new talks than to ones presented at previous conferences. Archival of talks following the conference is at the discretion of the Event Team. Content will be shared with the community when possible. OWASP will not incur additional expenses such as live streaming, third-party hosting sites, or video recording in order to make the content available to those who were not in attendance.

Keynote, Speaker and Training Agreements

Presenters at OWASP Events are required to sign and adhere to the terms of the speaker/trainer agreement. An online version can be provided to Regional Event Teams upon request. Failure by presenters to execute this agreement within seven days of the event results in their session being cancelled. While the complete terms are included in the agreement, it should be highlighted that unless provided for in an approved budget with explicit line items, unapproved expenses or travel will not be paid.


Event Teams are responsible for the majority of marketing activities promoting their event. Additionally the Team is responsible for ensuring event website content is current and when requested, must provide administrative access to OWASP staff. Where possible, the Foundation will offer shared services like web hosting and when available should be used by the Event team. Event Team Leaders will provide content for the ticketing/registration site no later than 15 days prior to registration launch date.

The Foundation will provide social media and email support where possible.

Site Selection/Venue

Cities and venues for OWASP Events should be selected through a Request for Proposal (RFP) process. Criteria for selection will include but will not be limited to:

  • Accessibility
  • Local community/security community presence
  • Venue availability
  • Value for attendees


All vendors should be selected through the Request for Proposal (RFP) process. Vendors will be selected based on the value they are able to provide to the Event.


Budgets for all events will be developed based on vendor and venue proposals along with forecasted revenue. Global Event budgets shall be presented to the Board of Directors for its approval no later than 16 months prior to the start of the conference. If the forecasted expenses are greater than $5,000, Regional and Local Events must submit their budget as part of the Event Application Process. Once approved by the Executive Director, or their designatee, the Foundation will be the sole executor of instruments that contractually and financially obligate the OWASP Foundation to execute events.

Budget categories will minimally include:

  • Social Events
  • Meeting Room Rental
  • Trainer Fees
  • Printing & Branding
  • Giveaways/Hard Goods

Finance, Invoicing, and Expenses

Exercising all necessary due diligence and care, Event Teams and their Leaders shall manage the finances of OWASP events. These efforts shall always be evaluated for their transparency and integrity.

All expense reimbursements and payments will be paid in accordance with the expense policy with particular attention to the following:

  • It is the responsibility of those incurring expenses to obtain pre-approval of any unbudgeted expense likely to exceed $2,500 and failure to do so may result in your reimbursement request being denied.
  • When any expense other than airfare is expected to exceed $5,000, an invoice must be requested from the vendor so the Foundation can remit payment directly.
  • Invoices from vendors should have Net 60 terms and the OWASP Foundation will make a best effort to pay within the current Service Level Agreement. Variations from these terms require approval by the Executive Director or their designatee.
  • Invoices received within 30 days of when payment is required cannot be guaranteed to be paid on time.
  • Invoices and expense reimbursements submitted more than 60 days following the event will be denied.


The OWASP Foundation is the exclusive sponsorship agent of all OWASP Events. At the discretion of the Executive Director, the OWASP Foundation may provide services to Event Teams to identify, solicit, contract, invoice, and collect sponsorship revenue. In collaboration with the Foundation, Event Teams can develop a collection of sponsorship opportunities that offer unique value to partners when supporting these events. Event Teams acknowledge that pricing and benefits for their events must be compatible with offerings for Global AppSec events.

From time to time the OWASP Foundation may offer “bundled” sponsorships that may include benefits delivered through Regional Events. Both the OWASP Foundation and Regional Event Teams will make a best effort to always ensure each partner’s satisfaction with their sponsorship.


All ticketing shall be done through OWASP-managed services. Discount code requests shall be provided no later than 15 days prior to the opening of event ticketing. Each event has a revenue forecast that is built on a particular number of tickets sold at various discounts. Event Teams will make their best effort to achieve the event’s revenue forecast.

Notwithstanding the Event Team, the volunteers, speakers, and OWASP staff, Event Teams are discouraged from providing complimentary tickets exceeding 20% of the total expected attendance. Complimentary ticket forecasts should be noted in the Event Budget.

All OWASP Event Teams and Leaders are explicitly prohibited from offering OWASP Membership sold separately or bundled with any attendee service or ticket. Ticketing systems may not collect charitable gifts. Upon request, complimentary tickets for all OWASP Events shall be provided to Board Members and OWASP Staff.

