Events Policy
Adopted by the Board on 28-Sept-2021
Events Policy
Background
Events at OWASP have a rich history and are fundamental to OWASP’s success. With this policy, Events are now first-tier activities at OWASP and can be run by two or more OWASP Members.
- Event team establishes an event leadership team with 2-5 OWASP members
- Create a profitable budget with realistic income, expenses, and quotes or contracts
- Apply for an event through OCMS, preferably at least 180 days prior to the event
- Foundation will process event approval, and if any, exemption approval to the Board
- If approved, OWASP Foundation signs event space and catering contracts
- Event team to recruit more organizers and volunteers, the more, the better
- Event team can start public marketing, promotion, CFPs/CFTs
- Event team to find sponsors. Foundation to sign sponsorship contracts
- Event team to divide up and work on event, local, logistic, and volunteer tasks for several months
- Event team to run the event with the help of organizers and volunteers
- Event team to submit and finalize all invoices and payments within 60 days
- Net profits are split and allocated within 90 days
- Take a break; you’ve earned it
Types of events
There are four major event types:
- Local events or activities, generally free or with a small admission fee and limited sponsorship, such as CTFs or labs, or a social event
- AppSec Days, replacing the previous “regional event” type, generally a larger charged event with sponsorships, including project summits, standards-setting, training, event, unconference, or another activity type
- Global AppSec, generally run by and for the OWASP Foundation
Normal meetings are out of scope
There is considerable overlap between larger meetings or activities and a local event. A normal chapter, project, or committee meeting does not require an event submission and does not require prior approval. Generally speaking, if a meeting or local event is free to attend, does not require sponsorship, and has expenses of less than $250, pre-approval or an OCMS event application is not required.
The following meeting types are not covered by this policy:
- Chapter meetings: a free and regularly scheduled activity led by Chapter leaders
- Project meetings or activity: a free and regularly scheduled project meeting, such as a working group or leadership meeting, led by project leaders or project volunteers
- Committee meetings: a free and regularly scheduled meeting of voting members of a Committee, and supported by our community
- Board meetings: a public general or public or private special meeting held by the Board of Directors.
Bartering sponsorships (say, where event space or food and beverage is covered by a sponsor) are encouraged to ensure that meetings and smaller events do not require pre-approval.
Community
Some primary drivers for OWASP events are that they should be fun, AppSec related, and safe to attend. Therefore, we require organizers of all event types, including OWASPx, to adhere to OWASP’s Code of Conduct and Event Code of Conduct.
OWASP Code of Conduct
All OWASP events must be conducted in a manner consistent with the OWASP Mission, Core Values, and Code of Conduct.
Event Code of Conduct
To ensure a safe, constant learning and networking experience, OWASP Events shall conform to the Conference & Event Attendee Policy and, in particular, its Anti-Harassment provisions.
Attendee Privacy
Organizers are required to follow the OWASP Foundation Privacy Policy and ensure that personal information is collected and stored in compliance with local laws and regulations like GDPR.
Participation in OWASP Events are subject to locally applicable data protection regulations (for instance, see GDPR). Where conflicting local regulations exist, the most restrictive should be observed.
Event Team Structure
Events can be run in many different ways, but to enable the proper functioning of expenses, budgets, and sponsorships, we categorize event organizers into two groups:
- Event Leaders, who must be OWASP members
- Organizers and volunteers who don’t need to be OWASP members.
We recognize that all successful events rely on the generous donation of time and resources from many leaders, organizers, and volunteers.
Leadership
Event leaders are OWASP leaders, with all that entails - a free owasp.org email, ability to claim expenses and submit budgets. Events must have at least two (2) and up to five (5) leaders. Leaders must be OWASP members to allow the use of the expenses policy and setting and using the event budget. Leadership is conferred after a successful event application process, and once granted, the event’s owasp.org page should have the list of active leaders in the event’s website on the leaders.md file.
Leaders are responsible and accountable for planning the event, drawing up and meeting the budget, and ensuring that the event is profitable. Leaders are likely to contribute well in excess of 40 hours organizing an event (usually far, far more) and perform hundreds of tasks, which is why they are considered OWASP Leaders, just like Chapter and Project Leaders.
