OWASP Committees 2.0 Operational Model
Passed by a vote of the OWASP Board of Directors on July 16, 2014.
I. Introduction
There is a disconnect amongst OWASP Leadership in terms of determining who is empowered to make decisions for our organization. It is our belief that the Board has expressed the desire to empower our leaders, but has, at times, questioned the decisions made. The goal of the plan which follows is to empower all OWASP leaders who have an idea that merits action with the ability to act.
II. High-Level Proposal
OWASP will once again reinstate a committee structure for participation in key aspects of our organization. This may include Chapters, Projects, Conferences, Governance, and other topics to be determined later. The key difference between the proposed committees and those of OWASP past will be in the empowerment to take action. OWASP Committees may, at any time, conduct a vote to enact change within the stated scope of the committee without prior approval from the Board.
III. Committee Creation
At any point in time, a community member may propose a new committee via the OWASP Leaders List stating their rationale and desired scope for creating a new committee. After a community discussion, with perceived majority support and no major arguments against, the OWASP Board of Directors will establish whether there is a conflict of interest with any existing committees and whether the formation of that committee is in line with with OWASP goals. If no conflict is determined to exist, the Board will initiate a public call for OWASP members interested in committee membership, via the OWASP Community mailing list, with a seven day time window. So long as the committee receives at least five OWASP members applicants, the Board will vote on the committee creation. A majority vote of support from the Board is sufficient for establishment of a new committee with all OWASP member applicants being granted committee membership.
IV. Committee Scope
The scope of an OWASP committee is established during the initial proposal for the new committee. In the event that a community member believes that a committee has taken actions outside of it’s scope or would like to adjust the scope of a committee, then they may state their rationale and desired response via the OWASP Leaders List. After a community discussion, the OWASP Board of Directors will establish the validity of any scope disagreement or proposed scope amendment. A majority vote of the Board of Directors is required to modify the scope of any OWASP committee.
V. Committee Membership
Any community member is welcome to participate in and provide feedback to an OWASP committee. Committee membership (voting privileges and leadership responsibilities), however, is limited to those who meet the following criteria:
1) Individual must be an OWASP member in good standing. 2) Individual must have the written endorsement of either a current committee member or an OWASP Board member. 3) Individual must demonstrate a history of at least three months participation in the committee for which they are applying for membership.
Any person who satisfies the above criteria may, by way of the public committee communication medium outlined in section VIII below, request to be granted membership to the committee. The committee will then conduct a vote on the applicant, via the same medium, and if the majority of members agree, they will be granted committee membership as well.
Active committees are responsible for conducting a poll of members, at least every six months, asking each if they would like to continue to serve on the committee. Committee members who respond “No” or who do not respond at all during a seven day time window will be removed from membership.
A member of a committee leadership team may have their membership removed for reasons of inactivity over a period of at least six months or misconduct by a unanimous vote of the remaining members of the committee.
If at any point in time, for any reason, committee membership is less than five people, then the committee leadership must initiate a public call for OWASP members interested in committee membership with a seven day time window. All qualified applicants must be accepted to join the committee as committee members. If there are not at least five committee members at the end of the seven day window, the committee will automatically be removed due to a lack of participating interest with that committee’s functions being reassumed by the OWASP Board of Directors.
Committee members are required to report any infractions of OWASP Foundation policies and procedures to the OWASP Board of Directors.
VI. OWASP Staff Participation
The OWASP Foundation will provide a designated staff member to support each active committee from an operational perspective. The staff member may participate in the committee as a community member, but will not serve as a voting member of the leadership team due to a potential conflict of interest. Participating staff are required to report any infractions of OWASP Foundation policies and procedures, by the committee, to the OWASP Board of Directors. The committee leadership team will be invited to provide feedback for the assessment of their assigned staff member by being invited to provide an annual evaluation of their committee related activities, capability and professionalism.
VII. OWASP Board Participation
Members of the OWASP Board of Directors are allowed to become committee members, but participate as normal committee members with no special powers either expressed or implied. While Board member participation in committees is encouraged, Board members must refrain from taking an active leadership role for the committee.
VIII. Committee Communication
All committees are required to hold their discussions in the open in order to enable participation by any member of the community. All official committee discussions (written and verbal) must be archived in a publicly accessible location so that the community may observe committee actions at any point in time. Use of the OWASP Force Portal for Committees is strongly encouraged as it provides logical conversation grouping, an archive of conversations, document attachment capability, participation metrics, and more, but other technologies may be used as long as it is agreed upon by all committee members and all relevant information is linked from the respective Committee wiki page. Committees that wish to solicit assistance from outside participants for committee activities are strongly encouraged to do so using the OWASP Initiatives framework.
Committees are required to notify the OWASP Community, via the OWASP Leaders List, in writing of any official votes and provide a written summary of actions taken on a minimum of a monthly basis. Committee decisions are considered official once a record has been published to the community. The Board is responsible for reviewing committee actions and ensuring that the committee is acting within it’s pre-defined scope and in accordance with the OWASP Foundation Bylaws as well as all other applicable policies and procedures.
IX. Committee Organization
All committees are responsible for being self-organized. The includes determining their own leadership structure, coordinating committee meeting schedules at least monthly, taking and publishing notes of committee meetings, assembling monthly action summaries, culling inactive committee members, and ensuring compliance within the defined scope and various OWASP policies and procedures.
X. Committee Removal
If at any point in time an OWASP Leader believes that a committee is no longer necessary or that the scope of one committee conflicts with the scope of another, they may bring up this concern via the OWASP Leaders List. After a community discussion, the OWASP Board of Directors will hold a vote on the committee removal. A ⅔ majority vote of the Board is required for the removal of a committee.
XI. Empowerment
As the goal of this proposal is the empower our leaders to be able to take action on behalf of the organization, no Board vote is necessary for any initiative of the committee provided that the following is true:
1) The action is within the stated scope of the committee.
2) If money is required, the action follows the guidelines set forth in the Community Engagement Funding document.
3) No contracts are being executed by the committee on behalf of the OWASP Foundation.
4) The action is in line with the OWASP Foundation Code of Ethics and is pursuant to OWASP’s mission.
If any of these is not true, then the OWASP Board of Directors should be consulted for approval prior to the committees execution.
XII. Accountability
Because the committee is acting on behalf of the OWASP Foundation, but as a separate entity from the OWASP Board, the committee members are expected to conduct their actions with regard to the OWASP Mission, the OWASP Code of Ethics, and the Board’s annual strategic goals. The committee and it’s members will ultimately be held accountable for any actions that are not in line with these key principles or that are outside of the pre-determined scope of the committee. Perceived violations should be brought to the attention of the OWASP Leaders List along with all substantiating evidence. After a community discussion, the Board may veto the actions of the committee by a majority vote of the Board of Directors.
XIII. Conclusion
We believe that empowering our volunteers to take action is core to the execution of OWASP’s mission. With the above committee structure, we believe that the right pieces will be in place to provide the organization with effective governance as well as checks and balances to ensure unbiased operation. We hope that you will agree that executing on this is in the bests interests of the future of the OWASP Foundation.