Governance/OWASP Committees

OWASP Global Committees 2.0 Operational Model

Passed by a vote of the OWASP Board of Directors on December 19, 2018.

I. Introduction

The OWASP Global Committees empower members of the community to help shape OWASP and make the best decisions for the Foundation. The goal of the Global Committees 2.0 plan is to streamline the process for any member of the OWASP community who has an idea to improve the Foundation, to have a vehicle to act upon the idea and successfully implement it.

'''II. High-Level Proposal'''

OWASP’s committees participate in key aspects of our Foundation. This may include Chapters, Projects, Conferences, Governance, and other topics to be determined later. The key difference between the proposed committees and those of OWASP past will be in the empowerment to take action. OWASP believes that Committees should be empowered to vote on change, at any time, that is within the stated scope of the committee. If a committee wishes to change their scope, the committee should add the proposed change to the next BoD meeting for discussion. Once the BoD approves this change, the committee should bring the proposed change to the OWASP Community for feedback.

'''III. Committee Creation'''

At any point in time, a community member may propose a new committee via the OWASP mailing lists including other mediums such as slack to ensure greater community coverage,stating their rationale and the desired scope for creating a new committee. After this discussion, with majority support from those who responded on these communications and no major arguments against, the OWASP Board of Directors (BoD) will determine whether there is a conflict of interest with any existing committees and whether the formation of that committee and its desired scope is in line with OWASP’s goals.

If no conflict is determined to exist, the Board, at the next BoD meeting will invite community discussion and vote on its formation. Once a majority vote is established, the BoD will initiate a public call for OWASP members interested in committee membership, via the OWASP Community mailing list, with a four-week time window. At this point, the committee will be formed once it receives at least five OWASP member applicants. These OWASP member applicants will be granted committee membership on successful completion of the proposed committee.

A committee should have also a board with at least 5 members, each one having a specific role. Common roles:

·       Organization: Secretary, PR/Marketing, Web, Membership, Finance & Meetings/Conferences, although specific roles can be created at the discretion of the committee

'''IV. Committee Scope'''

The scope of an OWASP committee is established during the initial proposal for the new committee. This scope should be submitted as a draft to the BoD for discussion purposes prior to the committee formation. The Board will assess if this scope is in line with OWASP’s goals and may seek alterations where necessary.

Conflict

In the event that a community or staff member believes that a committee has taken actions outside of its scope, has abused the committee’s scope, or would like to adjust the scope of a committee, then they may state their rationale and desired response via the OWASP Leaders List. After a community discussion, the community or staff member will request that the OWASP Board of Directors establish the validity of the scope disagreement or proposed scope amendment. A majority vote of the Board is required to modify the scope of any OWASP committee.

If there is a conflict within the committee, the conflict should be brought to the OWASP Compliance Committee who will rule on the conflict based on available evidence and where necessary interviews with the relevant personnel.

Committee members are required to report any infractions of OWASP Foundation policies and procedures to the OWASP Board of Directors.

V. Committee Membership

Any OWASP community member is welcome to participate in and provide feedback to an OWASP committee. Committee membership (voting privileges and leadership responsibilities), however, is limited to those who meet the following criteria:

1) Individual must be an OWASP member in good standing; or

2) Individual must have the written endorsement of either a current committee member or an OWASP Board member; or

3) Individual must demonstrate a history of at least three months participation in the committee for which they are applying for membership.

Any person who satisfies the above criteria may, by way of the public committee communication medium outlined in section VIII below, request to be granted membership to the committee. The committee will then conduct a vote on the applicant, via the same medium, and if the majority of members agree, they will be granted committee membership as well.

Active committees are responsible for conducting a poll of members, at least every six months, by the committee staff liaison, asking each if they would like to continue to serve on the committee. Committee members who respond “No” or who do not respond at all during a two-week time window will be removed from membership by the committee.

A member of a committee leadership team may have their membership removed for reasons of inactivity over a period of at least six months or misconduct as determined by a unanimous vote of the remaining members of the committee. If the committee feels that they do not have the required capability to deal with this misconduct, they may submit the case and all relevant documentation to the compliance committee for review.

