[Owasp-board] Code of conduct for OWASP events

Andrew van der Stock vanderaj at owasp.org
Fri Feb 27 03:13:02 UTC 2015


Hi folks,

It's way, way, way past time for discussions to start as we are running
several global branded events in 2015 and NONE of them have a code of
conduct or anti-harassment policy and already two of our three or four
events have either zero or only one woman speakers, despite AppSec EU
having over 120 CFP submissions.

If you believe things are fine or that is just how our industry is, that
ship sailed back in 1950. Let's get to a consensus and work towards fixing
this problem.

We have almost certainly started to sign up sponsors, vendors, and CFPs are
open, so we have to do something now before we can't until 2016. Inaction
allows the status quo to thrive, and it's really unacceptable.

LatAm Tour 2015: Speaker agreement: Nothing. No women speakers.
https://www.owasp.org/images/4/4f/AppSec_Latam_2015_Speaker_Agreement.pdf

LatAm Tour 2015: Instructor agreement: Nothing. No women instructors as far
as I can tell
https://www.owasp.org/images/f/fa/LatamTour_2015_Training_Instructor_Agreement.pdf

LatAm Tour 2015: Sponsor opportunities. Nothing
https://www.owasp.org/images/5/5f/Latam_Tour_2015_Sponsorship_Opportunities.pdf

AppSec EU 2015: Nothing in our speaker, sponsor, or vendor information.
Just one woman co-speaker selected from 120 submissions. Really? In 2015?
http://2015.appsec.eu/wp-content/uploads/2014/12/AppSec-Eu_Research-2015_Amsterdam_Sponsor-document.pdf

AppSecUSA 2015 code of conduct: Nothing.

AppSecUSA 2015 vendor form: Nothing.
https://docs.google.com/forms/d/1Mh7PoELRg1fyc9NHQVrzHrmEh3yEh3qPljKa93oISjc/viewform

AppSecUSA 2015 speaker agreement form: Nothing
https://2015.appsecusa.org/c/wp-content/uploads/2015/02/AppSec-USA-2015_Speaker-Agreement.pdf

Maybe now you can see the problem. It shouldn't be up to the organizers of
each year to determine and include these policies, they should be overlays
for all our events, like our Code of Ethics is.

Despite all this doom and gloom, our anti-harassment policy for OWASP
AppSec USA 2014 is okay. It's not surprising that there were women speakers
at this event, but only just barely: five women speakers out of 78 (6%),
including Kate who talked about starting a chapter. This is actually our
best representation for all the events I looked at.

AppSecUSA 2014 Code of conduct:
https://www.owasp.org/index.php/AppSec_USA_2014/Conference_Policies#Anti_Harassment_Policy

It should be linked to in all speaker agreements, the vendor and sponsorship
agreements. I am very disappointed that none of the events in 2015 seem to
be using it.

Other codes of conduct you may be interested in:

Linux.conf.au is the only global Linux conference Linus attends every year.
http://linux.conf.au/cor/code_of_conduct

Black Hat did not implode with this code of conduct:
https://www.blackhat.com/code-of-conduct.html

KiwiCon's Code of Conduct is antipodean direct:
https://www.kiwicon.org/faq/code-of-conduct/

They kicked out speakers Ben Nagy and the Grugq last year, so it's not just
ASCII art.

I wanted to share with you BruCon's Code of Conduct as they started with
the Ada Initiative in 2013, and then modified it after it was used against
them.

At the very least, I'm looking for the Board to discuss this issue at our
next Board meeting, and I'd like for us to vote on the following as a
package:

* We make AppSec USA's 2014 Code of Conduct / Anti-harassment policy the de
facto starting point for all our conferences, globally.

* Adopt a reference in the standard OWASP Speaker's agreement form that
points to this policy

* Add in a reference to the standard OWASP vendor / sponsor agreement form
that points to this policy, as well as prohibiting sexualized staff members
(booth babes and the fictitious booth dudes).

* Require the LatAm Tour, AppSec EU and AppSec US 2015 organisers to use
these updated policies, which will almost certainly entail getting back to
the already chosen speakers, sponsors and vendors and getting them to
re-agree to it. As it was already policy in 2014, this shouldn't be too
much of a stretch as it was most likely overlooked or forgotten.

For AppSec USA 2015 and beyond, we really need to get them to encourage
submissions from women. If a conference gets zero CFP submissions by women,
you will have zero talks by women. I do not believe for a second there are
zero women in our industry. We need to stop being passive about this, and
start recruiting women to submit talks.

* Require conference committees to send out invitations to as many women
speakers as possible so there is diversity in submissions.

* We should also help with helping folks create solid CFPs that are more
likely to succeed if submissions are to be chosen solely by merit. I don't
think this should be restricted to just women, but should also include
first time speakers, who often struggle to get their first speaking gig at
a large conference.

I would like to get us to talk about the best way to achieve a desired
outcome - what is the desired percentage of talks that should be given by
women, how we will achieve that goal, and when shall we achieve that goal?

thanks,
Andrew