Rules of Procedure

Mailing Lists

Adopted by the Board on 20-Oct-2020


The OWASP Foundation maintains Mailing Lists for its community to, among other things, manage Projects, share information about Chapters, collaborate on OWASP activities, communicate with subgroups like the Board of Directors, and hold discussions amongst Leaders. Mailing lists are the preferred collaboration channel for OWASP activities.

While outlined in further detail below, the key points of using Mailing Lists are:

  • Participation and posting on Mailing Lists must follow the Code of Conduct
  • The default setting for Mailing Lists is unmoderated, and public
  • All domain lists are publicly viewable by everyone on the web
  • Nearly all lists with domain lists are open for membership. Notable exceptions are leaders@ and global-board@
  • Leaders@ and global-board@ membership is curated, and posting is limited to members

Social Media like Twitter and Facebook and messaging/collaboration tools like Slack are supplemental, not replacement channels for email communications between the community and the OWASP Board of Directors, Chapters, Projects, Committees, teams, and Members.

Creating and Removing Lists

Staff selected by the Executive Director shall administer OWASP Mailing Lists. Upon request, Leaders can be assigned as Group Manager(s). Each Chapter, Project and Committee shall have a list created for the group no later than ten days following its official formation as defined by its launch on the OWASP Foundation website. At their sole discretion with oversight from the Executive Director, Mailing List Administrators can create additional Mailing Lists upon request.

All Mailing Lists created in the domain shall have the default settings defined later in this policy, and the file of the group, leaders of the group shall be allowed to be Group Managers of the list. Deviations from these settings require approval by the Executive Director.

Mailing Lists will be considered abandoned if there are no posts within the past 18 months. From time to time, staff will audit Mailing List use, and Group Managers of abandoned Mailing Lists will be requested to justify continued use of the Mailing List. Following a 30-day waiting period, either approval by Group Managers to close or no response by any Group Manager will result in the closing of the Mailing List to future postings. The OWASP Foundation may remove or close entirely and archive abandoned Mailing Lists at its sole discretion.


Participating in Mailing Lists is a privilege which can be revoked at any time and without notice. Generally, anyone can join any mailing list in the domain with two exceptions: (1) the global-board, and (2) leaders lists.

The community can locate all OWASP Mailing Lists (groups) at Visitors can view historical conversations on public lists, search lists, and content, where applicable, join a list, and control their email settings. Google makes the best effort to deliver email from Mailing Lists, but users may need to configure their inbox and spam filter/folder to ensure expected timely delivery of messages. The OWASP Foundation is not responsible for delivery or delays associated with content from Mailing Lists.

Membership can be requested, and either the Group Owner(s) or Group Manager(s) shall grant membership to a Mailing List within seven business days of the request, provided the requestor meets the membership requirements, if any.

Users of OWASP Mailing Lists shall use their real-life identity; anonymous, unverified identities are prohibited. Upon request, Members of Mailing Lists shall provide, within seven days of said request, proof of identity to Group Owner(s). Failure to provide adequate credentials for proof of identity will result in the Member being removed and then banned from all OWASP Mailing Lists, and, at the sole discretion of the Group Owner(s), all content posted by the Member being permanently removed.

Egregious single or repeated violations of the Code of Conduct shall result in the member's suspension and subsequent banning from Mailing Lists. Suspending or banning members is solely the decision of the Executive Director.

Regarding the two controlled lists, the following are their additional membership requirements:

  • Global-board. Membership of this Mailing List is controlled to include current Board members, recently elected incoming Board Members, the Executive Director, and the Chief Financial Officer of the Foundation. While membership is controlled, all content posted to this mail list is public for anyone on the internet to read.
  • Leaders. Membership of this Mailing List is controlled to active Leaders in the Foundation, including Project, Chapter, and Committee Leaders as listed in their respective file on the website. Incoming and departing Leaders are expected to voluntarily request membership to the list or personally opt-out of the list. While membership is controlled, all content posted to this mail list is public for anyone on the internet to read.

From time to time, Mailing List membership shall be audited by Group Owner(s), and individuals who do not meet list membership requirements shall be removed from the respective list with no notice and at any time.


Generally, you must be a member of a list to post to an OWASP Mailing List. All use of and behavior on Mailing Lists, mainly posting, shall conform to the OWASP Foundation Code of Conduct. Posts and other behaviors related to Mailing Lists that violate the Code of Conduct should be reported to the Group Owner(s) and Group Manager(s) for Moderation, up to and including removal of the post and any resulting threads, along with banning of the individual who made the post on all OWASP Mailing Lists.


The default setting for Mailing Lists is not moderated. At the sole discretion of Group Owner(s) and subject to oversight by the Executive Director, Mailing Lists can be set to moderated at any time and without notice. Behaviors and posts in violation of the Code of Conduct that are reported to Group Owner(s) are an example of behaviors that shall result in moderation.

When Mailing Lists are set to Moderated, Group Owner(s) will review pending posts on weekdays during normal business hours, meaning posts may be held as pending for as long as 72 hours during normal non-U.S. holiday work weeks. Posts that do not conform to the Code of Conduct will not be approved during periods of Moderation. Where appropriate, Group Owner(s) who reject posts during Moderation shall, at the request of the posting Member, within seven days provide a written response related to the decision to deny.

Members of Moderated Lists can request Group Owner(s) to remove Moderation every ten days; however, each request does not guarantee a return to normal moderation settings.

Mailing List Default Settings

While circumstances may dictate modifications, all domain Mailing Lists other than the Controlled lists mentioned above shall have the following default settings:

  • Who can see the group: Anyone on the web
  • Who can join the group: Anyone on the web can ask
  • Allow external members: On to allow people outside the organization to request membership.
  • Who can view conversations: Anyone on the web
  • Who can post: Group Members
  • Who can view members: Group Owners
  • Conversation History: On
  • Who can moderate content: Group Managers
  • Who can moderate metadata: Group Managers
  • Who can post as a group: Group Managers
  • Message Moderation: No Moderation
  • New Member Restrictions: No posting restrictions for new members
  • Group Email Language: English
  • Who can manage members: Group Managers
  • Who can modify roles: Group Managers

The community is invited to report deviations from the Mailing List defaults to Mail List Administrators.


Use of OWASP Mailing Lists is not private, and data about you and your behavior is collected and used according to the OWASP Privacy Policy. Your email address may be publicly exposed to visitors. In most cases, Mailing Lists are set to public, meaning anyone on the internet can view your comments and your identity; this is by design. Specific lists are not public like those in the domain, but administrators and Group Owner(s) can always read and delete messages from any OWASP Mailing List without notice.

Sole Mailing List Policy

Regardless of the information presented throughout the OWASP website or conveyed by its Leaders, members, staff, or Directors, this page is also subject to the OWASP Foundation By-Laws and Articles of Incorporation. It is the sole and authoritative Mail List policy of the OWASP Foundation, Inc.

Member and Leader Defined

For the purposes of this policy, “member”, unless occurring at the beginning of a sentence, refers to individuals who join a list. “Member” refers to Members of the OWASP Foundation as defined in the Bylaws. Subject to the policies above, generally anyone can become a member of a Mailing List; however, being a member of a list is not the same as being a Member of the OWASP Foundation.