Rules of Procedure

Leaders (Draft WIP)


Members are invited to provide feedback on this draft policy until September 09, 2020. The Policy Review Team will respond to comments mailed from your owasp.org email address to this address.


Section 1: Core Principles

Leaders of Chapters, Projects, Committees, and other teams are the outward face of the organization. While it is a great privilege to serve as a leader in the OWASP Community, it also comes with obligations and responsibilities. Leaders serve at the pleasure of the OWASP Board and the larger AppSec Community.

Leaders shall:

  • Conduct themselves, their group, and their group meetings in accordance with the Code of Ethics
  • Provide sufficient notice of upcoming meetings, deadlines, and policy changes to the community
  • Where necessary, openly share workplans and schedules with group members
  • Document proceedings of the group on the OWASP Foundation supplied Mail List
  • Use good faith efforts to be inclusive in their group’s work items
  • Follow these and other policies of the OWASP Foundation
  • Protect participant data and ensure GDPR Compliance in proceedings
  • Annually sign a Leaders Agreement that includes these Core Principles

Leaders shall not:

  • Sign agreements on behalf of the OWASP Foundation
  • Injure or impugn the reputation of the Foundation, colleagues, staff, or Directors on social media
  • Collect or accept money on behalf of the OWASP Foundation for any purpose
  • Authorize expenses that are in violation of OWASP Foundation policy

Section 2: Governance

Oversight

Chapters, Projects and groups are overseen on an operational basis by the Foundation Staff and, ultimately, the OWASP Board of Directors. If the Foundation Staff or Board of Directors determines that a Leader has not complied with these rules, their status as a Leader may be revoked. Additionally, OWASP administrative access (including the leader’s owasp.org email address) may be immediately revoked.

Chapters, Projects and groups are not legal entities and are organized under the authority of the OWASP Foundation. Because they are not legal entities, Leaders or members of Chapters, Projects, or groups cannot sign contracts, hold independent insurance, or transact funds independently of the OWASP Foundation. Groups operate with a great deal of freedom; however, groups must abide by the Code of Conduct, Foundation bylaws, and the policies in these Rules of Procedure.

Leadership

Leaders serve as the main point of contact for Chapters, Projects, and groups and are responsible for ensuring the group complies with OWASP policies while fulfilling its mission and obligations. Leaders shall:

  • Publicly list their owasp.org contact information on the OWASP website.
  • Consistently maintain OWASP website information.
  • Be responsive to all requests generally within 5-7 business days.
  • Commit to serve for a minimum term of 24 months.
  • Administer fair and open elections as often as once every 24 months for Leadership roles in their group.
  • Encourage consensus in decision-making and when not possible administer voting among OWASP Members.

Consensus Driven

The Foundation strives to operate in a consensus-driven decision-making environment. Groups are encouraged to negotiate common ground with regard to decisions and policy. However, at times it may be necessary to vote on decisions. Only OWASP Members have voting rights, and all matters will be decided by simple majority. Due process is expected, and stakeholders should be given sufficient notice of upcoming decisions which might require a formal vote.

Disputes

Leaders are required to govern their group in accordance with OWASP Foundation policies. When there are violations, follow this hierarchy when escalating concerns:

  1. Bring your concern to the attention of your group’s Leaders or Leadership team.
  2. If you are unable to resolve the concern at the local level, contact staff through the Contact form.
  3. If staff is unable to handle your concern or you would like to challenge their feedback/decision, the concern can be raised with the OWASP Board of Directors.

If you feel a Code of Ethics violation has occurred, you may review the Whistleblower Policy for instructions on how to file a complaint.

Section 3: Administration

OWASP.org Email Accounts

Leaders will be provided an owasp.org email account and shall use this address for all OWASP related matters. The email addresses of Leaders shall be listed on the OWASP website. By using the OWASP email address, Leaders ensure vendor neutrality, protect their own privacy, and allow for identity portability within the OWASP community.

Website

Leaders, along with support from staff, shall maintain their groups' web page on owasp.org. The OWASP website shall be the primary authoritative information source for OWASP Projects and Chapters. Other services such as LinkedIn, Facebook, Twitter, Ning, etc. may be used but are additive, not a replacement for the OWASP website. A group's webpage shall minimally include:

  • Group leadership with contact information
  • Link to the group’s Mailing List (Google Group)
  • For Chapters, its Meetup Page

The OWASP Foundation uses GitHub to host group pages and content. Please use the Contact Us form if you need assistance with access to the OWASP GitHub repo.

