Board of Directors Commitment Agreement (Draft WIP)

This is a DRAFT or SUBSTANTIALLY MODIFIED existing policy currently in an open review period.


Members are invited to provide feedback on this draft policy until October 31, 2025. The Policy Review Team will respond to comments mailed from your owasp.org email address to this address.


Note: this is the text of a form that will be digitally signed by each new Board member prior to taking their seat using OWASP’s e-signature service.

OWASP FOUNDATION – BOARD OF DIRECTORS COMMITMENT AGREEMENT

As a member of the Board of Directors of the OWASP Foundation, I understand that I am a director of a Delaware nonprofit corporation and I have a legal and ethical responsibility to ensure that the organization does the best work possible in pursuit of its mission and strategic goals. I believe in the purpose and the mission of the organization, and I will act responsibly and prudently as its steward.

In preparation for my term as a board member, I have read and understand the board orientation materials listed below:

General Information about the Role and Responsibilities of Nonprofit Board Members:

  1. The Little Book of Boards: A Board Member’s Handbook for Small (and Very Small) Nonprofits by Erik Hanberg

  2. Nonprofit Kit for Dummies 6th Edition

  3. Board Source Online Training

  4. Robert’s Rules of Order - either the concise version or the complete version

Organization specific information:

  1. OWASP Foundation Bylaws
  2. Code of Conduct
  3. Board Code of Conduct
  4. Antitrust Policy
  5. Conflict of Interest Policy and Annual Conflict Questionnaire
  6. OWASP’s financial reports and IRS 990 (Tax filings) for the most recent two years available.

I have been provided with the following information or documents:

  1. Foundation Board of Director Liability Insurance Policy (available upon request from the OWASP Foundation)
  2. List of current board members and employees with contact information (provided privately to Board members only)
  3. Board meeting schedule for upcoming calendar year
  4. Board Member Information
  5. Board Google Groups
  6. OWASP Governance Landing Page

As part of my responsibilities as an OWASP Director:

  1. I have read and acknowledge the Board Code of Conduct and the Code of Ethics.

  2. I understand that I have a fiduciary duty to act in an objective, responsible, honest, trustworthy, and efficient manner without placing the organization under unnecessary risk. As part of this duty, I will act in good faith for the good and benefit of the organization, rather than for the benefit of myself or my employer.

  3. I have completed the conflict of interest statement and will continue to update it in a timely fashion if my circumstances change, such as change of job(s) or duties, investments, Board or other advisory memberships, and other interests as they might affect the OWASP Foundation.

  4. I will act in the best interests of the organization, and recuse myself from discussions and votes where I have a perceived or actual conflict of interest. I will raise any potential conflicts of interest proactively to allow a discussion by the Board to decide whether I am conflicted. If in doubt, I will always declare the potential conflict of interest and let the remainder of the Board decide, as per the Conflict of Interest policy, provided they too are unconflicted.

    For example, if the OWASP Board is discussing training splits and I often give paid training on OWASP topics or at OWASP events, this is an actual conflict of interest, and I should declare my interest. As another example, if I have a personal relationship (such as friendship or extensive business connections) with a firm or organization that has business before the Board, this could be seen by some as a perceived conflict of interest, and I will declare a potential conflict of interest.

  5. I will follow the Antitrust Policy at all times. If in doubt, I will raise any potential antitrust concerns to the Chair or Executive Director for advice.

I possess all necessary qualifications and have completed all necessary prerequisites:

To the best of my knowledge, I have read, acknowledged, and completed all necessary requirements of the Board Directors’ Policy section A.2 Director Qualifications and Prerequisites prior to taking my seat and voting as a Board member, including but not limited to:

  1. I am responsible for my good standing by maintaining valid voting membership for the duration of my term.

  2. I have completed any necessary onboarding paperwork, pre-reading, and training as set out above or required by the OWASP Foundation prior to taking my seat or voting.

  3. I have completed the necessary forms / paperwork authorizing background checks as required by the Executive Director. If there are negative findings, these will be reported to the current Chair for further consideration, up to and including declaring my seat vacant under the Vacancy section in the bylaws.

  4. To my knowledge, no other Director-elect or ongoing Director works at the same organization as I do, or, if they do, I am eligible to be seated per the Board Directors’ policy method of selecting a successful candidate.

