Rules of Procedure

Board Directors Policy (Draft WIP)

This is a DRAFT or SUBSTANTIALLY MODIFIED existing policy currently in an open review period.


Members are invited to provide feedback on this draft policy until October 31, 2025. The Policy Review Team will respond to comments mailed from your owasp.org email address to this address.


The OWASP Foundation (OWASP) is a community-led organization where some leadership roles are filled with individuals elected by Membership.

The OWASP Foundation leadership comes from the community and represents the entire community, and as such is elected by the community in a democratic and representative process. Candidates from a diverse pool, with a strong history of commitment to the mission of the Foundation, are firmly encouraged to participate in the leadership of the OWASP Foundation.

Elections shall be conducted in a fair and transparent manner which includes:

  • Sufficient notice period for nominations and voting;
  • Clear director qualifications;
  • Publicly available timelines;
  • Open process for community to meet candidates;
  • Secret ballots;
  • Publication of full voting results.

This policy is established under section 3.12 (“Nomination and Election Procedures”) of the OWASP By-Laws (By-Laws), and defines both the necessary qualifications and requirements to nominate and be elected, as well as the elections procedure itself.

A. Qualifications and requirements

A.1. Candidate Qualifications

Candidates may nominate themselves via the nomination procedure defined below, only if they meet all of the following qualifications:

(a) Candidates must be OWASP Members in good standing, as defined by the By-Laws in Section 2, and must have shown strong commitment to the mission of the Foundation.

(b) In particular, candidates must have maintained good standing as OWASP Members for twelve (12) months as of “Membership Day” (see below). From “Membership Day” of the current year and throughout the election process, Candidates must maintain good standing as an OWASP Member of a class eligible to run for the Board (as defined by the By-Laws). Candidates may nominate themselves without a full year of Membership, but must have completed a full year of continuous membership in good standing by “Membership Day” to be eligible as a valid Candidate in the election, and must maintain their Membership in good standing through the conclusion of the election process.

(c) Candidates may self-nominate only. No third party shall nominate another individual.

(d) Candidates must show a history of active volunteer contribution to the OWASP Community. This can include any of the following, or a combination thereof, for a period of at least 9 months in the preceding year, or 24 months in the previous 6 years:

1. Leadership of an active OWASP Chapter or OWASP Project  
2. OWASP Global AppSec conference organizer or CFP track lead  
3. OWASP local AppSec Days core organizing team  
4. OWASP Committee membership or chair or co-chair of an officially recognized Working Group
5. OWASP Compliance Officer  
6. Alternatively, three years cumulatively, in the previous 5 years, of verifiable volunteerism or ongoing contributions within the OWASP community, confirmed by OWASP Staff (e.g. via a leader testimonial).
7. Alternatively, equivalent amount of time contributing in a significant manner for another open-source cybersecurity community, confirmed by OWASP Staff, in addition to participation in at least a single OWASP Event, Chapter Meetup, or project contribution within the past 12 months.

(e) OWASP Foundation employees in a paid position at full-time equivalent, or exceeding two thirds of full time, may not be nominated as a Candidate, nor serve as a Board Director, during their employment and for a period of six (6) months after their last day as a paid Foundation employee, or for a longer period (not exceeding 18 months) if so specified in the Staff Handbook maintained by the Executive Director.

(f) Candidates should maintain a public-facing persona, in English at a minimum, on a social networking platform (e.g. LinkedIn or OWASP Glue Up). Candidates should be capable of and willing to communicate with the Board, Staff, and community in (at least basic) English, both in writing and verbally, as Board communications and discussions are held in English.

(g) Candidates must commit to fulfilling the Election process commitment (see Section B.1. below) and, if elected, the Director Qualifications and Prerequisites (see Section A.2. below) during their full term as a Director. Candidates that do not fulfill these commitments shall not be eligible to participate in the Election as a Candidate. Candidates should also join the general public Board meetings before or during the Election process as a non-voting guest, so as to understand the procedures, environment, and expectations.

(h) A Candidate who has violated the Code of Conduct within the four (4) years preceding “Membership Day”, as confirmed by the Compliance team or the Executive Director, shall be ineligible to run for the Board and may not be nominated. Multiple confirmed violations of the Code of Conduct shall make the individual ineligible for nomination to the Board indefinitely, with no time limit.

A.2. Director Qualifications and Prerequisites

Basic Director qualifications and term limits are detailed in the By-Laws section 4.3 and take precedence over this policy if there is any disagreement. These qualifications shall apply to all Board Directors, whether elected in an election of members, appointed by the Board, or seated on the Board by any other means. An affirmative vote by a supermajority of the remainder of the Board can approve a temporary exception from a specific qualification for a Director, allowing the Director to continue serving until the end of their current term. Such exceptions shall be granted sparingly and only upon clear demonstration of compelling justification.

  1. Elected Candidates and appointed Directors must be in good standing as OWASP Voting Members (e.g., as a paid Individual Member or Distinguished Lifetime Member, or as defined in the By-Laws Section 2.1) prior to taking their seat for their term by January 1 of the calendar year following their election, or prior to their defined start date if appointed by the Board to take over a vacancy. Directors must maintain their Voting Membership in good standing throughout their term.
  2. Elected Candidates and appointed Directors must complete all necessary onboarding processes and paperwork, including undertaking Board training, obtaining necessary reading materials, signing the Board of Directors Commitment Agreement, completing their Conflict of Interest register, and agreeing to the Board Code of Conduct, and any other tasks (Director Prerequisites), prior to taking office. Active Directors must also maintain their Conflict of Interest Register honestly and up to date.
  3. Elected Candidates and appointed Directors must undergo and pass thorough background checks, to be defined by the Executive Director and supervised by the Chair of the Board, prior to taking their seat.
  4. No two Directors may serve concurrently on the Board of Directors while employed by the same company, corporation, or other employer; such a situation shall be deemed a conflict. Likewise, no two Directors may serve concurrently on the Board of Directors while also serving as a Director, Advisor, or Officer of the same company, corporation, association, or other external organization; such a situation shall also be deemed a conflict.
    An Elected Candidate or appointed Director in conflict with another Director shall not assume office while the conflict is unresolved. If two Elected Candidates are in conflict with each other, the Candidate with the higher vote count shall be eligible to take office.

An incumbent Director who acquires an affiliation creating such conflict, through choice or circumstance, shall have one month to resolve the conflict, after which, if unresolved, their position shall be deemed vacant. In exceptional circumstances, the remaining unconflicted Board members may, by a supermajority vote, approve a temporary exception to this resolution for a specific conflict, allowing both Directors to continue serving until the end of their current terms. Such exceptions shall be granted sparingly and only upon clear demonstration of compelling justification.

Candidates and Directors who fail to satisfy these Director Qualifications and Prerequisites shall be ineligible to be seated as a Board Member or to vote at Board meetings. In the event an elected Candidate or appointed Director fails to satisfy such Director Qualifications or Prerequisites by the first public Board meeting of the calendar year, or by the first public Board meeting after the defined start date if appointed by the Board, the incoming Board shall follow the disqualification and vacancy processes in the By-Laws (sections 4.5 and 4.6) to vacate and fill the position.

A.3 Director Commitment

Per section 4.3 (c) of the By-Laws, the following attendance commitment and other prerequisites are set by the Board:

  1. Directors must attend at least 75% of general Board meetings in the calendar year. This includes Board Summits. Board prep calls, special board meetings, and other ad hoc meetings without quorum or voting requirements do not count towards attendance.
  2. Directors should attend at least two in-person special Board meetings (“Board summits”) annually. These are generally but not exclusively held at Global AppSec events and at an additional location in the first quarter of the calendar year. If they cannot attend in person, Directors should attend virtually. These summits count toward attendance requirements.
  3. Directors should expect international travel at least two times a year, and should maintain a valid passport and be eligible to apply for any necessary visa or travel authorization.
  4. Directors should attend remote meetings with their cameras enabled and must agree to the meetings being recorded.
  5. In addition to regular Board meetings, special Board meetings, and Board summits, and advance preparation for each, Directors should invest sufficient time in Board work, e.g. to liaise with their assigned committees, define policies and initiatives, meet with staff and community, perform research, and execute additional tasks as may be assigned by the Chair.

If these requirements are not being met for an extended period, then the Board may invoke sections 4.5 and 4.6 of the By-Laws to remove a Director and fill the resulting vacancy.

A.4. Additional Officer Qualifications

Certain OWASP Board Officer positions, notably Treasurer, may require Directors to execute various additional agreement(s) prior to assuming the duties of office, such as becoming a signatory on OWASP’s financial accounts, co-approver in accounting systems, and so on. Failure to execute those agreement(s) or obtain sufficient access shall result in a removal motion under section 6.4 of the By-Laws, and subsequent removal from the officer position. The Officer vacancy process (section 6.2) shall then occur to find a replacement officer.

The Chair and Vice-Chair should hold meetings with the Executive Director at least once a month, aside from general Board meetings, and may meet individually with staff in coordination with the Executive Director. The Chair of the Board, elected by the Board Directors, should have at least one year of experience serving as a Director on the Board.

All other privileges and duties of said Officers are defined in By-Laws Sections 6.5, 6.7, and 6.8.

A.5. Officer Term of Office

As per sections 6.3 and 6.4 of the By-Laws, officers (Chair, Vice Chair, Treasurer, and Secretary) shall be elected by a majority vote of their fellow Directors generally for a term of one year at the first special or general Board meeting in each calendar year.

Officers shall hold office from the date they are elected to their role until their term expires, or until they are removed or replaced by the Board, whichever occurs first.

In the event an officer ceases to be a Director or otherwise becomes ineligible to serve as an officer (e.g. due to term expiration, term limits, or not being re-elected), the office they hold becomes vacant. If the Chair position is vacant, the Vice Chair shall act as Chair. If both the Chair and Vice Chair positions are vacant, the Secretary shall act as Chair. If the Chair, Vice Chair, and Secretary roles are all vacant, the Board must hold a special meeting as early as practicable to elect a new Chair and to conduct new elections for all open Officer positions. In this event, the Executive Director shall act as Chair until the new Chair is elected.

B. Election Process

B.1. Candidate Statement

Elections shall include methods for the electorate to hear from the candidates and be informed of their relevant contributions, strategic intentions, and positions on topical matters.

These methods shall minimally include a Candidate page on the OWASP Elections website, detailing their background, professional biography, and plans. The Candidate must also post on their Candidate page answers to standard Candidate questions, to be defined by the OWASP Executive Director.

Additionally, the methods shall include an open call for questions from the community, with a final list sorted by popularity and up to six questions provided to the Candidates. Each Candidate shall post their answers on their Candidate page on the OWASP Elections website, together with an online video of the Candidate describing their positions.

OWASP should also hold an open online and video-recorded Town Hall and/or facilitated Debate, for the electorate to hear directly from each of the Candidates. Candidates should actively participate in this Town Hall or Debate.

B.2. Election Timeline

No later than two months prior to an election, a Call for Candidates shall be published and made publicly available and discoverable (e.g. on the OWASP Elections website at a minimum). This Call for Candidates shall include a specific timeline, announcement schedule, important dates, and milestones.

These election milestones are the following, or closest business day:

  • Call for Candidates published, August 15
  • Candidate Registration Deadline, August 31
  • Qualification verification, September 1-10
  • Candidates announced to the community, September 10
  • Community Questions collection, September 15-30
  • “Membership Day”, September 30
  • Candidates answering questions and providing video, October 1-15
  • Town Hall / Candidate Debate, October 1-15
  • Election Voting Opens, October 15
  • Election Voting Closes, October 30
  • Results announced to the community no later than the first business day after November 3
  • Directors take office, January 1

B.3. Voter Requirements

Membership class voter qualifications are defined in the By-Laws in section 2.1 (a). Voting Members who are in good standing (see By-Laws section 2.2(b)) on “Membership Day” each calendar year are eligible to vote in the OWASP Foundation Board of Directors election.

Community members shall receive the following notifications according to the above Timeline, via email and other channels: (1) call for candidates; (2) call for questions; (3) notice of Voter Requirements; (4) “Membership Day” deadline; (5) list of eligible Candidates with links to their Candidate pages; and (6) notification to vote.

B.4. Voting

Voting in elections shall be a secret ballot of Voting Members. Balloting shall be open for no less than fourteen (14) and no more than twenty (20) days. Voting closes at 11:59pm UTC on the election voting end date. Staff shall ensure that current Voting Members of the Foundation receive a serialized ballot. Each Voting Member may cast only one ballot per election.

Ballots shall be counted using a ranked-choice or preferential counting method (e.g. STV, “Single Transferable Vote”). Each Voting Member casts a single ballot ranking their preferred Candidates in order. During the count, a ballot whose higher preference cannot be used (because that Candidate is already elected or has been eliminated) is counted towards the voter's next preference, as defined by the counting method.
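To make the transfer step concrete, here is a minimal STV count in Python. It is an added illustration, not part of this policy and not OWASP's tallying software. The policy names only the family of methods, so the specifics below are assumptions: a Droop quota, fractional (inclusive Gregory) transfer of an elected Candidate's surplus, elimination of the lowest Candidate when nobody reaches the quota, and alphabetical tie-breaking. The ballots are constructed sample data.

```python
"""Minimal single transferable vote (STV) count (added illustration).

Assumptions not fixed by the policy: Droop quota, fractional surplus
transfer, lowest-candidate elimination, alphabetical tie-breaking.
Ballots below are constructed sample data, not real election results.
"""
from collections import defaultdict


def droop_quota(num_ballots: int, seats: int) -> int:
    # Smallest vote count that at most `seats` candidates can all reach.
    return num_ballots // (seats + 1) + 1


def stv_count(ballots, seats):
    """Return the elected candidates in order of election.

    `ballots` is a list of preference lists (highest preference first).
    Each ballot carries a weight, initially 1.0, that shrinks when it is
    transferred as part of an elected candidate's surplus.
    """
    quota = droop_quota(len(ballots), seats)
    active = [[list(b), 1.0] for b in ballots]      # [preferences, weight]
    continuing = {c for b in ballots for c in b}
    elected = []
    while len(elected) < seats and continuing:
        if len(continuing) <= seats - len(elected):
            # Fewer continuing candidates than open seats: seat them all.
            elected.extend(sorted(continuing))
            break
        # Tally: each ballot counts for its highest-ranked continuing candidate.
        tally = defaultdict(float)
        for prefs, weight in active:
            for c in prefs:
                if c in continuing:
                    tally[c] += weight
                    break
        for c in continuing:
            tally.setdefault(c, 0.0)   # candidates with no votes can still be eliminated
        # Ties are broken alphabetically (assumption): max/min keep the first maximum/minimum.
        best = max(sorted(continuing), key=lambda c: tally[c])
        if tally[best] >= quota:
            # Elect, then pass the surplus on at a reduced weight so each
            # ballot's next preference receives only the unused fraction.
            surplus = tally[best] - quota
            factor = surplus / tally[best] if tally[best] > 0 else 0.0
            for ballot in active:
                prefs, weight = ballot
                top = next((c for c in prefs if c in continuing), None)
                if top == best:
                    ballot[1] = weight * factor
            elected.append(best)
            continuing.remove(best)
        else:
            # Nobody reached the quota: eliminate the lowest candidate; their
            # ballots move to the next continuing preference at full weight.
            worst = min(sorted(continuing), key=lambda c: tally[c])
            continuing.remove(worst)
    return elected


def sample_ballots():
    # Constructed sample: 14 ballots, 4 candidates, 2 seats -> quota 5.
    return ([["A", "B", "C"]] * 6 + [["B", "A"]] * 3
            + [["C", "D"]] * 3 + [["D", "C"]] * 2)


if __name__ == "__main__":
    print(stv_count(sample_ballots(), seats=2))
```

With the sample ballots, A is elected in the first round with 6 votes against a quota of 5; the surplus of 1 vote is spread over A's six ballots at weight 1/6 each and flows to B. No one then reaches the quota, so D (lowest, 2 votes) is eliminated and D's ballots transfer to C, which reaches 5 and takes the second seat.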

B.5. Results

OWASP Staff shall report the full results of the election within no more than three (3) business days following the close of voting. This must include, at a minimum, the number of votes cast for each individual Candidate, and the cumulative total of all ballots cast. This shall be published in a publicly available and discoverable manner (e.g., on the OWASP Elections website).

The Executive Director or their designee shall certify the election result. Ballots are secret: no one other than the Voting Member shall know how that Member voted.

B.6. Candidate Onboarding

After the Election, elected Candidates must prepare for their term prior to taking office. This includes all necessary onboarding processes and paperwork, as well as required background checks, as noted in Section A.2. above. This also includes required pre-reading to be defined from time to time, such as Rules of Order and OWASP policies. Elected Candidates should expect at least eight hours of pre-reading.

Additionally, elected Candidates should join the general public Board meetings in the intervening months between their Election and the start of their term. Elected Candidates must attend at least one public Board meeting before the start of their term. This is considered shadowing the Board: for any motion in the meeting, the Chair of the Board should call on the elected Candidates present for a shadow vote. (This shadow vote is non-binding and is not counted towards the motion.)

Elected Candidates should meet with the Executive Director and with the Chair of the Board, in the intervening months between their Election and the start of their term, to discuss expectations and their goals.

B.7. Fraud and unethical conduct

Fraudulent behavior, unethical conduct, or efforts to either suppress or inappropriately influence votes shall not be tolerated, as they are against the OWASP Code of Conduct. The disciplinary process detailed in the Code of Conduct shall apply, up to and including being removed as an OWASP Member or having participation revoked by the Board.