Some of those responsibilities include:
- Ensure events are conducted in a manner consistent with the OWASP Mission, Principles, and Code of Conduct
- Comply with the OWASP Foundation Privacy Policy and ensure that personal information is collected and stored in compliance with local laws and regulations like GDPR.
- All event management logistics, budget management, website content, promotional items, site selection, catering, and venue
- Manage facility space allocation and programming layout
- Management of other meetings and receptions
- Graphical design of event including signage and print materials
- All other event-related activities not explicitly delegated and then accepted by OWASP Staff.
Local, AppSec Days, and OWASPx Event leaders are solely responsible for managing their respective Event.
Organizers
Organizers are responsible for working on and delivering event activities at the direction of Event leaders, such as reviewing papers, speaker/trainer liaison, sponsor liaison, event location and ground logistics, volunteer scheduling, and so on. Organizers are likely to perform many tasks on behalf of the event.
Events can have any number of organizers, but to promote accountability for deliverables, this policy recommends less than 20.
Volunteers
Volunteers are responsible for working on and delivering small parcels of event activities, such as proctoring rooms, taking a shift at the registration desk, and so on. Volunteers are generally local to the event itself and will likely work on only a limited number of tasks or activities.
Events can have any number of volunteers, but to reduce volunteer management and logistics, this policy recommends less than 50.
Event Teams are responsible for adequate staffing for their event, including organizers and volunteers from the local event community.
OWASP Foundation Event Team
The OWASP Foundation has a small Event team, who will be working with Event leaders to create a successful submission. They will provide the Board with any exemptions to vote on, and once completed, on the event approval process. The OWASP Foundation is responsible for signing contracts with event spaces, engaging with OWASP Foundation sponsors, processing expense claims, and paying invoices such as trainer payments or catering costs on behalf of the Event through the budget.
If an event wishes to have OWASP Foundation assistance, such as running the registration desk or running a training track, this is possible but has costs associated with it. Please work with the Foundation during the submission process to ensure that your requests can be met.
Some of the Foundation’s duties may include (and not limited to):
- Promoting or co-marketing the event once approved
- Signatory of Contracts and Agreements
- Securing necessary insurance given parameters provided by the Event Team
- Solicitation and securing event sponsors
- Processing of payments
- Accounting of profit and loss statement for the event
- Assisting with the running of a Board meeting at an AppSec Days event
- Running agreed project or training tracks
Leader, Organizer, and Volunteer Benefits
The policy recommends that in return for organizing and putting on an event, the following benefits should be applied:
- Leaders, organizers, volunteers, speakers, and trainers should have free access to the event
- All leaders, organizers, and volunteers should be given an event t-shirt or swag to help identify them for their efforts, and especially if they are present at the event to help attendees identify Event team members who may be able to assist them.
- Reasonable accommodation for parking or local transport, food, and beverages, especially if their duties require them to be present on a continuous basis
- At the discretion of Event leaders, access to event dinners and social events is highly recommended but not required.
Event leaders have in the past provided “free” OWASP membership to organizers or volunteers. Whilst admirable, OWASP funds paying for OWASP membership is prohibited by OWASP bylaws to prevent an appearance or actuality of conflict. That said, Event leaders can apply for an exemption with the event application. If an exemption is granted by the Board, a list of no more than 20 names should be provided for the exemption no later than 60 days after the end of the event. Per the bylaws, all such memberships do not confer voting rights and will last a single year unless an exemption is granted by the Board.
If an exemption is granted, any Membership fees will be deducted from the gross profits of the event at the membership fee due in the event’s country.
Foundation and Board Benefits
If the OWASP Foundation or Board attend the event, such as to assist with registration or holding a Board meeting, organizers shall give Foundation staff and the Board free access to the event. Access to event activities, such as the event dinner or social events, is recommended but not required.
Event lifecycle
An event team should be formed that plans out the event they wish to run, establish who is willing to volunteer from the community, who are the likely attendees and how many, determine a preferred location, catering if desired, A/V providers, and any hotel blocks required, have some preliminary discussions on costs with these vendors to be included in the budget. Apply for an event
All events, even small or virtual ones, require pre-approval through OWASP’s OCMS.
