[Owasp-board] Code of conduct for OWASP events

Matt Konda matt.konda at owasp.org
Fri Feb 27 13:09:31 UTC 2015


I am supportive of advancing this and willing to help in a variety of ways
from finding examples, to asking people I know that have done it, to
meeting outside of our regular times, to helping to draft something.
Please don't hesitate to ask.  I've seen this kind of thing have a
surprising impact in the dev communities I am part of and I agree 100% that
its past time now.

However, I have also seen good faith efforts to do this fail when people
"who do this" are not involved.  Frankly, although I consciously try, I do
not have the sensitivity to everything I should and as a board we don't
exactly represent the people we're trying to write the policy for - so at
the least I think we should be humble and ask (and probably pay) for input.

In terms of things the board can do soon, I think:

   1. Support this effort financially or time-wise in terms of a minor
   budget allocation.
   2. Perhaps staff can coordinate parts of it to pull a draft together?
   3. Point to and publicize what we do have.  (Michael, that was an
   awesome turnaround)
   4. Encourage people to submit to CFP personally.
   5. What else?

Coming back to my previous email about process, I would think that 1+2
could be a simple voting item for the next meeting.  Of course, I'm open to
other approaches.

Again, I applaud the initiative and am supportive.  Thanks for leading us
in a good direction.


