This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Transparency Policy"
m (minor rewording of the policy violations section based on a suggestion from Josh Sokol) |
m (cleanup of links) |
||
| Line 2: | Line 2: | ||
==Policy Status== | ==Policy Status== | ||
| − | <blockquote>'''WORKING DRAFT''' - this is a working draft being discussed on the | + | <blockquote>'''WORKING DRAFT''' - this is a working draft being discussed on the [https://lists.owasp.org/mailman/listinfo/governance Governance List]. When completed, this will be presented to the [https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project#2014_Global_Board_Members Board of Directors] for adoption. Once accepted, this notice will be updated to reflect the the policy is binding on members.</blockquote> |
=="O" is for Open: An introduction== | =="O" is for Open: An introduction== | ||
| − | The "O" in OWASP is for "Open" - Section 1.03 of the | + | The "O" in OWASP is for "Open" - Section 1.03 of the [https://www.owasp.org/images/9/92/April2014OWASPFoundationByLaws.pdf OWASP Bylaws] defines the value "Open" to mean: |
<blockquote> "Everything at OWASP is radically transparent from our finances to our code."</blockquote> | <blockquote> "Everything at OWASP is radically transparent from our finances to our code."</blockquote> | ||
| Line 46: | Line 46: | ||
== Policy Violations == | == Policy Violations == | ||
| − | All members must comply with this policy, or will be subject to | + | All members must comply with this policy, or will be subject to [https://www.owasp.org/index.php/Governance/Whistleblower_Policy disciplinary action], including the possibility of suspension or revocation of membership, exclusion from OWASP events and email lists, or other such action as determined. |
Revision as of 14:34, 19 June 2014
Transparency Policy
Policy Status
WORKING DRAFT - this is a working draft being discussed on the Governance List. When completed, this will be presented to the Board of Directors for adoption. Once accepted, this notice will be updated to reflect the the policy is binding on members.
"O" is for Open: An introduction
The "O" in OWASP is for "Open" - Section 1.03 of the OWASP Bylaws defines the value "Open" to mean:
"Everything at OWASP is radically transparent from our finances to our code."
This raises the question, what does "radically transparent" mean? Is there anything that can't be disclosed to the membership and/or public?
This policy defines what is not allowed to be disclosed, either because of legal, ethical, or privacy obligations.
Radical Transparency
OWASP is committed to making its governance, processes, and finances transparent, so that any outside observer can determine how decisions were considered and ultimately agreed upon. When and where possible, OWASP must provide transparency.
There are, however, certain areas where transparency cannot be provided, either because it violates a law, is unethical, or goes against the expectation of privacy. The rule of thumb for transparency is to default all information as public, or if it must be restricted, the mandate is to make it as widely available as possible.
Levels of information restriction:
- Public (most open)
- All OWASP members, staff, Board of Directors
- Some members and/or staff, Board of Directors
- Executive Director, Compliance Officer, Board of Directors
- Executive Director, Board of Directors
- Board of Directors (most restricted)
Exclusions from Radical Transparency
In this section, an attempt is made to enumerate situations where OWASP cannot provide transparency. Note that this list is not exhaustive, and future situations where there is a question about transparency should use this as a guide.
| Exclusion | Notes |
|---|---|
| Staff records as maintained for Human Resources purposes | Restricted to just staff and BoD members with a legitimate need to access records. Must never be disclosed unless permission is given from the staff member that the record pertains to. |
| Information pertaining to legal action, or pending legal action | Restricted to just staff and BoD members with a legitimate need to access information. Must never be disclosed publicly either before, during, or after the legal action unless permitted by legal counsel. |
Policy Violations
All members must comply with this policy, or will be subject to disciplinary action, including the possibility of suspension or revocation of membership, exclusion from OWASP events and email lists, or other such action as determined.
