Merge branch 'master' of https://github.com/OWASP/www-policy
vanderaj committed Jul 9, 2024
2 parents 63cd7d5 + 22547d7 commit 1b4bf2b
Showing 7 changed files with 194 additions and 454 deletions.
10 changes: 7 additions & 3 deletions index.md
Expand Up @@ -19,6 +19,7 @@ Policies and Procedures adopted by the Global Board for OWASP Operations. Last e
</ul>

## Guidebooks

Handbooks to help Chapter, Project, and Event Leaders in their volunteer work.
{% assign pages = site.pages | sort: 'title' | limit: 1000 %}
<ul>
Expand All @@ -30,6 +31,7 @@ Handbooks to help Chapter, Project, and Event Leaders in their volunteer work.
</ul>

## Contract and Agreement Templates

{% assign pages = site.pages | sort: 'title' | limit: 1000 %}
<ul>
{% for page in pages %}
Expand All @@ -40,13 +42,15 @@ Handbooks to help Chapter, Project, and Event Leaders in their volunteer work.
</ul>

## Others

- [Employee Handbook](/www-policy/employee)

## TODO
- Contact Us (responsivness to tickets, SLA, submitting complete information, submitting accurate information)
- Membership - terms, discounts, submitting accurate info, pricing, honorary process, peference for Foundation events (like PRoject Summits etc

- Contact Us (responsiveness to tickets, SLA, submitting complete information, submitting accurate information)
- Membership - terms, discounts, submitting accurate info, pricing, complimentary membership process, preference for Foundation events (like Project Summits etc
- Advertising
- Travel Assistance Program - member, workflow, limits,
- Travel Assistance Program - member, workflow, limits
- Local Partnerships
- Mailing Lists
- Elections
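Review bot: the rewritten Membership item still ends with an unclosed parenthesis, "(like Project Summits etc"; since this line is already being edited for spelling, close it in the same change, e.g. "(like Project Summits, etc.)". In the Travel Assistance Program item, dropping the trailing comma is fine, but "member" on its own is unclear as a TODO entry; if it means eligibility or membership requirement, say so.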
591 changes: 172 additions & 419 deletions legal/bylaws.md

Large diffs are not rendered by default.

31 changes: 7 additions & 24 deletions operational/committees.md
Expand Up @@ -4,11 +4,11 @@ title: Committees Policy
layout: col-document
document: Rules of Procedure
tags: Rules of Procedure
notice: 2020-10-20
notice: 2024-05-29

---

Adopted by the Board on October 20, 2020
{% include draft-notice.html %}

## Introduction

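Review bot: replacing "Adopted by the Board on October 20, 2020" with the draft-notice include removes the only statement of when the policy currently in force was adopted, so a reader of the draft can no longer tell which version applies. Suggest keeping the adoption line alongside the draft notice, or recording the adoption date in the front matter, until the revised policy is adopted.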
Expand All @@ -22,8 +22,6 @@ Committees are working committees, and not advisory boards, although they may pr

The Committees Policy establishes “standing committees” per the Robert’s Rules of Order, Newly Revised, 12th Ed (50:7) (RONR), and contemplates empowering the Committee to act within its defined charter scope once established. Committees are free to adopt RONR 12th edition or later if they so choose to run meetings or resolve disputes, but they are not required to do so.

To allow the Compliance Committee to become a formal Committee under this policy various exclusions to this policy are documented. This is due to the knowledge, skills, and the fact that it has historically been extraordinarily difficult to recruit qualified members to the Compliance Committee.

## Lifecycle

### Forming a Committee
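Review bot: deleting the Compliance Committee rationale paragraph is consistent with the later hunks in this file that remove each exclusion, but the Conflict Resolution hunk at the end of the file substitutes "Compliance Team" instead of removing the reference; check that nothing in committees.md outside these hunks still relies on the Compliance Committee being a formal Committee under this policy, and use one name for whatever body remains.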
Expand Down Expand Up @@ -81,8 +79,6 @@ Committee officers cannot be officers of another Committee, the Global Board, or

The OWASP Foundation may nominate a staff member to attend the new committee meetings and work with the Committee Chair on committee activities, as available. The Staff Liaison is not a full-time staff member for the committee but will assist the committee on a best efforts basis.

Compliance Committee Exclusion: To maintain arm’s length independence from the Foundation, the Compliance Committee can choose a staff member, or choose to not have one.

## Establishment of the Committee

The Committee will consult with the Foundation Executive Director to review the proposed charter scope and the membership details of the proposed Committee leaders. The Executive Director will suggest improvements to the Charter to align the Charter’s scope with OWASP’s mission and the current Board’s strategy, and ensure qualified professionals review all provisions with financial, legal, organization risk, or regulatory requirements.
Expand Down Expand Up @@ -125,8 +121,6 @@ Elections for Committee leadership shall be held simultaneously as Board electio

If no nominations for replacement officers are received, in and in the case where Committee officers wish to as an officer, the OWASP Board can approve an extension of any existing officers’ term on a case-by-case basis, to allow the Committee to continue running.

The Compliance Committee has no term limits and is not required to hold elections as candidates must have certain skills and as it is particularly difficult to recruit Compliance Committee members.

## Dissolving a Committee

The goal of this section is not to close committees, but to ensure that all committees are active. Inactive committees are a burden on governance and will be dissolved as a last resort.
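Review bot: the unchanged context line "If no nominations for replacement officers are received, in and in the case where Committee officers wish to as an officer" is garbled (repeated "in and in", missing verb after "wish to"); since this hunk already edits the Elections section, fix it in the same change, e.g. "and in the case where Committee officers wish to continue as an officer".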
Expand All @@ -144,8 +138,6 @@ Inactive committees are defined as one or more of the following:

The Foundation will automate checks to determine committee activity, and thus Committees are required to use the owasp.org website, and our meeting organization tool to assist with that automation. Once discovered, the Foundation will notify the Board, and the Committee has 30 days to rectify the inactivity.

The Compliance Committee, as it is driven by complaints made by others, may not have any business to perform, and thus do not need to meet consistently, and they do not meet publicly. They are only required to submit a quarterly report to the Board stating any activity and remain responsive to the Community requests for investigations or rulings.

### Committee Scope and Devolved Powers to return to the Board upon dissolution

Any scope or powers devolved to a committee shall be returned to the Board upon dissolution.
Expand All @@ -166,7 +158,7 @@ The Community may re-establish a dissolved Committee by following the same forma

### Dissolving due to Committee Mismanagement

The Board, in its sole discretion, or after an upheld complaint to the Compliance Committee, can vacate some or all of a Committee’s leadership or dissolve a committee entirely. This covers:
The Board, in its sole discretion, or after an upheld complaint via the [Whistleblower Complaint process](/www-policy/operational/whistleblower), can vacate some or all of a Committee’s leadership or dissolve a committee entirely. This covers:

- Breaches of Code of Conduct or relevant sections of the Board of Directors Code of Conduct, or continuing conduct that is inconsistent with the OWASP mission.
- Abuse of governance, such as violating the Board’s primacy for strategy, policy, and oversight, rejection of Foundation mandates for operational matters, or abuse of accountable projects, chapters, events, other Committees, the Foundation, or the Board.
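Review bot: the new link text reads "Whistleblower Complaint process" while the Misconduct and Conflict Resolution hunks below write "Whistleblower complaint process"; pick one form. Also confirm that an "upheld complaint" is something the Whistleblower policy actually produces: the previous wording relied on a Compliance Committee ruling, and the only part of the target policy changed in this commit is the section on initiating an informal complaint.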
Expand All @@ -184,14 +176,10 @@ Committee officers who are vacated or on the Committee at its dissolution shall

Committee meeting agendas must be posted to the leaders list, and relevant other communication channels, such as social media or Slack channels to encourage public participation.

The Compliance Committee does not hold public meetings and is exempt from this requirement.

### Publishing minutes or recordings

The Committee must keep minutes of actions on the OWASP website. This can be in the form of a recording of the Committee meeting, or it can be a documented minutes prepared by the Secretary of the Committee.

The Compliance Committee does not hold public meetings and is exempt from this requirement.

### Awards, Grants, and Scholarships

Committees can access the Awards, Grants, and Scholarship policies, and must comply with the transparency requirements in those policies.
Expand All @@ -218,8 +206,6 @@ If the Committee wishes to fund an unbudgeted grant, committees should create a

Committees who fail to provide an annual budget will be considered inactive and unable to spend under the expenses, travel, awards, grants, and scholarships. A budget containing zero expenses and income is permitted.

The Compliance Committee is welcome to submit an empty budget if they plan on not attending Board meetings in person, otherwise they should submit a budget detailing that travel.

### Donations, Sponsorship, and Fundraising

Committees are strongly encouraged to solicit donations, sponsorships and fundraise for the Foundation. Committees have access to the Donations and Sponsorships policies and must comply with these policies. Where a donation is likely to be restricted, the Committee must work with the Foundation to see if unrestricted donations with donation and expense transparency for the donor will suffice to minimize administrative overheads.
Expand All @@ -244,15 +230,12 @@ For the purposes of accountability and transparency, Committees should expect th

### Misconduct

Committee members must abide by the OWASP Code of Conduct. A committee member can be reported to the Compliance Committee by OWASP members, other committee officers, Foundation staff, and the OWASP Board.

In the unlikely event that the Compliance Committee has misconduct, this will be referred to the OWASP Chair for further action.
Committee members must abide by the OWASP Code of Conduct. A committee member can be reported [via the Whistleblower complaint process](/www-policy/operational/whistleblower) by OWASP members, other committee officers, Foundation staff, and the OWASP Board.

The OWASP Board may sanction, declare leadership vacant, or dissolve a Committee to resolve a misconduct claim.
Conflict Resolution

Internal disputes within the scope (for example, within projects and the Projects Committee), the Committee is the first level of dispute resolution using the OWASP Conflict Resolution policy. If the issue remains, the dispute should be escalated to the Executive Director, Compliance Committee, or the Board as required.
### Conflict Resolution

In the unlikely event that the Compliance Committee has conflict, this will be referred to the OWASP Chair for further action.
Internal disputes within the scope (for example, within projects and the Projects Committee), the Committee is the first level of dispute resolution using the OWASP Conflict Resolution policy. If the issue remains, the dispute should be escalated to the Executive Director, [via the Whistleblower complaint process](/www-policy/operational/whistleblower), or the Board as required.

After mediation, the decision of the Compliance Committee, Executive Director, or Board is final and binding.
After mediation, the decision of the Compliance Team, Executive Director, or Board is final and binding.
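Review bot: "Compliance Team" in the last line is not defined anywhere in the visible changes, which otherwise route complaints through the Whistleblower process; either define the Compliance Team in this policy or name the body the Whistleblower policy uses. The escalation sentence is also a non-parallel list (a person, a process, a body); suggest "the dispute should be escalated to the Executive Director or the Board, or raised [via the Whistleblower complaint process](/www-policy/operational/whistleblower), as required". Promoting "Conflict Resolution" to a "###" heading is a good fix, since the previous paragraph ran straight into it.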
2 changes: 1 addition & 1 deletion operational/events.md
Expand Up @@ -338,7 +338,7 @@ Events should negotiate with and encourage paid trainers to donate a portion of

The event team may establish a discount code to provide complimentary registration for paid events, but this should be financially responsible and not exceed 20% of the total tickets available. If the desire is to run a mostly free event with more than 20% of tickets being complimentary, contact the OWASP Foundation to find sponsors for the event so it can be free for all attendees.

If speakers or trainers need an assistant to run their session, a limited number of complimentary discount codes may be given to the trainer to give to nominated assistants to assist them throughout their talk or training session. Assistants who are simply sitting in on the class as a complementary attendee should instead be processed through the Awards and Scholarships policy so as to not disadvantage others, improve transparency, and to ensure that the complementary attendee, if selected under an open and fair selection process, has full access to the entire event, and not just the session or training class.
If speakers or trainers need an assistant to run their session, a limited number of complimentary discount codes may be given to the trainer to give to nominated assistants to assist them throughout their talk or training session. Assistants who are simply sitting in on the class as a complimentary attendee should instead be processed through the Awards and Scholarships policy so as to not disadvantage others, improve transparency, and to ensure that the complimentary attendee, if selected under an open and fair selection process, has full access to the entire event, and not just the session or training class.

Complimentary registration should not be offered for training where a trainer fee is being paid without prior agreement from the trainer. Scholarships (see above) should be budgeted instead.

8 changes: 4 additions & 4 deletions operational/membership.md
Expand Up @@ -11,7 +11,7 @@ Adopted by the Board on 20-Oct-2020

## Overview

The OWASP Foundation is a member-led organization. Members serve as Board Members, Leaders, and volunteers for our community. Members have a vote in the election of OWASP Leaders. Membership is a privilege guided by the [Code of Conduct](/www-policy/operational/code-of-conduct), which has dues set by the OWASP Board of Directors, and are detailed below. Discounts are available for students, multi-year memberships, and for people living in developing economies. Complementary membership is available for active leaders, and Honorary Lifetime Membership may be granted by the Board of Directors for extraordinary service to OWASP and its mission over a long period of time.
The OWASP Foundation is a member-led organization. Members serve as Board Members, Leaders, and volunteers for our community. Members have a vote in the election of OWASP Leaders. Membership is a privilege guided by the [Code of Conduct](/www-policy/operational/code-of-conduct), which has dues set by the OWASP Board of Directors, and are detailed below. Discounts are available for students, multi-year memberships, and for people living in developing economies. Complimentary membership is available for active leaders, and Distinguished Lifetime Membership may be granted by the Board of Directors for extraordinary service to OWASP and its mission over a long period of time.

## Membership

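Review bot: renaming Honorary Lifetime Membership to Distinguished Lifetime Membership changes a membership class, yet the unchanged line "Adopted by the Board on 20-Oct-2020" above it is left as is; record the revision date (as committees.md and whistleblower.md do via their notice fields in this commit) so readers can tell the terminology was changed after adoption.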
Expand Down Expand Up @@ -47,15 +47,15 @@ Individuals can only become members of the OWASP Foundation by completing the [M
- Only qualifying individuals will be eligible for Complimentary, Regional, and Student Memberships.
- Once paid, Membership Dues are not prorated, nor can they be canceled once purchased.

The OWASP Foundation is the exclusive grantor of OWASP Memberships. No person or entity can act as a membership agent or grant Honorary or Complimentary memberships except for the OWASP Board of Directors.
The OWASP Foundation is the exclusive grantor of OWASP Memberships. No person or entity can act as a membership agent or grant Distinguished Lifetime Membership or Complimentary memberships except for the OWASP Board of Directors.

The Foundation will revoke fraudulent membership submissions without notice and no refund. Memberships and member benefits are not transferrable.

## Individual Membership Types

**One or Two-Year** Dues $50 and $95 for each respective period. Individuals can choose either a single or two-year membership. Members will begin to receive renewal email reminders as early as 60 days before renewal. The OWASP Foundation will do its best to notify members of impending renewals. It is the sole responsibility of the Member to monitor their membership status.

**Lifetime Membership** When a member makes a time non-refundable $500 payment to the Foundation, they are granted a lifetime membership, which gives them all membership rights, including the ability to vote. Lifetime membership applies until the member passes away.
**Lifetime Membership** When a member makes a one-time non-refundable $500 payment to the Foundation, they are granted a lifetime membership, which gives them all membership rights, including the ability to vote. Lifetime membership applies until the member passes away.

**Student Membership** Dues $20 per year. Full-time students may apply for this discounted membership. Student Members cannot auto-renew.

Expand All @@ -69,7 +69,7 @@ The Foundation will revoke fraudulent membership submissions without notice and

Complimentary Membership may be offered on an opt-in and automated basis to the top 5 active leaders of any chapter, project, event, or committee that supports the Foundation's mission and purpose, is in good standing subject to our Code of Ethics and has been in the top 5 position continuously for six months prior to applying for complimentary membership.

Complimentary Membership is valid for one year. Leaders do not need to accept any offer of complementary leadership. Complimentary members in good standing for 12 months may stand for the Board, but if elected, must maintain good standing with paid Membership. Directors who are eligible through the above criteria must not accept Complimentary Membership during their term and maintain good standing with paid Membership.
Complimentary Membership is valid for one year. Leaders do not need to accept any offer of complimentary leadership. Complimentary members in good standing for 12 months may stand for the Board, but if elected, must maintain good standing with paid Membership. Directors who are eligible through the above criteria must not accept Complimentary Membership during their term and maintain good standing with paid Membership.

Active leaders can accept the complimentary membership using the standard "Join" or "Renew" OWASP membership form. Complimentary membership must be manually renewed each 12 months.

2 changes: 1 addition & 1 deletion operational/program-team.md
Expand Up @@ -66,7 +66,7 @@ Local Chapters (where applicable):

- Supports logistic tasks on site before and during Event
- Contributes knowledge about local cultural practices and local knowledge.
- Provides timely ideas, suggestions for local services, catering, and complementary events.
- Provides timely ideas, suggestions for local services, catering, and complimentary events.
- Helps logistically at arrival of other team members, speakers, and guests.

## Compensation
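Review bot: this looks like a search-and-replace over-correction. The bullet lists things a Local Chapter suggests for an event ("local services, catering, and ... events"), where "complementary events" (side events that complement the main one) reads as intended; "complimentary events" would mean free events. Unless free events were meant, revert this line.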
4 changes: 2 additions & 2 deletions operational/whistleblower.md
Expand Up @@ -4,7 +4,7 @@ title: Whistleblower & Anti-Retaliation Policy (DRAFT)
layout: col-document
document: Rules of Procedure
tags: Rules of Procedure
notice: 2021-01-22
notice: 2024-05-20

---

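Review bot: the notice date is bumped to 2024-05-20 but the title still carries "(DRAFT)", and committees.md in this same commit now points its misconduct, dissolution and conflict-resolution paths at this policy; either drop the draft marker when this policy is adopted or avoid making committees.md depend on a draft process.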
Expand All @@ -24,7 +24,7 @@ It is contrary to the values of the OWASP Foundation for anyone to retaliate aga

### III. Initiating an Informal Complaint

OWASP encourages participants and members who have concerns about breaches of policy, Code of conduct violations, or similar, to report the incident as soon as possible to stop the behavior from happening. Wherever possible, please make an informal complaint in the first instance with local chapter, project, or event leaders before escalating to a formal complaint, particularly around matters of personal safety or harrassment. OWASP does not tolerate unethical behavior, violence, harrassment, or bullying behavior, or breaches of the OWASP Code of Conduct or Event Code of Conduct. If the matter is an emergency or a member or participant feels unsafe, please call local law enforcement immediately before making an informal or formal complaint.
OWASP encourages participants and members who have concerns about breaches of policy, Code of conduct violations, or similar, to report the incident as soon as possible to stop the behavior from happening. Wherever possible, please make an informal complaint in the first instance with local chapter, project, or event leaders before escalating to a formal complaint, particularly around matters of personal safety or harassment. OWASP does not tolerate unethical behavior, violence, harassment, or bullying behavior, or breaches of the OWASP Code of Conduct or Event Code of Conduct. If the matter is an emergency or a member or participant feels unsafe, please call local law enforcement immediately before making an informal or formal complaint.

A. **Employees**. The OWASP Foundation has an approved Staff Handbook covering the Foundation's employment and HR policies, including complaints, whistleblowing policies and processes. Foundation staff wishing to make a complaint or report should follow the policy and process as detailed in the most recently approved Employee Handbook, as published in OWASP's HR portal. If an OWASP member or participant wishes to make an informal complaint relating to a staff member or Foundation process, please contact the OWASP Executive Director in the first instance, who will may escalate the issue to OWASP's HR firm, the Board, or both, as the case requires. Staff are required to follow OWASP's Code of Conduct, but informal complaints or whistleblower reports by the public about Foundation staff will be handled per the Staff Handbook.

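Review bot: the unchanged context line under "A. Employees" says the Executive Director "will may escalate the issue"; drop one of the two modal verbs ("may escalate") in the same pass as the harassment spelling fix.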