On Fri, Feb 27, 2015 at 12:12 AM, Michael Coates <michael.coates at owasp.org>

> Andrew,
> (To address the policies comments)
> Here are the conference speaker policies. These policies address most of
> your comments already.We just need to make sure the policies are visible on
> the conference website and not just on the owasp wiki and also in our terms
> and contracts.
> https://www.owasp.org/index.php/Governance/Conference_Policies
>  I'll fix AppSecUSA in just a moment.
> (Regarding diversity of speakers)
> Agree that more diversity in submission is better than less.
> * Require conference committees to send out invitations to as many women
> speakers as possible there is diversity in submissions.
> > I'm not sure what this means in practice. We're broadcasting out CFP far
> and wide. Perhaps the community can create a google spreadsheet with lists
> of ideas to advertise AppSec conferences. We can then make it standard
> practice for conferences to advertise CFP to everything on the list.
> * We should also help with helping folks create solid CFPs that are more
> likely to succeed if submissions are to be chosen solely by merit.
> > Certainly not against it. If a group wants to provide tips and
> techniques to make better CFPs then that's great. I don't think this should
> be a requirement or expectation of the conference organizers. They already
> have plenty of items on their plate.
> * what is the desired percentage of talks that should be given by women,
> how we will achieve that goal, and when shall we achieve that goal?
> > Discussion is good. We should always select the best talks for a
> conference. We should also always encourage a wide range of people to
> submit talks and help them submit good talks. In addition OWASP has such a
> range of speaking opportunities from global conferences to regional and
> local events there are numerous ways for people to build their speaking
> skills This however is separate from target percentages which I don't
> believe would have the net effect you're hoping for.
> --
> Michael Coates | @_mwc <https://twitter.com/intent/user?screen_name=_mwc>
> OWASP Global Board
> Join me at AppSecUSA <http://AppSecUSA.org> 2015 in San Francisco!
> On Thu, Feb 26, 2015 at 7:13 PM, Andrew van der Stock <vanderaj at owasp.org>
> wrote:
>> Hi folks,
>> It's way, way, way past time for discussions to start as we are running
>> several global branded events in 2015 and NONE of them have a code of
>> conduct or anti-harrassment policy and already two of our three or four
>> events have either zero or only one woman speakers, despite AppSec EU
>> having over 120 CFP submissions.
>> If you believe things are fine or that is just how our industry is, that
>> ship sailed back in 1950. Let's get to a consensus and work towards fixing
>> this problem.
>> We have almost certainly started to sign up sponsors, vendors, and CFPs
>> are open, so we have to do something now before we can't until 2016.
>> Inaction allows the status quo to thrive, and it's really unacceptable.
>> LatAm Tour 2015: Speaker agreement: Nothing. No women speakers.
>> https://www.owasp.org/images/4/4f/AppSec_Latam_2015_Speaker_Agreement.pdf
>> LatAm Tour 2015: Instructor agreement: Nothing. No women instructors as
>> far as I can tell
>> https://www.owasp.org/images/f/fa/LatamTour_2015_Training_Instructor_Agreement.pdf
>> LatAm Tour 2015: Sponsor opportunities. Nothing
>> https://www.owasp.org/images/5/5f/Latam_Tour_2015_Sponsorship_Opportunities.pdf
>> AppSec EU 2015: Nothing in our speaker, sponsor, or vendor information.
>> Just one woman co-speaker selected from 120 submissions. Really? In 2015?
>> http://2015.appsec.eu/wp-content/uploads/2014/12/AppSec-Eu_Research-2015_Amsterdam_Sponsor-document.pdf
>> AppSecUSA 2015 code of conduct: Nothing.
>> AppSecUSA 2015 vendor form: Nothing.
>> https://docs.google.com/forms/d/1Mh7PoELRg1fyc9NHQVrzHrmEh3yEh3qPljKa93oISjc/viewform
>> AppSecUSA 2015 speaker agreement form: Nothing
>> https://2015.appsecusa.org/c/wp-content/uploads/2015/02/AppSec-USA-2015_Speaker-Agreement.pdf
>> Maybe now you can see the problem. It shouldn't be up to the organizers
>> of each year to determine and include these policies, they should be
>> overlays for all our events, like our Code of Ethics is.
>> Despite all this doom and gloom, our anti-harassment policy for OWASP
>> AppSec USA 2014 is okay. It's not surprising that there were women speakers
>> at this event, but only just barely: five women speakers out of 78 (6%),
>> including Kate who talked about starting a chapter. This is actually our
>> best representation for all the events I looked at.
>> AppSecUSA 2014 Code of conduct:
>> https://www.owasp.org/index.php/AppSec_USA_2014/Conference_Policies#Anti_Harassment_Policy
>> It should be linked to in all speaker agreement, the vendor and
>> sponsorship agreements. I am very disappointed that none of the events in
>> 2015 seem to be using it.
>> Other code of conducts you may be interested in:
>> Linux.conf.au is the only global Linux conference Linus attends every
>> year.
>> http://linux.conf.au/cor/code_of_conduct
>> Black Hat did not implode with this code of conduct:
>> https://www.blackhat.com/code-of-conduct.html
>> KiwiCon's Code of Conduct is antipodean direct:
>> https://www.kiwicon.org/faq/code-of-conduct/
>> They kicked out speakers Ben Nagy and the Grugq last year, so it's not
>> just ASCII art.
>> I wanted to share with you BruCon's Code of Conduct as they started with
>> the Ada Initiative in 2013, and then modified it after it was used against
>> them.
>> At the very least, I'm looking for the Board to discuss this issue at our
>> next Board meeting, and I'd like for us to vote on the following as a
>> package:
>> * We make AppSec USA's 2014 Code of Conduct / Anti-harassment policy the
>> de facto starting point for all our conferences, globally.
>> * Adopt a reference in the standard OWASP Speaker's agreement form that
>> points to this policy
>> * Add in a reference to the standard OWASP vendor / sponsor agreement
>> form that points to this policy, as well as prohibiting sexualized staff
>> members (booth babes and the fictitious booth dudes).
>> * Require the LatAm Tour, AppSec EU and AppSec US 2015 organisers to use
>> these updated policies, which will almost certainly entail getting back to
>> the already chosen speakers, sponsors and vendors and getting them to
>> re-agree to it. As it was already policy in 2014, this shouldn't be too
>> much of a stretch as it was most likely overlooked or forgotten.
>> For AppSec USA 2015 and beyond, we really need to get them to encourage
>> submissions from women. If a conference gets zero CFP submissions by women,
>> you will have zero talks by women. I do not believe for a second there are
>> zero women in our industry. We need to stop being passive about this, and
>> start recruiting women to submit talks.
>> * Require conference committees to send out invitations to as many women
>> speakers as possible there is diversity in submissions.
>> * We should also help with helping folks create solid CFPs that are more
>> likely to succeed if submissions are to be chosen solely by merit. I don't
>> think this should be restricted to just women, but should also include
>> first time speakers, who often struggle to get their first speaking gig at
>> a large conference.
>> I would like to get us to talk about the best way to achieve a desired
>> outcome - what is the desired percentage of talks that should be given by
>> women, how we will achieve that goal, and when shall we achieve that goal?
>> thanks,
>> Andrew
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20150227/67772a34/attachment-0005.html>

More information about the Owasp-board mailing list