Event approval is contingent upon:
- A complete submission including a complete budget and all required exemptions
- The proposed event is aligned with our mission
- 2-5 event leaders (organizers and volunteers can be later)
- A complete, profitable budget including quotes from major expense categories, such as event locations and catering, and income categories including local and global sponsorships
- Dates do not conflict with nearby local or regional events or OWASP Foundation events.
You may make changes from submission until approval, and this policy encourages you to work with the Foundation for a successful event, including obtaining sponsorships.
Any exemptions required from this policy or the speaker’s agreement must be listed in the event application.
Timelines
Events take time to plan, organize, and promote. All event types require event pre-approval before the event to ensure that local or regional events do not clash with each other or Foundation events, as well as to ensure that the events have time to be organized properly, and shared services provided by the Foundation such as social media promotion, contract signing, insurance, virtual services, and so on can be provided.
The following minimum timelines apply:
- Local and OWASPx events: 90 days prior to the event
- AppSec Days: 180 days prior to the event
- Global events: 360 days prior to the event
Event teams must coordinate with the OWASP Foundation to ensure that there are no other nearby or global events or activities that would drain attendees from both events. Events within 30 days of an AppSec Global event will likely need to be rescheduled, as being too close to the AppSec Global event will likely result in poor attendance for both events.
No more than 30 days following the submission of a completed event submission, the Director of Events and Corporate Support or their designated representative shall approve or deny an Event Application. If rejected, the team shall be given additional time to improve the application or resolve issues as long as the deadlines above are met.
Events contingent on exemptions being passed by the Board require an additional 45-60 days for approval due to Board meeting schedules.
If selected, the Event Team must acknowledge receipt of and their agreement with these policies and any granted exemptions.
Pre-approval budgeting
For successful event pre-approval, Event teams must construct a profitable budget that covers the minimum requirements of each budget type. Budget templates are available in the Events in a Box.
Larger AppSec Days should plan well ahead, including the need to submit their event proposal and budget to the Foundation’s annual global budget the prior year to ensure that there are funds set aside for the event.
A budget must contain a list of potential contracts, along with any financial obligations and when expenses or revenue are due or expected.
All event types require a budget to be submitted, and only profitable events will be approved. Once approved, Event teams will be held to meeting this initial budget, so completeness and accuracy will help Event Teams run a profitable event.
OWASPx events hold events using their finances and at their own risk, so OWASP funds are not required for event approval but are recommended to assist first-time organizers in running a successful event.
Site Selection and Venue
Cities and venues for OWASP Global AppSec events should be selected through a Request for Proposal (RFP) process. Criteria for selection will include but will not be limited to:
- Accessibility
- Local community/security community presence
- Venue availability
- Value for attendees
If the event team needs assistance negotiating preliminary contract terms, the OWASP Foundation has experienced event staff who can join calls and help negotiate terms and conditions, as well as find or suggest alternative vendors who might be better value. The earlier an event team reaches out if they need help, the more likely a better deal, greater discount, or increased value can be found. Only the Executive Director can sign contracts - event teams cannot do so on behalf of the Foundation. For more information, please consult the Events In a Box handbook.
Vendor selection
All vendors, such as hotels, event spaces, A/V companies, CTF platforms, and more, should be selected through the Request for Proposal (RFP) process. Vendors are selected based on the value provided to the event.
Speakers and Trainers
Speaker Selection
Organizing teams should select speakers or trainers through a blind review process to ensure the highest integrity, transparency, and objectivity in its selection. All calls for papers, training and registration must be open and promoted to the public. If you need assistance with a blind paper selection process, please review the Events in a Box handbook, or contact the OWASP Foundation or the Events Committee for further information.
Keynote, Speaker, and Training Agreements
Presenters at OWASP Events must sign and adhere to the terms of the speaker/trainer agreement. This agreement forms part of this policy, so exemptions or amendments will need to be approved by the OWASP Board using the exemption process detailed above.
Failure by presenters to execute this agreement within seven days of the event results in their session being canceled.
The speaker agreement details all permissible payments and reimbursements for speakers and trainers.
