Rules of Procedure

Elections Policy (DRAFT)

This is a DRAFT or SUBSTANTIALLY MODIFIED existing policy currently in an open review period.


Members are invited to provide feedback on this draft policy until September 13, 2024. The Policy Review Team will respond to comments mailed from your owasp.org email address to this address.


Overview

The OWASP Foundation (OWASP) is a community-led organization where some leadership roles are filled with individuals elected by Membership. While the following policy is specifically written for Board of Directors Elections, it should be used as a model for other OWASP elections. Elections should be conducted in a fair and transparent manner that includes:

  • Sufficient notice period for nominations and voting
  • Concise candidate and electorate qualifications
  • Publicly available timelines on the OWASP website
  • Open process for community to meet candidates
  • Private method of voting
  • Publication of full voting results

This policy is established under section 3.12 (“Nomination and Election Procedures”) of the OWASP By-Laws (By-Laws).

Process

No later than two months prior to an election, a timeline will be publicly available that is minimally shared on the OWASP website. On the nearest business day, the timeline will include notices, important dates, and milestones to be published on the OWASP website prior to the election process starting.

For the OWASP Board of Directors those annual milestones are:

  • Call for Candidates, August 15
  • Candidate Registration Deadline, August 31
  • Candidates announced to the community, September 10
  • “Membership Day,” September 30
  • Election Voting Opens, October 15
  • Election Voting Closes, October 30
  • Results announced to the community no later than the first business day after November 3

Elections shall include a method for the electorate to get to know the candidates and their position on topical matters. For the Board of Directors election, this method will minimally include (1) a two-week call for questions from the community, where a final list sorted by popularity for up to six questions will be provided to candidates, and (2) each candidate posting an online video linked on the Foundation’s website to a candidate community page.

Email sent to Members shall be the official and primary communication method to engage candidates and Members for OWASP elections. Members shall receive no less than three (3) email notices for the following: (1) call for candidates, (2) call for questions, (3) notice that to vote you must be a Member, and (4) notice to vote. Timelines for elections may include courtesy notices through other channels including social media and mailing lists; however, they are not required and should not be expected for official communications from the OWASP Foundation to Members and the community at large.

Voter Qualifications

Membership class voter qualifications are defined in the By-Laws in section 2.3 (b). Individual members who are in good standing (see By-Laws section 2.2(b)) on September 30 each calendar year are eligible to receive a secret ballot and vote in the OWASP Foundation Board of Directors election.

Candidate Qualifications

The OWASP Foundation sources its leadership from the community in a democratic process. Diversity candidates are strongly encouraged to participate in the leadership of the OWASP Foundation.

Candidate qualifications are outlined by the By-Laws in section 2.3 (a). Candidates must be OWASP Individual Members in good standing with a strong commitment to the mission of the Foundation.

Candidates must maintain good standing as OWASP Individual members from September 30 the prior calendar year through the conclusion of the election process. Candidates may be nominated via the nomination process above without having attained the full year of Individual membership but must meet the requirement of a full year of continuous membership by September 30 to be eligible to be on the ballot sent to members and must maintain their Individual membership in good standing through the conclusion of the election process.

Director Qualifications

Director qualifications and term limits are detailed in the By-Laws section 4.3 and take supremacy over this policy if there is any disagreement.

Successful Candidates must be in good standing as OWASP Individual members prior to taking their seat for their term by January 1 of the calendar year following their election, or part thereof if appointed by the Board to take over a vacancy. Directors must maintain their Individual membership in good standing throughout their term.

Successful Candidates must complete all necessary onboarding processes and paperwork, including undertaking Board training, obtaining necessary reading materials, signing the Board of Directors Commitment Agreement, completing their conflict of interest register, and agreeing to the Board Code of Conduct, and any other tasks, prior to taking their seat (Director Qualification Prerequisites).

Candidates and Directors who fail to satisfy the above Director Qualification Prerequisites will be ineligible to be seated or vote at Board meetings. In the event a Candidate and Director fails to satisfy such Director Qualification Prerequisites by the first public Board meeting of the calendar year, the incoming Board shall follow the disqualification and vacancy processes in the By-Laws (sections 4.5 and 4.6) to vacate and fill the position.

Director Attendance and Other Requirements

Per section 4.3 (c) of the By-Laws, the following attendance and other requirements are set by the Board:

  • Directors must attend at least 75% of general Board meetings in the calendar year. Board prep calls, special board meetings, and other ad hoc meetings without quorum or voting requirements do not count towards attendance.
  • Directors should make plans to attend at least two in-person general Board meetings annually, generally held at Global AppSec events. If they cannot attend in person, they should attend virtually. These meetings count toward attendance requirements.
  • Directors are expected to attend remote meetings with their cameras enabled and agree to the meetings being recorded.

If these requirements are not being met for an extended period, then the Board may invoke sections 4.5 and 4.6 of the By-Laws to remove a Director and fill the resulting vacancy.

Officer Qualifications

Certain OWASP Board officer positions, notably Treasurer, may require Directors to execute various additional agreement(s) prior to assuming the duties of office, such as becoming a signatory on OWASP’s financial accounts, co-approver in accounting systems, and so on. Failure to execute those agreement(s) or obtain sufficient access will result in a removal motion under section 6.4 of the By-Laws, and subsequent removal from the officer position. The Officer vacancy process (section 6.2) shall then occur to find a replacement officer.

Officer Term of Office

As per sections 6.3 and 6.4 of the By-Laws, officers (Chair, Vice Chair, Treasurer, and Secretary) shall be elected by a majority vote of their fellow Directors generally for a term of one year at the first special or general Board meeting in each calendar year.

Officers shall hold office from the date they are elected to their role until removed or replaced by the Board, if their term does not expire before then.

In the event an officer ceases to be a Director or otherwise becomes ineligible to serve as an officer (e.g. due to term expiration, term limits or not being re-elected), the office they hold becomes vacant. If the Chair position is vacant, the Vice Chair will step in. If both the Chair and Vice Chair, and/or the Treasurer roles are vacant, the Board must hold a special meeting as early as practicable to elect a new Chair and then conduct new elections for all open Officer positions.

Voting

Voting in elections shall be a secret ballot of Members. Balloting shall be open for no less than fourteen (14) and no more than twenty (20) days. Voting closes at 11:59pm US-Pacific Time on the election voting end date. In the case of Board Elections, staff will ensure current Members of the Foundation receive a serialized ballot. Members can vote only once in each election per election cycle.

In situations where an election will be selecting from among more than one candidate for a position (as is the case in general Director elections), ballots will be designed to allow each elector to cast a number of votes equal to the number of open seats on the ballot. Electors are not required to cast the full number of votes allowed and can only vote for a single candidate once.

Results

All OWASP elections shall fully report the results of balloting in no more than three (3) days following the close of voting. Each candidate's individual vote total and, in the case where the electorate can cast more than one vote, the cumulative total of all ballots cast will be listed in a publicly available manner that is minimally shared on the OWASP website.

The Executive Director or their designee shall certify an election result. Member voting history is private, so no one other than the Member shall know their own votes.

Fraud and unethical conduct

Fraudulent behavior, unethical conduct, or efforts to either suppress or inappropriately influence votes shall not be tolerated, as they are against the OWASP Code of Conduct. The disciplinary process detailed in the Code of Conduct will apply - up to and including being removed as an OWASP Member or having participation revoked by the Board.

Sole Election Policy

Regardless of the information presented throughout the OWASP website or conveyed by its leaders, members, staff, or Directors, subject to the By-Laws and OWASP Certificate of Incorporation, this Election Policy is the sole and authoritative policy for OWASP elections.