Transparency Policy

=Transparency Policy=

Policy Status
"WORKING DRAFT - this is a working draft being discussed on the [Governance List]. When completed, this will be presented to the [Board of Directors] for adoption. Once accepted, this notice will be updated to reflect the the policy is binding on members."

"O" is for Open: An introduction
The "O" in OWASP is for "Open" - Section 1.03 of the [OWASP Bylaws] defines the value "Open" to mean:

"'Everything at OWASP is radically transparent from our finances to our code.'"

This raises the question, what does "radically transparent" mean? Is there anything that can't be disclosed to the membership and/or public?

This policy defines what is not allowed to be disclosed, either because of legal, ethical, or privacy obligations.

Radical Transparency
OWASP is committed to making its governance, processes, and finances transparent, so that any outside observer can determine how decisions were considered and ultimately agreed upon. When and where possible, OWASP must provide transparency.

There are, however, certain areas where transparency cannot be provided, either because it violates a law, is unethical, or goes against the expectation of privacy. The rule of thumb for transparency is to default all information as public, or if it must be restricted, the mandate is to make it as widely available as possible.

Levels of information restriction:
 * 1) Public (most open)
 * 2) All OWASP members, staff, Board of Directors
 * 3) Some members and/or staff, Board of Directors
 * 4) Executive Director, Compliance Officer, Board of Directors
 * 5) Executive Director, Board of Directors
 * 6) Board of Directors (most restricted)

Exclusions from Radical Transparency
In this section, an attempt is made to enumerate situations where OWASP cannot provide transparency. Note that this list is not exhaustive, and future situations where there is a question about transparency should use this as a guide.

Policy Violations
All members must comply with this policy, or will be subject to [disciplinary action], including suspension or revocation of membership, and/or exclusion from OWASP events, email lists, or other such action as determined.