Chapter Handbook/Chapter 5: Governance
On your chapter page, ensure you clearly identify the current leadership of the chapter or the members of the chapter board, including their phone numbers and/or email addresses. It is highly recommended to have at least two (2) chapter leaders, but a group of leaders or a chapter board is even better.
Additionally, post information on how people can get involved with the chapter planning, leadership, or decisions. What are your plans for the upcoming year? Are you looking for help with something in particular? When are your elections held?
Chapter leaders serve as the main point of contact for the local chapter, and are responsible for ensuring that the local chapter fulfills its requirements, including planning at least two meetings per year.
- An Active Chapter Leader is a leader who is responsive to all requests within a reasonable amount of time, generally within 5-7 business days. Active chapter leaders must have their name and contact information clearly available on the Chapter wiki page.
- Preferably, a chapter should have as many organizers as possible. A single chapter leader has proven to be an anti-pattern for successful chapters. Running a successful chapter requires concerted effort all year long, and these duties should be split between whoever is willing to volunteer to take the load. High performing chapters often have three or more co-organizers that meet regularly to plan.
- Chapter Leader (or Coordinator): The only governance requirement for every chapter is to nominate a Chapter Leader, who is the central point of contact for the chapter and responsible to the OWASP Board. In case of dispute over the leader role, we suggest rotation over the 24-month term. If there are multiple candidates and no rotation agreement, elections should be held for a 24-month term (see elections below).
- Board: Chapters are free to decide on the number of role holders, their titles, how they are selected and for how long. We recommend that a chapter also have a board with at least 3 members, each one having a specific role. Common roles:
- Organization: Secretary, PR/Marketing, Web, Membership, Finance & Meetings/Conferences
- Content: Education, Industry, Projects
- In case there are multiple candidates for a specific role, and no restructuring, rotation or teaming works, elections for the role should be held for a 24-month term.
In the course of time, a leader may want to move on and leave his/her role. While this chapter provides guidelines on the technical process to follow, we have found in the past that the actual challenge is to find the new leader, especially in chapters that lack a board. We strongly suggest that a chapter leader who wants to stop try to find a successor among the active members of the chapter. Such a process has the best chance of ensuring the continuous success of the chapter.
In any case, please let us know of your wish to leave the job and let us help you in finding a successor.
It is always advisable to avoid elections. Running a chapter is a hard, volunteer job and sharing the load is always advisable. Since the chapter role structure is flexible, a proper chapter structure may help to avoid elections. However, if there is a lack of agreement between chapter members on structure, roles or any other issues, an election for a role or a poll on any other subject may be required:
- A poll on a subject will be held if 10% of the chapter members request it.
- Elections for a role will be held if there are multiple candidates for a role at the end of the term for the role.
How should elections be held?
OWASP does not enforce any procedure for elections and polls. An agreement on procedure between candidates or suggestion makers is sufficient. If such an agreement is not reached, the following procedure should be followed:
- The subject and options for the vote, alongside the names of the people requiring the vote, are submitted to the OWASP Foundation.
- The OWASP Foundation will request confirmation by email from the people requiring the vote.
- Once confirmed, the OWASP Foundation will send the ballot to the chapter members setting a deadline.
- Once results are in, the OWASP Foundation will notify chapter members of the results.
The election procedure heavily involves the OWASP Foundation, as we feel that if the chapter cannot reach an agreement even on how to hold elections, central intervention is required.
While there is no requirement for Chapters to have their own bylaws or recommended template, if you do create bylaws, you should incorporate the following information as it applies in your country or region:
- The Open Web Application Security Project (OWASP) is a not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
- Reference to the OWASP Foundation Bylaws, which is the primary governing document for OWASP, as well as mandatory rules from this Handbook.
Chapter by-laws that currently exist have been posted in one central place on the wiki: https://www.owasp.org/index.php/Local_Chapter_ByLaws
If your chapter has by-laws already or adopts by-laws in the future, please post them to the wiki on the Local Chapter ByLaws page, or submit them through the contact us form.
While local chapters operate, for the most part, independently from the OWASP Foundation, they are not stand-alone legal entities. Local OWASP Chapters are essentially small local “arms” or “branches” of the OWASP Foundation and must abide by any legal and financial duties or responsibilities imposed on the OWASP Foundation. Furthermore, local chapters and chapter leaders are governed by the OWASP Foundation through the Executive Director and the Global OWASP Board.
When there is a problem at the local level, at what point does the global organization step in? Chapters are encouraged to handle disputes locally, within their own governance structures. However, what should a chapter leader (or other community member) do if there appears to be a violation of OWASP principles or ethics? Or what if someone feels that the chapter leader him or herself is not following the rules or guidelines outlined in this handbook?
If you feel that a chapter leader is not acting in accordance with the chapter handbook, please follow this hierarchy in escalating your concern:
- Bring your concern to the attention of the chapter leader or chapter board. If possible, make an attempt to handle the issue locally.
- If you are unable to resolve the issue at the local level, please contact the Community Manager (through the contact us form).
- If the Community Manager is not able to handle your concern or you would like to challenge the feedback/decision of the Community Manager, the concern can be raised with the Global OWASP Board.
- If you feel a Code of Ethics violation has occurred, you may review the Whistleblower Policy for instructions on how to file a complaint.