Transparency Policy


Policy Status

WORKING DRAFT - this is a working draft being discussed on the Governance List. When completed, this will be presented to the Board of Directors for adoption. Once accepted, this notice will be updated to reflect that the policy is binding on members.

"O" is for Open: An introduction

The "O" in OWASP is for "Open" - Section 1.03 of the OWASP Bylaws defines the value "Open" to mean:

"Everything at OWASP is radically transparent from our finances to our code."

This raises the question, what does "radically transparent" mean? Is there anything that can't be disclosed to the membership and/or public?

This policy defines what is not allowed to be disclosed, either because of legal, ethical, or privacy obligations.

Radical Transparency

OWASP is committed to making its governance, processes, and finances transparent, so that any outside observer can determine how decisions were considered and ultimately agreed upon. When and where possible, OWASP must provide transparency.

There are, however, certain areas where transparency cannot be provided, either because it violates a law, is unethical, or goes against the expectation of privacy. The rule of thumb for transparency is to default all information as public, or if it must be restricted, the mandate is to make it as widely available as possible.

Levels of information restriction:

  1. Public (most open)
  2. All OWASP members, staff, Board of Directors
  3. Some members and/or staff, Board of Directors
  4. Executive Director, Compliance Officer, Board of Directors
  5. Executive Director, Board of Directors
  6. Board of Directors (most restricted)

Exclusions from Radical Transparency

In this section, an attempt is made to enumerate situations where OWASP cannot provide transparency. Note that this list is not exhaustive, and future situations where there is a question about transparency should use this as a guide.

While OWASP excludes the following information from public disclosure, OWASP will disclose information when compelled by a legally-binding court order.

Exclusion: Staff records as maintained for Human Resources purposes
Notes: Restricted to just staff and BoD members with a legitimate need to access the records. Must never be disclosed unless permission is given from the staff member that the record pertains to.

Exclusion: Information pertaining to legal action, or pending legal action
Notes: Restricted to just staff and BoD members with a legitimate need to access information. Must never be disclosed publicly either before, during, or after the legal action unless permitted by legal counsel.

Exclusion: Information pertaining to a whistleblower complaint, ethics complaint, or similar, including the allegation, the investigation, and the outcome.
Notes: Restricted to just the Compliance officer, BoD members, Executive Director, and select staff when required. Must never be disclosed publicly either before, during, or after the processing of the complaint via the Whistleblower policy. Should the complaint be made public, then the Board of Directors may choose which information, if any, to release based on the situation and the best interest of the organization.

Exclusion: Information covered under a Non-Disclosure Agreement (NDA). OWASP should strive to avoid NDAs, but when an NDA is required, that information must be protected per the terms of the NDA. The Board of Directors must always be a party to the NDA, at a minimum.
Notes: Restricted to just the parties covered by the NDA.

Exclusion: Sensitive data, such as tax ID numbers of individuals, credit card numbers, home addresses, phone numbers, and similar must not be disclosed except as authorized by the owner of the data.
Notes: Restricted to just staff and/or BoD members with a legitimate need to access the data.

Exclusion: Contents of individual OWASP email accounts.
Notes: Restricted to the person assigned to the OWASP email account.

Policy Violations

All members must comply with this policy, or will be subject to disciplinary action, including the possibility of suspension or revocation of membership, exclusion from OWASP events and email lists, or other such action as determined.