Profit Sharing (internal accounting practices)

Regional and Local Event Teams who comply with the terms of these policies will share 40% of OWASP event net profits. In the case of multiple host chapters, the host chapters will be responsible for determining the division before the event. For events with more than $10,000 of expenses, an Event Profit and Loss statement will be developed by staff and provided to all parties no later than 120 days following the event. Uncollected revenue will not be included in this reconciliation.

Local host chapters may share in Global AppSec event net profits up to 10% based on chapter participation. In the case of multiple host chapters, the host chapters will be responsible for determining the division before the event. Net profit sharing can be achieved by completing the following:

  • Recruiting and supervising local volunteers
  • Successfully marketing the Global AppSec in the local area (to be tracked by discount code)

For each Corporate Sponsorship sold and collected that selects a Regional Event, that event’s profit and loss statement shall be credited per the following schedule:

  • $5,000 for total Event Revenue more than $250,000
  • $2,500 for total Event Revenue more than $100,000 but less than $249,999
  • $1,000 for total Event Revenue up to $99,999

Additionally, any other Sponsor Benefits beyond the standard base Event Sponsorship delivered through a Regional Event shall also increase the Regional Event Teams’ revenue, at the difference of the base Event Sponsorship and list price of those benefits.

Safe and Fun Networking

All OWASP events must be conducted in a manner consistent with the OWASP Mission, Principles and Code of Conduct. To ensure a safe, consistent learning and networking experience, OWASP events shall conform to the Conference & Event Attendee Policy and in particular its Anti-Harassment provisions. Additionally, organizers are required to follow the OWASP Foundation Privacy Policy and ensure that personal information is collected and stored in compliance with local laws and regulations like GDPR.

Event Volunteers

Event Teams are responsible for adequately staffing their event. Oftentimes, in addition to the Event Team, events should source limited volunteers for their event from the Community, but a strong preference shall be given to OWASP Members. Leaders are encouraged to involve both longtime and new members of the OWASP Community. For multi-day events, it is recommended that volunteers commit to working a minimum of two four-hour shifts in exchange for a Conference pass to their volunteering event. No other compensation will be offered to Event Volunteers.

Regional Events

All of the above policies apply to Regional events. Additionally, prior to any public announcements of an event, the Leader must constitute an Event Team, develop a budget, and then apply to the OWASP Foundation for event approval and the non-exclusive limited use of OWASP trademarks in marketing the event. Event Teams are not authorized to host an event without OWASP Foundation approval.

Application Process

General Process and Highlights

  • Event Teams must apply no less than six months prior to the start of the Event.
  • An Event Budget must be provided as part of the application process
  • Sponsorship terms and offers shall be provided as part of the application process
  • No more than 30 days following an application, the Executive Director or their designatee shall approve or deny an Event Application.
  • If selected, the Event Team must acknowledge receipt of and their agreement with these policies
  • OWASP Foundation staff and local volunteers collaborate to host a successful event
  • Contracts along with financial obligations and revenue must be managed by the OWASP Foundation

Applications to host Regional Events will be evaluated on the following:

  • Previous experience organizing a Regional Event
  • Historical experiences cooperating with Foundation staff
  • Budget forecasts (balance, not profitability)
  • Community outreach potential
  • Date proximity to Global Events
  • Completeness of the application


Regional Event Teams are solely responsible for managing their respective Event. Some of those responsibilities include:

  • All event management logistics, budget management, website content, promotional items, site selection, catering, and venue
  • Manage facility space allocation and programming layout
  • Management of other meetings and receptions
  • Graphical design of conference including signage and print materials
  • All other Conference-related activities not explicitly delegated and then accepted by OWASP Staff.
  • Ensure events are conducted in a manner consistent with the OWASP Mission, Principles and Code of Conduct
  • Comply with the OWASP Foundation Privacy Policy and ensure that personal information is collected and stored in compliance with local laws and regulations like GDPR.

OWASP Foundation Staff is responsible for the following:

  • Signatory of Contracts and Agreements
  • Securing necessary insurance given parameters provided by the Regional Event Team
  • Solicitation and securing event sponsors
  • Processing of payments
  • Accounting of profit and loss statement for event

Local Events

All of the above policies apply to Local events. Separately, to host a Local Event or a Local Event Partnership, a local OWASP Champion must execute a Local Event Memo of Understanding with the Foundation.


Local Event Teams are responsible for managing all aspects of their Event. The OWASP Champion must be a Member of the OWASP Foundation and is solely responsible for ensuring all parties’ compliance with the terms of the Local Event Partnership.