Budgets, Expenses, and Financial Controls
OWASP Events are stand-alone profit and loss centers, which requires them to be sustainable and profitable so that the profits from the event can be reinvested in next year’s event, as well as directed investments into OWASP’s core mission.
Most events will be required to submit a budget as part of the approval process using vendor quotes, likely costs, and income, based upon realistic assumptions, and we recommend creating a budget regardless of the event size. As a non-profit organization, OWASP must demonstrate to regulators, tax agencies, sponsors, and potential donors, that funds are used wisely and frugally to deliver our mission, and we do that by approving events with a profitable budget and then working with event teams to ensure that the budget is met or exceeded.
Please refer to Events in a Box handbook to find how to find the suitable template and create a sustainable budget for your event type.
Responsibility and accountability
Exercising all necessary due diligence and care, Event Leaders shall manage the finances of OWASP events. These efforts shall always be evaluated for their transparency and integrity.
Initial Seed Funding
For the last 20 years, OWASP has funded deposits and installment payments from general revenue, and attempted to recover the deposits from profits. This was ad hoc and not well understood by many, as many did not understand that the Foundation could help Event teams start new events even without available funds. This directly led to limited growth in new events, which hampered our mission and the growth of OWASP.
This policy creates an Events Initial Seed Funding pool, with an amount set aside by the Global Board in the annual budget. New local or AppSec Days events may access this fund to start up a new Local or AppSec Days event. When funds run out, it will either need topping up by a grant, or events will need to wait until the following year to re-apply for seed funding.
Initial seeding of an event requires a successful Event submission. Approval of events is contingent upon a realistic event budget that is designed to be sustainable and profitable. Events aiming to run every year must retain sufficient profits to run the event the following year, such as event location booking fees. For more information, please see the “Investing in the future” below.
Global events are budgeted by the Foundation each year and do not have access to initial seed funding.
Event Budgets
Budgets for all events will be developed based on vendor and venue proposals, along with forecasted revenue.
Local and AppSec Days events that have forecasted expenses greater than $5,000, must submit their budget as part of the Event Application Process within the timelines set out in this policy. Global Event budgets shall be presented to the Board of Directors for its approval no later than 12 months prior to the start of the event.
If an event requires large upfront payments that cannot be covered from the seed fund or a prior year’s funds, the event can submit the likely expense to be in the global OWASP budget approval for the following year, or ask for a Board vote to grant the funds if the event is to be held within this financial year. Requisitioning pre-event spending must be completed as part of the approval process and within the timelines outlined in this policy.
Once approved by the Director of Events and Corporate Support or their designate, the Foundation will be the sole executor of instruments that contractually and financially obligate the OWASP Foundation to execute events.
Income, donations, bartering, sponsorships
All income, donations, ticketing, sponsorships, bartering arrangements, funds, and expenses must be through the Foundation for financial transparency, tax, and regulatory compliance reporting purposes.
Expenses
All expense reimbursements and payments will be paid in accordance with the expense policy, with particular attention to the following:
Budgeted expenses are eligible for reimbursement as per the approved budget, but where an expense is less than the budget, the lower of the two will be reimbursed.
When any expense other than airfare is expected to exceed $2,500, an invoice must be requested from the vendor so the Foundation can remit payment directly.
Invoices from vendors should have Net 60 terms, and the OWASP Foundation will make the best effort to pay within the current Service Level Agreement. Variations from these terms require approval by the Executive Director or their designate.
Invoices received within 30 days when payment is required cannot be guaranteed to be paid on time. Unbudgeted expenses must follow the Expense policy, including any pre-approvals as required by that policy, and any temporary expense constraints. Events must not exceed $2,500 in total per event without Executive Director or Board approval depending on the amount. Failure to do so may result in your reimbursement request being denied.
Invoices and expense reimbursements will be denied if submitted more than 60 days following the event. Event teams are responsible for covering any denied expenses due to delays in submitting invoices or expense claims.
Travel
All travel for events is governed by the Speaker’s Agreement and the OWASP Travel Policy. In all cases, due to the fact that travel discourages investments in local capabilities and talent, and its very poor return on investment for mission funds, travel and accomodation must be pre-approved and is very unlikely to be approved.
