Whistleblower & Anti-Retaliation Policy (DRAFT)
This is a DRAFT or SUBSTANTIALLY MODIFIED existing policy currently in an open review period.
Members are invited to provide feedback on this draft policy until February 12, 2021. The Policy Review Team will respond to comments mailed from your owasp.org email address to this address.
OWASP Whistleblower & Anti-Retaliation Policy
The OWASP Foundation requires Board members, employees, and volunteers to observe high standards of business and personal ethics in the conduct of their duties and responsibilities. As employees and representatives of the OWASP Foundation, we must practice honesty and integrity in fulfilling our responsibilities and comply with all applicable laws and regulations. The purpose of this policy is to encourage any concerned parties to come forward with credible information on illegal practices or violations of adopted policies of the organization. The policy specifies that the organization will protect the individual from retaliation and identifies the appropriate procedure(s) for reporting these issues.
I. Reporting Responsibility
This Whistleblower Policy is intended to encourage and enable employees and others to raise serious concerns internally so that the OWASP Foundation can address and correct inappropriate conduct and actions. It is the responsibility of all board members, employees, and volunteers to report concerns about violations of the OWASP Foundation’s code of ethics or suspected violations of law or regulations that govern the OWASP Foundation’s operations.
II. No Retaliation
It is contrary to the values of the OWASP Foundation for anyone to retaliate against any board member, employee, or volunteer who in good faith reports an ethics violation, or a suspected violation of law, such as a complaint of discrimination, or suspected fraud, or suspected violation of any regulation governing the operations of the OWASP Foundation. Anyone who retaliates against someone who has reported a violation in good faith is subject to discipline up to and including termination of employment, removal from office, and revocation of membership.
III. Initiating an Informal Complaint
OWASP encourages participants and members who have concerns about breaches of policy, Code of conduct violations, or similar, to report the incident as soon as possible to stop the behavior from happening. Wherever possible, please make an informal complaint in the first instance with local chapter, project, or event leaders before escalating to a formal complaint, particularly around matters of personal safety or harrassment. OWASP does not tolerate unethical behavior, violence, harrassment, or bullying behavior, or breaches of the OWASP Code of Conduct or Event Code of Conduct. If the matter is an emergency or a member or participant feels unsafe, please call local law enforcement immediately before making an informal or formal complaint.
A. Employees. The OWASP Foundation has an approved Staff Handbook covering the Foundation’s employment and HR policies, including complaints, whistleblowing policies and processes. Foundation staff wishing to make a complaint or report should follow the policy and process as detailed in the most recently approved Employee Handbook, as published in OWASP’s HR portal. If an OWASP member or participant wishes to make an informal complaint relating to a staff member or Foundation process, please contact the OWASP Executive Director in the first instance, who will may escalate the issue to OWASP’s HR firm, the Board, or both, as the case requires. Staff are required to follow OWASP’s Code of Conduct, but informal complaints or whistleblower reports by the public about Foundation staff will be handled per the Staff Handbook.
B. Non-Employees. All individuals are encouraged to share questions, concerns, suggestions, or complaints with OWASP’s Executive Director, a member of the OWASP Board of Directors, or the OWASP Compliance Team. This person will then serve as their point-of-contact during the Whistleblower process, as well as the person responsible for capturing and archiving all related evidence, unless a conflict of interest is identified. If a conflict of interest is identified, the point-of-contact will defer responsibility to either the Chair of the Board or (another member of) the Compliance Team.
Please report incidents or concerns as soon as possible. Informal reports over one year of age are unlikely to be resolved to anyone’s satisfaction. Please proceed to a formal complaint if the incident or concern occurred more than a year in the past.
IV. Commitment to Peaceful Conflict Resolution
The OWASP Foundation recognizes that conflict between contributors participating in such a diverse community will happen from time to time. Our commitment is to attempt to prevent or resolve conflict before it escalates to the point of a formal complaint. Thus, if both parties agree, we will appoint either a neutral internal mediator (approved by both parties) or a neutral third-party mediator to help the parties reach a peaceful resolution. We strongly encourage all board members, employees, and volunteers to attempt mediation as a means for conflict resolution prior to submitting a formal complaint as outlined below.
V. Initiating a Formal Complaint
At any point in time, an OWASP Foundation board member, employee, or volunteer may choose to file a formal complaint regarding the ethical or legal violations of another member of our community. This complaint must be submitted in writing (non-verbal) to the OWASP Compliance Team. A valid complaint must include all background information necessary to evaluate the request, a list of each ethical or legal violation, as well as all evidence to support the claims. Upon submission, the Compliance Team will evaluate that the complaint is valid and will respond back that either the complaint has been accepted, or it is lacking information necessary to properly evaluate (specifying what it is lacking). If the formal complaint relates to Foundation staff or procedures, the Compliance Team will forward the complaint to the Executive Director for resolution following the complaints or whistleblower process as set out in the latest approved Staff Handbook, and report the matter to the Board for oversight purposes.
