[Owasp-board] Unbranded and Cobranded chapters

Andrew van der Stock vanderaj at owasp.org
Sat Sep 23 19:22:31 UTC 2017

Hi there

I would like to get a sense for the Board’s view on if OWASP should vacate chapter leadership in any chapter that no longer brands itself as an OWASP chapter. For example, the Sydney chapter no longer uses our branding and has a link from their chapter page to their new meetup page. They have not met as OWASP since at least 2014. Effectively, we have another community benefiting from a one-way flow of traffic.

Our chapter handbook states that any chapter that does not meet four times in 12 months is disbanded. Chapter leaders also need to be members (honorary is available), have signed a leadership agreement, and be in Salesforce to ensure chapter leadership comply with our code of ethics and chapter guidelines.

In this case, I would like to offer the following ideas and see what you think for a consensus vote at the next Board meeting. 

* All chapter leaders should be members, have signed the leadership agreement, and be in Salesforce as the chapter leader as per the Chapter handbook. This is already policy. Any chapter that hosts meetings outside of this norm should not be eligible for funding nor should they be on our website or claim to be OWASP chapters. I’d like to ensure our bylaws and the chapter handbook state this clearly.

* Chapters need to ensure they either have details up on the wiki (default policy and guideline requirement today) or a pointer to a Meetup which is primarily branded OWASP or under the OWASP Meetup Pro umbrella account. Chapters that don’t meet this requirement should not be funded. I’d like the chapter handbook to state this clearly, along with how to correctly use our brand.

* Carrot first. Staff to conduct an audit to identify and reach out to affected chapters to try to rectify the situation over a no more than say 30 day period, offering help to become honorary members, help to come into alignment with existing policy, sign necessary paperwork, get into Salesforce, bring them up to $500 if less than $500, and bring them into alignment with updated branding rules, and offer to take their Meetup into our Meetup Pro account to take Meetup yearly fees off the table.

* If no agreement can be made, the chapter is disbanded and we ask them to remove any OWASP references so we can cleanly restart a new chapter with fresh leadership.

* For chapters that OWASP is not the primary branding (I.e. OWASP Cityname but instead “Security Meetup”), they can remain but they would not be eligible for funding. I know many smaller regional cities hold joint events, but we should not fund these events. We can enter into partnership agreements with other organizations to share costs, or no costs, but not all costs. Otherwise, what is happening to BSides will happen (already has happened!) to us. 

* Where a divorce is inevitable and there’s a chapter balance of less than $500, I’m happy enough to pay it out and start again with fresh leadership. Above $500, we need to negotiate because it is *OWASP* *members* who helped create that balance, or it might have been previous OWASP chapter leadership who held a great local event. Only OWASP members should be given the benefit of OWASP chapter funds and OWASP’s hard work, not the splinter group. This stick should be the last alternative, but I can see it might already be too late for some groups.

I want as many chapters who are on the cusp of not being OWASP any more, to come back in. If they want out, that’s disappointing but great communities celebrate growth, but we are OWASP and it’s time for us to get our chapter, branding, funding and mindshare back. As Directors we have a duty to uphold our bylaws and financial responsibilities to all our members and not some external organization or splinter group. 


At the very least, I will be asking Tiffany to disband OWASP Sydney. I used them as a clear cut case / straw man with a larger balance, but I want to get the policy response correct before we ask staff to conduct a full chapter audit. 

OWASP Sydney have not met the basic requirements for meeting for three+ years, do not brand as us, and don’t have any current leadership. They have a chapter balance of $1200 and have not spent anything as far as I can tell since I became Treasurer, so a good case can be made that no funds need to be made available. They have already used our good will, brand, and name to create a different group. Thoughts welcome. I’d be happy to sit down with whomever looks after the Sydney meet up to discuss (see below). 

I am amenable to friendly improvements and amendments, working through other cases, working with affected chapters to see a working rebranding and a working divorce test cases before we update bylaws and guidelines, because we need to get the balance right and make it BAU for staff to operationalize.


Sent on a mobile device. Apologies for auto-incorrect and questionable punctuation. 