Lack of Participation

If at any point in time, for any reason, committee membership is less than five people, then the committee leadership must initiate a public call for OWASP members interested in committee membership with a four-week time window. All qualified applicants must be accepted to join the committee as committee members. If there are not at least five committee members at the end of the four-week time window, the committee will lose its authoritative function, and will function only as in an advisory capacity. All related decision-making will automatically be re-assumed by the OWASP Board of Directors. Committee members are required to report any infractions of OWASP Foundation policies and procedures to the OWASP Board of Directors.

'''VI. OWASP Staff Participation'''

The OWASP Foundation will provide a designated staff member to support each active committee from an operational perspective. The staff member may participate in the committee as a community member, but will not serve as a voting member of the leadership team due to a potential conflict of interest. Participating staff are required to report any infractions of OWASP Foundation policies and procedures, by the committee, to the OWASP Board of Directors. The committee leadership team will be invited to provide feedback for the assessment of their assigned staff member by being invited to provide an annual evaluation of their committee related activities, capability and professionalism.

'''VII. OWASP Board Participation'''

Members of the OWASP Board of Directors are allowed to become committee members, but participate as normal committee members with no special powers either expressed or implied. While Board member participation in committees is encouraged, Board members must refrain from taking an active leadership role for the committee.

'''VIII. Committee Communication'''

All committees are required to hold their discussions in the open in order to enable participation by any member of the community. All committee discussions (written and verbal) must be archived in a publicly accessible location so that the community may observe committee actions at any point in time. Use of the OWASP Force Portal for Committees is strongly encouraged as it provides logical conversation grouping, an archive of conversations, document attachment capability, participation metrics, and more, but other technologies may be used as long as it is agreed upon by all committee members and all relevant information is linked from the respective Committee wiki page. Committees that wish to solicit assistance from outside participants for committee activities are strongly encouraged to do so using the OWASP Initiatives framework.

Committees are required to notify the OWASP Community, via OWASP mailing lists including other mediums such as slack to ensure greater community coverage, in writing of any official votes and provide a written summary of actions taken on a minimum of a monthly basis or as necessary. Committee decisions are considered official once a record has been published to the community. The BoD is responsible for reviewing committee actions and ensuring that the committee is acting within its predefined scope and in accordance with the OWASP Foundation Bylaws as well as all other applicable policies and procedures.

'''IX. Committee Organization'''

All committees are responsible for being self-organized. This includes determining their own leadership structure, coordinating committee meeting schedules at least monthly, taking and publishing minutes of committee meetings, assembling monthly action summaries, culling inactive committee members, and ensuring compliance within the defined scope and various OWASP policies and procedures.

X. Committee Removal

If at any point in time an OWASP Leader believes that a committee is no longer necessary or that the scope of one committee conflicts with the scope of another, they may bring up this concern via the OWASP Leaders List. After a community discussion, the OWASP BoD will hold a vote on the committee removal. A ⅔ majority vote of the Board is required for the removal of a committee.

'''XI. Empowerment'''

As the goal of this proposal is to empower the community to make decisions for the betterment of the Foundation, no Board vote is necessary for any initiative,  provided that the following is true:

1) The action is within the predetermined scope of the committee;

2) The action does not directly affect other OWASP functions such as projects

3) If money is required, the action follows the guidelines set forth in the Community Engagement Funding document;

4) No contracts are being executed by the committee on behalf of the OWASP Foundation; and

5) The action is in line with the OWASP Foundation Code of Ethics and is pursuant to OWASP’s mission.

If any of these is not true, then the OWASP BoD should be consulted for approval prior to the committee’s execution.

'''XII. Accountability'''

Because the committee is acting on behalf of the OWASP Foundation, but as a separate entity from the OWASP BoD, the committee members are expected to conduct their actions with regard to the OWASP Mission, the OWASP Code of Ethics, and the BoD’s annual strategic goals. The committee and it’s members will ultimately be held accountable for any actions that are not in line with these key principles or that are outside of the predetermined scope of the committee. Alleged violations should be brought to the attention of the OWASP Leaders List along with all substantiating evidence. After a community discussion, the Board may veto the actions of the committee by a majority vote of the BoD.

'''XIII. Conclusion'''

We believe that empowering our volunteers to take action is core to OWASP’s mission. With the above committee structure, we believe that the right pieces will be in place to provide the Foundation with effective governance as well as checks and balances to ensure unbiased operation. We hope that you will agree that executing on this is in the best interests of the future of the OWASP Foundation.