Rationale: OWASP Local, Regional, and Global Events have helped develop the skills of many famous speakers and trainers, who then go on to have an amazing career as a result. We want all speakers and all trainers from all over the world to be able to experience this by discouraging travel and encouraging local skill development.
Speaker and Trainer Fees
All speaker and trainer fees and splits are governed by the Speaker and Trainer’s Agreement, and in the unlikely case of travel or accomodation being approved, the OWASP Travel policy. For the purposes of this policy, the event/OWASP split is net the the trainer fee and travel (if any), and kept with the event’s P&L until the net profit is determined after all income and expenses have been finalized.
Speaker’s Gifts
The event team may optionally budget for and give out small gifts to speakers and trainers, primarily if speaker gifts are a common local custom.
The gift should be a small token representing the event, local region, or country that is reasonably priced and included in the submitted budget. Speaker’s gifts must not take the form of cash, cash equivalents, money transfers, or payment instruments such as pre-paid debit or gift cards. Review and adhere to travel restrictions when planning gifts, such as not giving away illegal items, bio material, or gifts that are unable to travel in the cabin of a plane.
Keep in mind that not all speakers can accept gifts for various reasons, including those in government and finance industries. Always inquire and check before planning and buying speaker gifts.
Insurance
All OWASP events must possess the correct insurance. The OWASP Foundation will provide the Event team with a quote for insurance.
Sponsorships
The OWASP Foundation is the exclusive sponsorship agent of all OWASP Events. At the Director of Events and Corporate Support’s discretion, the OWASP Foundation may provide services to Event Teams to identify, solicit, contract, invoice, and collect sponsorship revenue.
In collaboration with the Foundation, Event Teams can develop a collection of sponsorship opportunities that offer unique value to partners when supporting these events. Event Teams acknowledge that their events’ pricing and benefits must be compatible with offerings for Global AppSec events.
From time to time, the OWASP Foundation may offer “bundled” sponsorships that may include benefits delivered through larger AppSec Day events. Both the OWASP Foundation and these Event Teams will make a best-case effort to always ensure each partners’ satisfaction with their sponsorship.
Ticketing
All ticketing or registration shall be done through OWASP managed services, regardless if a fee is charged. This is for tax and non-profit compliance reasons, as our systems permit group registrations, and provides a receipt or invoice, as well as the ability for the Foundation to refund ticket holders if the event is canceled.
For tax and non-profit compliance reasons, ticketing systems may not collect charitable gifts. If organizers wish to ask attendees to donate, they should encourage that through the standard donation process at https://owasp.org/donate. This process allows donors to receive a receipt they can use during tax preparation to claim a tax deduction.
OWASP Member Discounts
For paid events, event teams are encouraged to provide and promote OWASP Member discounts. A typical amount is usually 20% off, or sufficient that the cost of OWASP membership is covered by the discount. Member discount code budgeting should ensure that discounted ticket prices still cover the costs associated with the event.
Discount codes
For paid events, event teams can provide a discount code to encourage early bird registration or partner discounts.
Discount code requests shall be provided no later than 15 days before the opening of event ticketing. Each event has a revenue forecast built on a particular number of tickets sold at various discounts. Discount code budgeting should ensure that discounted ticket prices still cover the costs associated with the event.
Bundling OWASP Memberships
Under OWASP bylaws and various privacy laws, OWASP memberships may not be offered for “free” (even on an opt-out basis) but can be bundled with the event’s price on an opt-in basis. The price differential for the bundle is the same as the class of OWASP membership being offered.
Where an event has an OWASP Member discount, bundled ticket and membership price should be the OWASP Member registration fee and the relevant membership fee. If no membership discount is offered, the overall price should be the registration fee and the relevant membership fee. There can be no discount applied to OWASP membership other than a registration discount for OWASP members to the event. The membership fee will be moved from the event’s profit & loss to pay for OWASP Membership, minus any ticketing fees so as to not disadvantage the event’s profitability.
For more details relating to offering and pricing bundled memberships, please refer to the Events In a Box Handbook.
Event teams are responsible for forwarding a final membership report to the OWASP Foundation no later than the start of the event so that all memberships can be processed with sufficient time for any member discounts to be applied.