Once a complaint has been determined as valid, the complainant is asked to cease direct contact with the individual whom they are making the complaint against. Attempts to facilitate direct contact, especially regarding the complaint in question, may result in the complaint being dismissed by a Compliance Officer. Currently, we also ask that the complainant refrain from speaking on the matter with anyone other than a Compliance Officer, to ensure the utmost amount of confidentiality and integrity on the matter. Disregarding this request may also result in the complaint being dismissed by a Compliance Officer. The Compliance Officer will notify the OWASP Foundation Board of Directors that a formal complaint has been filed, the date it was filed, the complainant’s name, and the party or parties named in the complaint.
Reports should be made in a timely fashion to assist in the rapid resolution of any complaint whilst details are fresh in everyone’s recollection and evidence is more likely to be available. Reports of incidents more than three years in the past will be evaluated, but there is no obligation under this policy to conduct a formal investigation due to the age of the complaint and likely lack of evidence or any actions to resolve the issue.
VI. Investigating a Formal Complaint
After a Compliance Officer has determined that a complaint is valid and has notified the OWASP Foundation Board of Directors as outlined above, they will initiate an investigation into the complaint. At this stage, a Compliance Officer, or their designee, will perform an interview of the complainant and any witnesses to the events alleged in the complaint. Additionally, a Compliance Officer will provide the subject of the complaint with a summary of the complaint against them (not an actual copy of the complaint) and allow them sufficient time to prepare for an interview with a Compliance Officer, or their designee. All interviews will be conducted either in a written question and answer format or recorded in an audio format to preserve evidence and ensure the objectivity and integrity of the investigation. All individuals involved in the investigation are expected to maintain confidentiality to the extent possible consistent with the need to conduct an adequate investigation and will refrain from speaking or posting publicly about the complaint or the investigation.
VII. Concluding an Investigation
Once a Compliance Officer is satisfied that they have spoken to all concerned parties and feels that they have enough information necessary to make a recommendation, they will begin to create a final report noting the allegations, the actors involved, their determination as to the veracity of the allegations, any remedial actions recommended, and any rationale for their determinations. Once complete, the final report will be provided to the complainant, the subject of the complaint, and any actors, individually, involved to allow them the opportunity to comment on the final report, which will not affect the final determination. They will be given 72 hours to respond, at which point, all responses will be aggregated alongside the final report, and any evidence collected during the investigation, and provided to the Executive Director and the OWASP Foundation Board of Directors by the Compliance Team. At this point, the investigation can be considered closed.
VIII. Determination by the Board
Once the OWASP Foundation Board of Directors receives the final report, actor comments, and supporting evidence, they will require sufficient time to review and discuss all aspects of the situation and investigation. They should strongly consider the recommendations of the Compliance Team report, but are by no means required to follow them. From here, the standard OWASP Foundation process for Board of Director proposals and voting will apply except that any Director named in the complaint will not be allowed to vote. Once an outcome has been agreed to, a formal decision will be written up and made public, via a post on the OWASP Blog and the OWASP Leaders List, within two weeks of the vote, along with the report provided by the Compliance Team. Appropriate corrective action will be taken if warranted by the investigation.
IX. Compliance Officer
The OWASP Foundation’s Compliance Officers are responsible for ensuring that all complaints about unethical or illegal conduct are investigated and resolved. The Compliance Team will advise the Board of Directors on all complaints and their resolution and will report at least annually on any compliance activity relating to accounting or alleged financial improprieties. Compliance Officers are empowered to conduct their investigations in isolation of the Board in order to maintain independence but are free to involve members of the Board as necessary. It is solely the Compliance Officer’s charge to determine whether a complaint can be considered valid for investigation though any individual may submit a complaint as noted above.
The Compliance Team shall immediately notify the Board of Directors and Executive Director of any concerns or complaint regarding corporate accounting practices, internal controls or auditing and work with the committee until the matter is resolved.
At least one Compliance Officer shall be identified by the Board of Directors and approved by a two thirds vote by January 1 of each year. A member of the OWASP Board of Directors may not also serve as the Compliance Officer during their tenure on the Board. If the Board of Directors is not able to affirmative two thirds vote on at least one Compliance Officer, a neutral, third-party executive ombuds service will be contracted to serve in this role.
The current Compliance Officers are:
X. Confidentiality
Violations or suspected violations may be submitted on a confidential basis by the complainant. Reports of violations or suspected violations will be kept confidential to the extent possible, consistent with the need to conduct an adequate investigation.
XI. Contact
The Complaint / Whistleblower / Compliance Team’s email address is: compliance ‘@’ owasp.org