Corporate and Social Responsibility (DRAFT WIP)
This is a DRAFT or SUBSTANTIALLY MODIFIED existing policy currently in an open review period.
Members are invited to provide feedback on this draft policy until June 11, 2026. The Policy Review Team will respond to comments mailed from your owasp.org email address to this address.
1. Purpose
This Corporate and Social Responsibility (CSR) Policy outlines The OWASP Foundation’s commitment to ethical conduct, responsible stewardship, and positive social and environmental impact. It provides a framework for integrating CSR principles into governance, operations, programs, partnerships, and decision‑making.
2. Scope
This policy applies to:
- Board members
- OWASP Foundation leadership and staff
- OWASP leaders, volunteers, contributors, and participants
- Contractors and consultants
- Partners, collaborators, and suppliers engaged in organizational activities
All individuals and entities acting on behalf of The OWASP Foundation are expected to uphold the standards set out in this policy.
3. Alignment With Mission and Values
The OWASP Foundation’s CSR commitments are grounded in its mission to serve the community with openness and transparency, innovation, global inclusiveness, and integrity. All OWASP activities must:
- Advance The OWASP Foundation’s charitable purpose (“No more insecure software”)
- Reflect its core values of stewardship, inclusivity, accountability, and community benefit
- Avoid activities that conflict with The OWASP Foundation’s apolitical, nonprofit status
4. Ethical Governance and Accountability
The OWASP Foundation is committed to:
- Complying with all applicable laws, regulations, and governance standards
- Maintaining transparent and ethical decision‑making processes
- Ensuring Board oversight of CSR commitments and performance
- Upholding high standards of conduct through the Code of Conduct, Conflict of Interest Policy, and related governance documents
5. Environmental Responsibility
The OWASP Foundation seeks to minimize its environmental footprint by:
- Minimizing travel emissions through sourcing local speakers, trainers, and volunteers, holding virtual meetings where possible, and offsetting unavoidable travel emissions
- Reducing waste, energy use, and emissions in operations and events
- Prioritizing sustainable procurement and resource use
- Encouraging environmentally responsible behavior among staff, volunteers, and partners, including locally sourcing materials and services, reducing single-use plastics, and promoting digital collaboration to reduce travel needs
- Considering environmental impacts when designing programs, travel, and activities
6. Social Responsibility
The OWASP Foundation is committed to:
- Fostering a safe, inclusive, and respectful environment for all
- Promoting belonging, inclusion, and fairness within the application security community, particularly for underrepresented groups
- Ensuring fair labor practices and safe working conditions for its staff, volunteers, and contractors
- Upholding safeguarding standards for children and vulnerable people where applicable
- Engaging communities in ways that are culturally respectful and responsive
- Having a zero‑tolerance stance towards discrimination, harassment, exploitation, and abuse in all forms
The Code of Conduct and related policies provide guidance on expected behavior and standards of conduct. All personnel must report suspected misconduct immediately through established whistleblower reporting channels.
7. Responsible Financial Stewardship
The OWASP Foundation will:
- Use donor funds and resources responsibly, transparently, and in alignment with mission
- Maintain strong internal controls to prevent misuse of funds
- Ensure ethical fundraising practices consistent with regulatory and sector standards
- Avoid conflicts of interest in financial and procurement decisions
8. Human Rights and Community Impact
The OWASP Foundation respects and promotes human rights by:
- Ensuring programs and partnerships do not cause harm or perpetuate inequity
- Supporting the dignity, rights, and wellbeing of all individuals and communities served
- Incorporating community feedback into program design and evaluation
- Avoiding partnerships with entities that violate human rights or engage in harmful practices
9. Partnership and Supplier Standards
The OWASP Foundation expects partners and suppliers to:
- Operate ethically and in alignment with The OWASP Foundation’s values
- Comply with labor, environmental, and human rights standards
- Demonstrate transparency in their operations
- Avoid practices that could harm The OWASP Foundation’s reputation or beneficiaries
Where appropriate, The OWASP Foundation may conduct due diligence or require declarations of compliance.
10. Anti‑Corruption and Anti‑Bribery Commitments
OWASP maintains a zero‑tolerance stance towards corruption and bribery. The Board, OWASP Staff, Leaders and Participants, and suppliers must adhere to the highest ethical standards, avoiding any form of:
- Bribery
- Corruption
- Fraud
- Embezzlement
- Improper influence or inducements
OWASP’s Antitrust, Anti Corruption, and Competition Policy and related policies provide guidance on expected behavior and ethical standards. All personnel must report suspected misconduct immediately through established whistleblower reporting channels.
11. Data Privacy and Digital Responsibility
The OWASP Foundation is committed to:
- Protecting personal information in accordance with applicable privacy laws
- Ensuring secure handling, storage, and disposal of data
- Using digital tools and technologies ethically and responsibly
- Maintaining cybersecurity practices that safeguard organizational and stakeholder information
The Privacy Policy and related data protection measures are integral to OWASP’s CSR commitments in this area.
12. Transparency and Public Reporting
The OWASP Foundation will:
- Publish accurate and timely information about its activities, finances, and impact on a monthly basis through its Board meeting minutes, annual reports, and public disclosures
- Provide annual reporting to members, donors, and the public through the publication of an annual impact report containing financial statements
- Disclose CSR‑related commitments, progress, and challenges where appropriate
13. Mechanism for Reporting Non‑Compliance (Whistleblower Policy)
Concerns about breaches of this policy—including unethical behavior, misconduct, or non‑compliance—may be reported through OWASP’s Whistleblower Policy. This mechanism allows for confidential reporting of concerns without fear of retaliation.
14. Implementation and Responsibilities
- Board of Directors: Provides oversight, ensures alignment with mission and governance standards, and reviews CSR performance.
- Executive Leadership: Integrates CSR principles into strategy, operations, and risk management; ensures compliance across the organization.
- Directors and OWASP: Implement CSR practices within their areas, monitor compliance, and support staff and volunteers.
- Staff and Volunteers: Uphold the policy in daily activities and report concerns or breaches.
- Partners and Suppliers: Comply with relevant sections of this policy as a condition of engagement.
15. Review Periods
This policy will be:
- Reviewed every two years, or sooner if required by regulatory changes or organizational needs
- Updated to reflect evolving best practices in governance, sustainability, and social responsibility
- Approved by the Board of Directors following each review cycle