I will abide by this Director Commitment agreement, by:

  1. I will interpret the organization’s work and values to the community, represent the organization, and act as a spokesperson, only when authorized by the Board of Directors or when called upon in my role as an Officer or Director of OWASP.

  2. I will stay informed about what’s going on in the organization and exercise my duty of care as a Director of OWASP. I will ask questions and request information in connection with exercising such fiduciary duties.

  3. I will participate in and take responsibility for making decisions on issues, policies and other board matters.

  4. I will work respectfully and in good faith with staff and other board members as partners towards achievement of our goals.

  5. I will attend at least 75% of twelve monthly public board meetings annually. These are nearly all held virtually, with the exception of two public Board meetings held at the Global AppSec conferences. When meeting virtually, my camera will be enabled, and I agree to the meetings being recorded and published.

    Minutes will be recorded by the Secretary, and published publicly for the community to review, including the results of all motions.

  6. I will attend as many special meetings as I can reasonably accommodate. Special meetings are nearly always virtual. When attending virtually, my camera will be enabled, and I agree that the meeting will be recorded.

    Due to the sensitive nature of most special meetings, recordings will only be made available to the Board. If a special meeting is to be published publicly, this needs to be approved by a majority vote during the special meeting.

    Minutes will be recorded by the Secretary and published for the Board to review, including the results of all motions. If a motion can be published publicly, it needs to be motioned to be included in the list of public motions.

  7. I expect to travel internationally up to twice a year, and thus I will maintain my passport and work with the OWASP Foundation to obtain any necessary visas.

  8. I will attend at least 66% of the Board summits every year in person. If I am unable to attend a Board Summit in person, I will make every effort to attend virtually, with my camera enabled. I agree that these summits will be recorded, and recordings and outcomes/minutes published privately for the Board to review.

    If these summits are scheduled with sufficient time as per the bylaws and have quorum, votes can be taken as per a special meeting, but an agenda change must be motioned with a super majority to allow the vote to take place. Minutes will be recorded by the Secretary and published for the Board to review, including the results of all motions. If a motion can be published publicly, it needs to be motioned to be included in the list of public motions.

    Board summits are typically scheduled for a first quarter strategic goal setting event, and shorter summits in conjunction with Global AppSec conferences during the training days.

  9. I will prepare adequately for Board summits and meetings, help set the agenda during prep calls, read pre-reading material, be active in assigned liaison roles, meet with relevant stakeholders and staff as required, and be responsive to emails and Slack messages.

  10. If I don’t fulfill these commitments to the organization, I will expect the board chair to call me and discuss my responsibilities with me.

  11. I will comply with all applicable laws, including any applicable antitrust laws.

  12. I will not take any action that would cause the Foundation to be disqualified from exemption from federal income tax under section 501(a) of the Internal Revenue Code of 1986, as amended, or the corresponding provision of any future United States Internal Revenue law.

The Organization will be responsible to me in the following ways:

  1. I will be sent, without request, monthly financial reports and an update of organizational activities that allow me to meet the “prudent person” standards of the law.

  2. Opportunities will be offered to me to discuss with the executive director and the board chair the organization’s programs, goals, activities, and status; additionally, I can request such opportunities.

  3. Board members and staff will respond in a straightforward fashion to questions that I feel are necessary to carry out my fiscal, legal and moral responsibilities to this organization. Board members and staff will work in good faith with me towards achievement of our goals.

  4. The OWASP Foundation, Inc. will cover my travel, accommodation, and reasonable daily expenses per the travel policy for official Board travel such as in-person Board Summits, in-person Board meetings, and pre-approved Board activities, such as officially representing OWASP at a government event, standards body, or other conference.

  5. The OWASP Foundation, Inc. will assist me with visas, such as by providing a visa letter, and will reimburse reasonable visa fees for conducting official OWASP business on pre-approved trips, such as in-person Board meetings.

  6. If the organization does not fulfill its commitments to me, I can call on the board chair and executive director to discuss the organization’s responsibilities to me.

I have read and acknowledged this Agreement and its contents, and agree to comply with all of its requirements, obligations, and duties.

Signed,

Member, Board of Directors

Date: