Rules of Procedure

Mailing Lists

Adopted by the Board on 20-Oct-2020


The OWASP Foundation maintains Mailing Lists for its community to, among other things, manage Projects, share information about Chapters, collaborate on OWASP activities, communicate with subgroups like the Board of Directors, and hold discussions amongst Leaders. Mailing lists are the preferred collaboration channel for OWASP activities.

While outlined in further detail below, the key points of using Mailing Lists are:

  • Participation and posting on Mailing Lists must follow the Code of Conduct
  • The default setting for Mailing Lists is unmoderated and public
  • All domain lists are publicly viewable by everyone on the web
  • Nearly all lists with domain lists are open for membership. Notable exceptions are [email protected] and [email protected]
  • [email protected] and [email protected] membership is curated and posting is limited to members

Social Media like Twitter and Facebook, along with messaging/collaboration tools like Slack, are supplemental, not replacement, channels for email communications between the community and the OWASP Board of Directors, Chapters, Projects, Committees, teams, and Members.

Creating and Removing Lists

Staff selected by the Executive Director shall administer OWASP Mailing Lists. Upon request, Leaders can be assigned as Group Manager(s). Each Chapter, Project, and Committee shall have a list created for the group no later than ten days following the official formation of the group as defined by its launch on the OWASP Foundation website. At their sole discretion with oversight from the Executive Director, Mailing List Administrators can create additional Mailing Lists upon request.

All Mailing Lists created in the domain shall have the default settings as defined later in this policy. Leaders of the group, as defined in the file of the group, shall be allowed to be Group Managers of the list. Deviations from these settings require approval by the Executive Director.

Mailing Lists will be considered abandoned if there are no posts within the past 18 months. From time to time, staff will audit Mailing List use, and Group Managers of abandoned Mailing Lists will be requested to justify continued use of the Mailing List. Following a 30-day waiting period, either an approval by Group Managers to close or no response by any Group Manager will result in the closing of the Mailing List to future postings. At its sole discretion, the OWASP Foundation may choose to entirely remove or simply close and archive abandoned Mailing Lists.


Participating in Mailing Lists is a privilege which can be revoked at any time and without notice. Generally, anyone can join almost every Mailing List in the domain, with two exceptions: (1) the global-board, and (2) leaders lists.

The community can locate all OWASP Mailing Lists (groups) at There visitors can view historical conversations on public lists, search lists and content, where applicable join a list, and control their email settings. Google makes a best effort to deliver email from Mailing Lists, but users may need to configure their inbox and spam filter/folder to ensure expected timely delivery of messages. The OWASP Foundation is not responsible for delivery or delays associated with content from Mailing Lists.

Membership can be requested, and either the Group Owner(s) or Group Manager(s) shall grant membership to a Mailing List within seven business days of the request, provided the requestor meets the membership requirements, if any.

Users of OWASP Mailing Lists shall use their real-life identity; anonymous unverified identities are prohibited. Upon request, Members of Mailing Lists shall provide, within seven days of said request, proof of identity to Group Owner(s). Failure to provide adequate credentials for proof of identity will result in the Member being removed then banned from all OWASP Mailing Lists, and at the sole discretion of the Group Owner(s), all content posted by the Member being permanently removed.

Egregious single or repeated violations of the Code of Conduct shall result in a member being suspended or banned from Mailing Lists. Suspension or banning members is at the sole decision of the Executive Director.

With regard to the two Controlled lists, following are their additional membership requirements:

Global-board. Membership of this Mailing List is controlled to only include current Board members, recently elected incoming Board Members, the Executive Director, and Chief Financial Officer of the Foundation. While membership is controlled, all content posted to this mail list is public for anyone on the internet to read.

Leaders. Membership of this Mailing List is controlled to active Leaders in the Foundation which includes Project, Chapter, and Committee Leaders as listed in their respective file on the website. Incoming and departing Leaders are expected to voluntarily request membership to the list or personally opt-out of the list. While membership is controlled, all content posted to this mail list is public for anyone on the internet to read.

From time to time, Mailing List membership shall be audited by Group Owner(s), and individuals who do not meet list membership requirements shall be removed from the respective list with no notice and at any time.


Generally, you must be a member of a list to post to an OWASP Mailing List. All use of and behavior on Mailing Lists, and in particular posting, shall conform to the OWASP Foundation Code of Conduct. Posts and other behaviors related to Mailing Lists that violate the Code of Conduct should be reported to the Group Owner(s) and Group Manager(s) for moderation, up to and including removal of the post and any resulting threads, along with banning of the individual who made the post on all OWASP Mailing Lists.


The default setting for Mailing Lists is not moderated. At the sole discretion of Group Owner(s) and subject to oversight by the Executive Director, Mailing Lists can be set to moderated at any time and without notice. Behaviors and posting in violation of the Code of Conduct that are reported to Group Owner(s) are an example of behaviors that shall result in moderation.

When Mailing Lists are set to Moderated, Group Owner(s) will review pending posts on weekdays during normal business hours, meaning posts may be held as pending for as long as 72 hours during normal non-U.S. holiday work weeks. Posts that do not conform to the Code of Conduct will not be approved during periods of Moderation. Where appropriate, Group Owner(s) who reject posts during moderation shall, at the request of the posting member, within seven days provide a written response related to the decision to deny.

Members of Moderated Lists can request Group Owner(s) to remove Moderation every ten days; however, each request does not guarantee a return to normal moderation settings.

Mailing List Default Settings

While circumstances may dictate modifications, all domain Mailing Lists other than those Controlled lists mentioned above shall have the following default settings:

  • Who can see the group: Anyone on the web
  • Who can join the group: Anyone on the web can ask
  • Allow external members: On to allow people outside the organization to request membership.
  • Who can view conversations: Anyone on the web
  • Who can post: Group Members
  • Who can view members: Group Owners
  • Conversation History: On
  • Who can moderate content: Group Managers
  • Who can moderate metadata: Group Managers
  • Who can post as group: Group Managers
  • Message Moderation: No Moderation
  • New Member Restrictions: No posting restrictions for new members
  • Group Email Language: English
  • Who can manage members: Group Managers
  • Who can modify roles: Group Managers

The community is invited to report deviations from the Mailing Lists defaults to Mail List Administrators.


Use of OWASP Mailing Lists is not private and data about you and your behavior is collected and used according to the OWASP Privacy Policy. Your email address may be publicly exposed to visitors and in most cases Mailing Lists are set to public meaning anyone on the internet can view your comments and your identity. This is by design. Certain lists, like those in the domain, are not public but administrators and Group Owner(s) can always read and delete messages from any OWASP Mailing List without notice.

Sole Mailing List Policy

Regardless of the information presented throughout the OWASP website or conveyed by its Leaders, members, staff or Directors, this page, while also being subject to the OWASP Foundation By-Laws and Articles of Incorporation, is the sole and authoritative Mail List policy of the OWASP Foundation, Inc.

Member and Leader Defined

For the purposes of this policy, “member”, unless occurring at the beginning of a sentence, refers to individuals who join a list. “Member” refers to Members of the OWASP Foundation as defined in the Bylaws. Subject to the policies above, generally anyone can become a member of a Mailing List; however, being a member of a list is not the same as being a Member of the OWASP Foundation.