Election notifications. It should be made clear to attendees that if they need to maintain their membership for standing in a future Global Board election or a desire to vote in an imminent election, they should use the standard membership process to renew or join, and then buy tickets to the event at the member price.
Scholarship registrations
OWASP’s mission is to provide application security training, career development, and skills development to everyone who wants to do so, including under-served, under-represented, or disadvantaged individuals. Event teams are encouraged to set aside a budget to cover small and financially responsible complimentary or reduced-cost tickets for scholarships under the Awards, Travel Assistance, and Scholarships policy.
Awards and Scholarships established by the Event are for that event only and are not transferrable. If unused and if time permits, Event Leaders should either designate a new winner or scholarship recipient using the same selection criteria as the original winner or recipient. Where an award or scholarship is unusued at the conclusion of the event, it shall be considered void.
Events should negotiate with and encourage paid trainers to donate a portion of their attendance or fee to permit scholarships, and include the trainers on the selection panel with a published and transparent rubric so that they have a say in who is selected.
Complimentary Tickets
The event team may establish a discount code to provide complimentary registration for paid events, but this should be financially responsible and not exceed 20% of the total tickets available. If the desire is to run a mostly free event with more than 20% of tickets being complimentary, contact the OWASP Foundation to find sponsors for the event so it can be free for all attendees.
If speakers or trainers need an assistant to run their session, a limited number of complimentary discount codes may be given to the trainer to give to nominated assistants to assist them throughout their talk or training session. Assistants who are simply sitting in on the class as a complementary attendee should instead be processed through the Awards and Scholarships policy so as to not disadvantage others, improve transparency, and to ensure that the complementary attendee, if selected under an open and fair selection process, has full access to the entire event, and not just the session or training class.
Complimentary registration should not be offered for training where a trainer fee is being paid without prior agreement from the trainer. Scholarships (see above) should be budgeted instead.
If the event is a paid event, the event team, event volunteers, speakers, trainers, OWASP Foundation staff, and Board members are eligible for complimentary tickets to the main event. They are not eligible for complimentary access to training unless agreed with the trainer.
Marketing
Event Teams are responsible for marketing and promoting their event, using chapter announcements, community chat, social media, and coordinating with the OWASP Foundation to boost their message to hundreds of thousands of followers.
OWASP Events shall include OWASP Branding
Events should use OWASP’s name, logo, and branding prominently on their Events website, social media, and other marketing within OWASP’s branding guidelines.
All approved Events, including OWASPx events that have paid the OWASPx licensing fee, have a license to use all OWASP registered trademarks for that approved event only.
Event approval is required before marketing can commence
Promoting events prior to approval has caused OWASP in the past to lose precious mission funds, goodwill, such as voiding contracts, paying cancellation and penalty fees, refunding tickets, and several speakers and trainers who have said they will not work with us again.
Event teams are responsible for marketing and promoting only approved events, including calls for training, calls for papers, activities, sponsors, and so on. You may announce in general terms a “save the date” that the event is coming up but take no actions that would require the Event team or OWASP itself to back out of any contractual or implied commitments, move dates or locations, or disappoint speakers or trainers, or similar.
Any unapproved event being promoted could lead to the event not being approved and will affect the Event team’s ability to apply for future events.
Website
Event teams are responsible for ensuring event website content is hosted within the owasp.org website or a sub-domain, regularly updated and well maintained, including the current schedule and program, speaker or trainer bios, who is involved in the Event team, valid registration, and ensuring of logos and so on are appropriately promoted in a vendor-neutral fashion.
Event teams are responsible for listing their event in the upcoming events area of the main OWASP website to promote and ensure the discoverability of the event.
External, unaffiliated websites that do not prominently display the OWASP logo, event sponsors, or link back to OWASP’s official website are not permitted and may be grounds for cancellation of the event or not running the event in future years.
Recording Events
Recording events is strongly encouraged. Event recordings should be made available to members soon after an event and to the public within six months of the event. Events are responsible for running their own Event channel, named “OWASP <Event Name”> so that the public can find the recordings and hopefully learn more about your event and attend in the future. A low-cost recording solution is documented in the Events in a Box. Event teams are custodians - and not owners - of the video accounts and need to be shared with all current and future leaders. Event teams must pass the accounts to the next Event team. Failure to pass on or share accounts may lead to leadership being revoked or future events being denied.
