[Owasp-board] Discussion on motion for next Board meeting

Andrew van der Stock vanderaj at owasp.org
Wed Jun 14 02:00:43 UTC 2017

Hi there,

As part of the OWASP Top 10 track at the OWASP Summit, one of the outcomes
was to improve independence issues with the OWASP Top 10 project.

However, as Tom is often heard saying, we can't manage individual issues,
we need to manage to policy. The policy in this area is quite open, and
indeed, if we want to avoid the situation where the independence issue is
thrown at other flagships or even my stewardship of the OWASP Top 10
project, it needs to be addressed for all of them or not at all.

I am proposing tabling a motion at the next Board meeting to update the
Projects Handbook to include improved governance for Flagship projects,
with independence in appearance and in actuality.

"The Board directs OWASP Foundation staff to make updates to the Project
Handbook as applicable to include two project leaders for Flagship
projects, with a period of public comment before it takes effect. The
updated guidelines should include:

   - Flagship Projects shall have two leaders from different organizations
   to avoid independence issues in appearance or in actuality
   - Lab Projects looking to be promoted to Flagship shall have two project
   leaders as per Flagship requirements to be eligible for promotion
   - If during a project review it is identified that a project leader has
   become dormant, or through project leader resignation or transfer, the
   project has a period of three months to identify as many project leaders as
   required to resolve the situation or risk being demoted to Lab status at
   the next project review
   - A grace period of until the end of 2017 shall apply to the new
   independence requirements to allow projects time to promote a second leader.

Foundation Staff are directed to work with affected Projects, including
ensuring timely processing of leadership promotion through the usual


Happy to take the Board's view on this important topic and any friendly
amendments. I'd also like to hear from Matt Tesauro, the OWASP Senior
Technical Coordinator, as this will impact their workload, especially over
the next few months.

A list of all Flagships includes:

At this time, I'm not sure how many projects are affected by this change,
but it would definitely still include the OWASP Top 10. I will reach out to
see if I can find volunteers from within the existing project to help step
up with this process.