Mailing Lists

OWASP Mailing Lists (Google Groups) shall be the primary and archival communication channel of OWASP group activities. Mailing Lists are discoverable, have open membership, and have no posting restrictions; however, all participants shall follow the OWASP Code of Conduct. Violations of the Code of Conduct shall not be tolerated and will result in disciplinary action, with consequences up to and including expulsion from the Mailing List and suspension of OWASP Membership. Certain mailing lists for staff operations shall be non-public.

Social Media

All social media channels used by OWASP groups must abide by the OWASP Principles and Code of Ethics. Any person who posts or moderates OWASP branded social media must execute and abide by the OWASP Social Media Agreement.

Social Media accounts associated with OWASP Projects, Chapters, or groups are controlled by the OWASP Foundation. While the Leader, or in rare cases a member, may create an account and manage its day-to-day operations, the account's credentials, including passwords and recovery email addresses, must be transferred when there is a change of leadership.

Group members shall not be required to sign up for any social media account to get access to meeting notices or other group information. Should a group choose to terminate its use of a platform, it should close the account and alert the Foundation using the Contact Us form. Abandoned social media accounts are those that have not had a post for over six months, and control of these accounts may be requested by the Foundation for termination.

Domain Names

Leaders can request the OWASP Foundation register a domain name for their Chapter, Project, or group. While discouraged, Leaders may register a domain name for their Chapter, Project, or group. Domain names must be transferred when there is a change of leadership for the group. In either case, custom domain names shall point to the corresponding page on the Foundation website for the group, and if maintained by a Leader, its use shall be registered with the Foundation.

Section 4: Meetings

Regular Meetings

Leaders shall host group meetings no less than four times a year. Chapter Meetings must be in-person. OWASP meetings are free and open for anyone to attend, regardless of whether the attendee is a member of the OWASP Foundation. All channels of communication must be free and open, not requiring a paid subscription to consume. This includes, but is not limited to, the OWASP Mailing Lists (Google Groups), Meetup for Chapter Meetings, Slack, and social media platforms such as Twitter and Facebook.

Meeting Notice

Leaders shall post notice of meetings no less than two weeks prior to a meeting. The minimum acceptable channels for this posting are the group's main webpage on owasp.org and the OWASP Mailing List (Google Groups); in the case of a Chapter, the OWASP Mailing List can be replaced with an OWASP Meetup account.

Member Privacy

The privacy of OWASP Members and meeting attendees must be protected at all times. Leaders shall not disclose names, email addresses, or other identifying information about OWASP Members or meeting attendees. Only aggregate statistics may be referenced. At the sole discretion of the attendee, they may voluntarily share their own contact information with third parties at meetings, such as for a Chapter Meeting raffle.

Vendor Neutrality

Proceedings of the OWASP Foundation including, but not limited to, Projects, Chapters, Events, and our website shall always maintain vendor neutrality (act independently). Leaders shall ensure groups maintain this non-commercial principle in our work.

Section 5: Finance & Expenses

From time to time in the course of a group's activities, leaders may incur expenses which may be reimbursable by the OWASP Foundation. Generally the Foundation will reimburse leaders for fair and reasonable expenses. Prior to incurring expenses, Leaders must review the Expense Policy for complete details.

Guiding Principles

  • Participation in OWASP activities, except Conferences and Trainings, is free and at no cost.
  • Leaders shall not accept finances/funds into any bank account other than the OWASP Foundation's.
  • Group finances and expenses shall be managed in a transparent fashion.
  • Donations may only be processed via the OWASP Foundation Donation Form.
  • Certain donations can be restricted or may be listed as supporting the group.

Donations

Leaders are encouraged to have supporters visit their respective Chapter or Project page and then click the DONATE button to connect gifts to their group. At the time of the donation, the donor may elect to attribute their gift to the referring OWASP website page as indicated by its title.

Recognizing Supporters. Leaders are responsible for recognizing Supporters of their group. Recognition for monetary donations is outlined in the Donation Policy and should be kept current and updated as frequently as possible.

Direct Support. Supporters may elect to pay directly for group needs like signage, food, venue, etc. In these cases, the respective transaction is not a gift to the OWASP Foundation nor does it need to be tracked by Leaders.

Charging for Events

OWASP does not charge people to attend chapter, group, or project meetings. Conferences and Training events may have a registration fee.