Social media
Event teams are encouraged to have their own social media accounts named “OWASP <Event Name>” so that the events can easily be found. Event teams are custodians - and not owners - of the event’s website and social media accounts.
Event teams must pass the accounts to the next Event team. Failure to pass on or share accounts may lead to leadership being revoked or future events being denied.
Campaign promotion and scheduling
Event teams are to coordinate with the OWASP Foundation to promote their posts on our various platforms. We encourage Event teams to coordinate and schedule posts well in advance to ensure that event promotions are not lost in other activities on that day.
OWASP has access to various social media management tools. Events are encouraged to work with the Foundation to utilize these rather than pay for their own.
Swag and Member stickers, coins, or pins
Swag, if offered, should be financially responsible, environmentally friendly, in line with our mission, and not difficult or bulky to transport or prohibited to travel (such as lock picks, liquids, or knives). Swag for virtual events is strongly discouraged as shipping and handling costs can easily wipe out the profitability of any event, no matter the size.
Please work with the Foundation to obtain a supply of membership pins, both individual and lifetime. These should only be handed out to OWASP Members of the appropriate membership type.
We encourage events to hand out OWASP, event, or membership stickers, pins, or coins as a marketing cost, but please ensure that costs for these are financially responsible. For example, giving away a $25 t-shirt for a $50 event does not make sense. Designs are maintained in the Events In a Box, so you can have these items made locally to reduce costs.
Enhancing our mission through profit sharing
Profits must be reinvested in our mission under the direction of the Event team. Unlike in previous policies, this policy actively encourages the event team to direct net profits towards their preferred mission. The only unacceptable use of profits is to not use them, which is prohibited by non-profit compliance rules and frowned upon by donors and sponsors.
Investing in the future
We wish to see the running of more events and for those events to grow and run time and time again. For many years, the OWASP Foundation has seeded events from general revenue and recovered deposits from event profits, but this hasn’t resulted in more events. Seeding will not change in this policy, but what will change is the idea of re-investing profits to run future events. This will allow more events to be seeded every year, which will grow our mission globally.
In the first few years of an Event under the policy, or until fully funded, OWASP will set aside 50% of the Event Team’s net profit split to fund next year’s deposits and installments, leaving the residual to the Event team to split as they see fit. These future event funds are not in general revenue but categorized solely to that event. Once the event deposit is fully funded year to year, the full profit split becomes available to the Event team. It may need topping up from time to time to cover increases in costs or as the event grows.
If an event team hasn’t held an event for a period of two years, the OWASP Foundation will call for new leadership of the Event team to see if new leadership wishes to run that event within six months of the call for new leadership. If no leadership can be found, the funds held on behalf of the event will revert to general revenue to seed and fund more events and help with our entire mission.
Local and AppSec Days
Local and AppSec Day event team leaders will be polled to direct or split 80% of the net profits of their event:
- Invest in our mission. This option provides funds to cover expenses for the next time, as well as help all chapters, projects, and committees to do more mission, and it helps bootstrap many more events. This is the preferred option simply because it requires the least administrative overhead and allows all of OWASP to grow and do more.
- Invest in next year’s event. You can allocate up to 30% of your profits to next year’s event to allow your event to grow organically. This is a good choice for events where it is likely that you will see a 20-40% growth in attendees next year.
- Invest in grants, scholarships, or awards. The Event will be listed as a benefactor of the grant, scholarship, or award. This could be used towards next year’s CTF prizes, travel, and accommodation for a number of attendees, or fund a grant.
Grants designed to fund one or more chapters, projects, or events must be used within twelve months as per the Grant policy, with defined milestones and outcomes. Any unspent funds will be reverted to the mission after twelve months.
Where an event has a long-term profit (defined as over 12 months), they will be asked to choose from this list again until the profit is just sufficient to pay deposits and installments for the next event.
If event leaders do not specify a profit destination or have residual unspent funds after 90 days, any residual event profits will be pooled back into our mission, as per the first bullet point.
