From fa94e5a4c2c0f8b087a283a58908a25f78f0709e Mon Sep 17 00:00:00 2001 From: Grant Ongers Date: Thu, 2 May 2024 12:11:31 +0100 Subject: [PATCH 1/3] Update whistleblower.md Removed references to Compliance Committee and added code for generating Compliance Officer's list from a member.yaml file. --- operational/whistleblower.md | 45 +++++++++++++++++++++++++++++------- 1 file changed, 37 insertions(+), 8 deletions(-) diff --git a/operational/whistleblower.md b/operational/whistleblower.md index 739808b..0c935bf 100644 --- a/operational/whistleblower.md +++ b/operational/whistleblower.md 
@@ -28,7 +28,7 @@ OWASP encourages participants and members who have concerns about breaches of po A. **Employees**. The OWASP Foundation has an approved Staff Handbook covering the Foundation's employment and HR policies, including complaints, whistleblowing policies and processes. Foundation staff wishing to make a complaint or report should follow the policy and process as detailed in the most recently approved Employee Handbook, as published in OWASP's HR portal. If an OWASP member or participant wishes to make an informal complaint relating to a staff member or Foundation process, please contact the OWASP Executive Director in the first instance, who will may escalate the issue to OWASP's HR firm, the Board, or both, as the case requires. Staff are required to follow OWASP's Code of Conduct, but informal complaints or whistleblower reports by the public about Foundation staff will be handled per the Staff Handbook. -B. **Non-Employees**. All individuals are encouraged to share questions, concerns, suggestions, or complaints with OWASP’s Executive Director, a member of the OWASP Board of Directors, or the [OWASP Compliance Committee](mailto:compliance@owasp.org). This person will then serve as their point-of-contact during the Whistleblower process, as well as the person responsible for capturing and archiving all related evidence, unless a conflict of interest is identified. If a conflict of interest is identified, the point-of-contact will defer responsibility to either the Chair of the Board or the Compliance Committee. +B. **Non-Employees**. All individuals are encouraged to share questions, concerns, suggestions, or complaints with OWASP’s Executive Director, a member of the OWASP Board of Directors, or the [OWASP Compliance Team](mailto:compliance@owasp.org). 
This person will then serve as their point-of-contact during the Whistleblower process, as well as the person responsible for capturing and archiving all related evidence, unless a conflict of interest is identified. If a conflict of interest is identified, the point-of-contact will defer responsibility to either the Chair of the Board or (another member of) the Compliance Team. Please report incidents or concerns as soon as possible. Informal reports over one year of age are unlikely to be resolved to anyone's satisfaction. Please proceed to a formal complaint if the incident or concern occurred more than a year in the past. 
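Review bot: the unchanged context line in section A still reads "who will may escalate the issue"; since this hunk already rewrites the neighbouring paragraph, drop one of "will"/"may" here as well. In the `+` line for section B, the parenthetical "(another member of) the Compliance Team" reads awkwardly in a policy document; write it out as "another member of the Compliance Team" so the deferral target is unambiguous.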
@@ -38,7 +38,7 @@ The OWASP Foundation recognizes that conflict between contributors participating ### V. Initiating a Formal Complaint -At any point in time, an OWASP Foundation board member, employee, or volunteer may choose to file a formal complaint regarding the ethical or legal violations of another member of our community. This complaint must be submitted in writing (non-verbal) to the [OWASP Compliance Committee](mailto:compliance@owasp.org). A valid complaint must include all background information necessary to evaluate the request, a list of each ethical or legal violation, as well as all evidence to support the claims. Upon submission, the Compliance Committee will evaluate that the complaint is valid and will respond back that either the complaint has been accepted, or it is lacking information necessary to properly evaluate (specifying what it is lacking). If the formal complaint relates to Foundation staff or procedures, the Compliance Committee will forward the complaint to the Executive Director for resolution following the complaints or whistleblower process as set out in the latest approved Staff Handbook, and report the matter to the Board for oversight purposes. +At any point in time, an OWASP Foundation board member, employee, or volunteer may choose to file a formal complaint regarding the ethical or legal violations of another member of our community. This complaint must be submitted in writing (non-verbal) to the [OWASP Compliance Team](mailto:compliance@owasp.org). A valid complaint must include all background information necessary to evaluate the request, a list of each ethical or legal violation, as well as all evidence to support the claims. Upon submission, the Compliance Team will evaluate that the complaint is valid and will respond back that either the complaint has been accepted, or it is lacking information necessary to properly evaluate (specifying what it is lacking). 
If the formal complaint relates to Foundation staff or procedures, the Compliance Team will forward the complaint to the Executive Director for resolution following the complaints or whistleblower process as set out in the latest approved Staff Handbook, and report the matter to the Board for oversight purposes. Once a complaint has been determined as valid, the complainant is asked to cease direct contact with the individual whom they are making the complaint against. Attempts to facilitate direct contact, especially regarding the complaint in question, may result in the complaint being dismissed by a Compliance Officer. Currently, we also ask that the complainant refrain from speaking on the matter with anyone other than a Compliance Officer, to ensure the utmost amount of confidentiality and integrity on the matter. Disregarding this request may also result in the complaint being dismissed by a Compliance Officer. The Compliance Officer will notify the OWASP Foundation Board of Directors that a formal complaint has been filed, the date it was filed, the complainant’s name, and the party or parties named in the complaint. 
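Review bot: in the `+` line of this hunk, "the Compliance Team will evaluate that the complaint is valid" should be "will evaluate whether the complaint is valid", since the next clause describes the two possible outcomes (accepted, or lacking information). The Committee-to-Team rename itself is consistent with the rest of the series.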
@@ -50,21 +50,50 @@ After a Compliance Officer has determined that a complaint is valid and has noti ### VII. Concluding an Investigation -Once a Compliance Officer is satisfied that they have spoken to all concerned parties and feels that they have enough information necessary to make a recommendation, they will begin to create a final report noting the allegations, the actors involved, their determination as to the veracity of the allegations, any remedial actions recommended, and any rationale for their determinations. Once complete, the final report will be provided to the complainant, the subject of the complaint, and any actors, individually, involved to allow them the opportunity to comment on the final report, which will not affect the final determination. They will be given 72 hours to respond, at which point, all responses will be aggregated alongside the final report, and any evidence collected during the investigation, and provided to the Executive Director and the OWASP Foundation Board of Directors by the Compliance Committee. At this point, the investigation can be considered closed. +Once a Compliance Officer is satisfied that they have spoken to all concerned parties and feels that they have enough information necessary to make a recommendation, they will begin to create a final report noting the allegations, the actors involved, their determination as to the veracity of the allegations, any remedial actions recommended, and any rationale for their determinations. Once complete, the final report will be provided to the complainant, the subject of the complaint, and any actors, individually, involved to allow them the opportunity to comment on the final report, which will not affect the final determination. 
They will be given 72 hours to respond, at which point, all responses will be aggregated alongside the final report, and any evidence collected during the investigation, and provided to the Executive Director and the OWASP Foundation Board of Directors by the Compliance Team. At this point, the investigation can be considered closed. ### VIII. Determination by the Board -Once the OWASP Foundation Board of Directors receives the final report, actor comments, and supporting evidence, they will require sufficient time to review and discuss all aspects of the situation and investigation. They should strongly consider the recommendations of the Compliance Committee report, but are by no means required to follow them. From here, the standard OWASP Foundation process for Board of Director proposals and voting will apply except that any Director named in the complaint will not be allowed to vote. Once an outcome has been agreed to, a formal decision will be written up and made public, via a post on the OWASP Blog and the OWASP Leaders List, within two weeks of the vote, along with the report provided by the Compliance Committee. Appropriate corrective action will be taken if warranted by the investigation. +Once the OWASP Foundation Board of Directors receives the final report, actor comments, and supporting evidence, they will require sufficient time to review and discuss all aspects of the situation and investigation. They should strongly consider the recommendations of the Compliance Team report, but are by no means required to follow them. From here, the standard OWASP Foundation process for Board of Director proposals and voting will apply except that any Director named in the complaint will not be allowed to vote. Once an outcome has been agreed to, a formal decision will be written up and made public, via a post on the OWASP Blog and the OWASP Leaders List, within two weeks of the vote, along with the report provided by the Compliance Team. 
Appropriate corrective action will be taken if warranted by the investigation. ### IX. Compliance Officer -The OWASP Foundation’s Compliance Officers are responsible for ensuring that all complaints about unethical or illegal conduct are investigated and resolved. The Compliance Committee will advise the Board of Directors on all complaints and their resolution and will report at least annually on any compliance activity relating to accounting or alleged financial improprieties. Compliance Committee Officers are empowered to conduct their investigations in isolation of the Board in order to maintain independence but are free to involve members of the Board as necessary. It is solely the Compliance Officer’s charge to determine whether a complaint can be considered valid for investigation though any individual may submit a complaint as noted above. +The OWASP Foundation’s Compliance Officers are responsible for ensuring that all complaints about unethical or illegal conduct are investigated and resolved. The Compliance Team will advise the Board of Directors on all complaints and their resolution and will report at least annually on any compliance activity relating to accounting or alleged financial improprieties. Compliance Officers are empowered to conduct their investigations in isolation of the Board in order to maintain independence but are free to involve members of the Board as necessary. It is solely the Compliance Officer’s charge to determine whether a complaint can be considered valid for investigation though any individual may submit a complaint as noted above. -The Compliance Committee shall immediately notify the Board of Directors and Executive Director of any concerns or complaint regarding corporate accounting practices, internal controls or auditing and work with the committee until the matter is resolved. 
+The Compliance Team shall immediately notify the Board of Directors and Executive Director of any concerns or complaint regarding corporate accounting practices, internal controls or auditing and work with the committee until the matter is resolved. At least one Compliance Officer shall be identified by the Board of Directors and approved by a two thirds vote by January 1 of each year. A member of the OWASP Board of Directors may not also serve as the Compliance Officer during their tenure on the Board. If the Board of Directors is not able to affirmative two thirds vote on at least one Compliance Officer, a neutral, third-party executive ombuds service will be contracted to serve in this role. -The current Compliance Officers are: Fiona Collins +The current Compliance Officers are: +
+
+ {% for member in site.data.members %} +
+
+
+
+
+

{{ member.name }}

+
{{ member.title }}
+
{{member.location}}
+ {% if member.twitter %} + {% assign arr = member.twitter | split: "/" %} + {% assign lastindex = arr.size | minus: 1 %} + + {% else %} +
+ {% endif %} + {% if member.linkedin %} + + {% else %} +
+ {% endif %} +


+
{{ member.description }}
+
+{% endfor %} +
+
### X. Confidentiality @@ -72,4 +101,4 @@ Violations or suspected violations may be submitted on a confidential basis by t ### XI. Contact -The Complaint / Whistleblower / Compliance Committee's email address is: [compliance '@' owasp.org](mailto:compliance@owasp.org) +The Complaint / Whistleblower / Compliance Team's email address is: [compliance '@' owasp.org](mailto:compliance@owasp.org) From f85dfb5b16defdf7bd80c073d4e681bfbf39fdb8 Mon Sep 17 00:00:00 2001 From: Grant Ongers Date: Thu, 2 May 2024 13:11:42 +0100 Subject: [PATCH 2/3] Create members.yml --- _data/members.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 _data/members.yml diff --git a/_data/members.yml b/_data/members.yml new file mode 100644 index 0000000..f689343 --- /dev/null +++ b/_data/members.yml @@ -0,0 +1,10 @@ +- image: people/board-grant.png + name: Grant Ongers + twitter: https://twitter.com/rewtd + linkedin: https://www.linkedin.com/in/rewtd/ + location: United Kingdom +- image: + name: Rick Mello + twitter: + linkedin: https://www.linkedin.com/in/rick-mello/ + location: United States From 651665dc510b3b45134eb26bdda569f4dbb78d19 Mon Sep 17 00:00:00 2001 From: Grant Ongers Date: Thu, 2 May 2024 13:15:27 +0100 Subject: [PATCH 3/3] Update whistleblower.md --- operational/whistleblower.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/operational/whistleblower.md b/operational/whistleblower.md index 0c935bf..a31a4e1 100644 --- a/operational/whistleblower.md +++ b/operational/whistleblower.md @@ -74,7 +74,7 @@ The current Compliance Officers are:

{{ member.name }}

-
{{ member.title }}
+
Compliance Officer
{{member.location}}
{% if member.twitter %} {% assign arr = member.twitter | split: "/" %} @@ -89,7 +89,6 @@ The current Compliance Officers are:
{% endif %}


-
{{ member.description }}
{% endfor %}
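Review bot (PATCH 1/3, hunk `@@ -50,21 +50,50 @@`): the added `{% for member in site.data.members %}` loop renders every entry of `_data/members.yml` as a Compliance Officer with no role filter, so any later reuse of that file (board members, staff) would silently add people to this list; use a dedicated data file such as `_data/compliance_officers.yml`, or add a `role:` key and check it inside the loop. Within the same block, `{{ member.title }}` and `{{ member.description }}` have no corresponding keys in the data file created in PATCH 2 (PATCH 3 later removes them, so the series should be squashed or PATCH 3 folded in). The handle extraction `{% assign arr = member.twitter | split: "/" %}` / `{% assign lastindex = arr.size | minus: 1 %}` yields an empty last element when the URL carries a trailing slash, as the `linkedin:` values in the data file do; store the bare handle or strip the trailing slash first. Finally, the `+` line "The Compliance Team shall immediately notify ... and work with the committee until the matter is resolved" still refers to the committee this patch removes, and "not able to affirmative two thirds vote" should read "unable to reach an affirmative two-thirds vote".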
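Review bot (PATCH 2/3, `_data/members.yml`): the second entry has empty `image:` and `twitter:` values. The template guards `twitter` with `{% if member.twitter %}`, but nothing visible guards `image`, so either supply a value or omit the key and test for it in the template. The two profile fields also use different URL conventions (`twitter:` without a trailing slash, `linkedin:` with one); pick one so template string handling does not depend on which field it is processing. The commit message of PATCH 1 refers to "a member.yaml file" while the file added here is `_data/members.yml` (which is what `site.data.members` resolves to); align the message with the actual path.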
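Review bot (PATCH 3/3, hunk `@@ -74,7 +74,7 @@`): replacing `{{ member.title }}` with the literal "Compliance Officer" is correct given that the data file has no `title` key and the loop only lists Compliance Officers, but the commit message "Update whistleblower.md" says nothing about it; state the change (title hardcoded, description removed) in the message so the history explains why the field was dropped.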
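Review bot (PATCH 3/3, hunk `@@ -89,7 +89,6 @@`): removing `{{ member.description }}` matches the absence of a `description` key in `_data/members.yml`; if a description is wanted later, reintroduce it inside `{% if member.description %} ... {% endif %}` rather than unconditionally, as the template already does for `twitter` and `linkedin`.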