The OWASP Foundation uses its 20% split of net profits to fund OWASP’s mission by donating its split to general revenue to cover accountancy overheads, bank fees, Event staff time, and other costs.
Global Events
Global events are run by the OWASP Foundation, and profits from OWASP Global Events are invested as a matter of policy to general revenue to fund all of OWASP’s mission, chapters, projects, events, and committees. That said, Global events rely upon local organizers and volunteers.
Global event team organizers and volunteers will be polled to direct or split up to 10% of the net profits of a global event:
Invest in our mission. This option provides funds to cover expenses for the next time, as well as help all chapters, projects, and committees to do more mission, and it helps bootstrap many more events. This is the preferred option simply because it requires the least administrative overhead and allows all of OWASP to grow and do more. Invest in grants, scholarships, or awards. The Event will be listed as a benefactor of the grant, scholarship, or award. This could be used towards next year’s CTF prizes, travel, and accommodation for a number of attendees, or fund a grant.
Global events are funded by the OWASP Foundation through budget requests approved by the Board, so event growth funds are not applicable to Global events. If unspecified or unspent, any residual event profits will be pooled back into our mission, as per the first bullet point.
OWASPx Events investing into OWASP’s mission
OWASPx Events run their events at their own risk with their own funds and thus do not profit share with the OWASP Foundation outside of the initial OWASPx partnership and licensing agreement.
OWASP encourages OWASPx Events to donate to OWASP through the Donation page (https://owasp.org/donate) or fund OWASP grants, awards, travel assistance, or scholarships through those policies to help fund our mission and grow awareness of application security globally.
Governance
Contracting
Under the OWASP Signatory policy, all contracts must be signed and managed by the OWASP Foundation. Event leaders, other than OWASPx event leaders, cannot sign contracts or make arrangements with sponsors, or provide membership to organizers or attendees.
Exemptions
Exemptions permit Events to apply for Board approval for an exception to the Events policy or the Speaker’s Agreement to allow a local flavor or adhere to local customs. OWASP events should be unique, run by the community, and provide value for money.
By design, OWASP is not large enough to afford many common for-profit event incentives or benefits. Most attendees, speakers, and trainers understand OWASP’s mission, so please consider if you truly need an exemption or if it’s simply a “nice to have”.
Event teams should ensure that exemptions are aligned with our core values and volunteerism, limited in nature, consider OWASP’s financial position and any temporary restrictions, adhere to tax non-profit compliance requirements and provide transparency and integrity in spending funds.
Apply for one or more exemptions by logging a non-funding ticket at https://contact.owasp.org. Exemptions should be filed during the event application process and with sufficient time to ensure that all votes are concluded before the timelines for each event type expires.
Granted exemptions apply only to a single event. Exemptions for other or previous events do not imply exemptions will be granted for this event.
Exemptions will be split into a single topic per e-vote and presented to the OWASP Board. The Board may reach out to the Events team to understand, clarify, or improve the exemption before voting. To pass, exemptions to policy require the same vote majority as outlined in the bylaws in relation to altering policies.
Exemptions can add up to 60 days to the overall event approval process due to Global Board meeting schedules. Event teams should take conditional exemption approval and timelines into account when planning and budgeting to avoid disappointment.
Events seeking exemptions will only be approved after all desired exemptions have been granted or denied by the Board. A record of passed exemptions will be kept in the event’s shared drive.
Temporary restrictions take precedence
From time to time, in cases of budget or funding emergencies, or responding to natural disasters or pandemics, fraud, or other issues that pose an existential risk to the Foundation, the OWASP Foundation Executive Director may place temporary restrictions or allowances on events, such as restricting the size, adherence to local health guidelines, personal protective equipment being required during a pandemic or disease outbreak.
Any such allowances or restrictions shall be published in the same place as this policy and publicized to OWASP Leaders.
Temporary restrictions shall be reviewed and updated by the Executive Director at least once every 90 days to ensure that restrictions do not become permanent and thus bypass approved policies. Temporary restrictions that have not been reviewed within the last 90 days have no force.
Where a published temporary restriction is in place, it takes precedence over this policy until the temporary restriction is retracted or expires.
Where to find guidance - Events in a Box
For guidance and leading practices on starting and running successful events, please refer to Events in a Box.