Working Groups Policy
Approved by the Board of Directors on 2025-05-28.
NB: Where the Committees policy and this policy disagree, the Working Group policy takes precedence until such time as the Committee Policy has been updated to reflect the new working group policy. This notice will be removed once the Committee Policy has been updated.
Purpose and Scope
Working Groups are critical operational units within OWASP, tasked with achieving targeted objectives that directly support OWASP’s strategic mission. These Working Groups complement Committees by focusing on functional outcomes that support the tactical objectives defined by Committees. This policy defines the creation, governance, leadership, participation, accountability, and lifecycle management of OWASP Working Groups.
Establishment of Working Groups
Working Groups are proposed by OWASP Members. Proposals to create a Working Group must be clearly aligned with OWASP’s strategic priorities and demonstrate tangible benefit to the OWASP community.
Proposals must take the form of a Scope and Program of Work and be submitted to the OWASP Executive Director. The Scope and Program of Work shall clearly describe:
- Working Group purpose and rationale
- Scope of work, goals, and key deliverables
- Milestones and timelines for key activities
Approval is documented formally, and Working Groups are notified promptly upon establishment.
Leadership and Governance
Each Working Group must have one Chair or up to two Co-Chairs, providing balanced leadership, continuity, and domain-specific expertise. Chairs must be active OWASP members. Chairs hold responsibility for ensuring effective Working Group operations, maintaining clear documentation, transparent decision-making, and strategic alignment with OWASP’s mission.
Vetting and Appointment
Operational responsibility for vetting potential Working Group Chairs lies with the OWASP Executive Director or an appointed staff representative. Candidates must demonstrate sufficient expertise, relevant professional experience, and alignment with OWASP’s core values.
The Executive Director is responsible for confirming appointments of Working Group Chairs following successful vetting, formally documenting decisions, and communicating appointments clearly to all parties involved.
Working Group Participation
Participation in Working Groups is open to anyone with relevant interest and willingness to actively contribute, including non-members of OWASP. Working Group Chairs are responsible for clearly communicating participant expectations, maintaining a welcoming environment, and ensuring adherence to OWASP’s Code of Conduct.
If a participant is found to be in violation of the Code of Conduct, the Working Group Chair may recommend to the Executive Director that the participant be removed from the Working Group. The Executive Director will make a final decision on the removal of the participant.
Operations and Decision-Making
Working Groups must maintain transparent, consensus-driven decision-making processes. Regular meetings shall be scheduled with clear agendas distributed in advance, concise documentation of decisions, and prompt follow-up of assigned actions. Meetings should be action-oriented, inclusive, and public.
Working Group documentation, including minutes, decision logs, and relevant deliverables, must be transparently maintained in OWASP’s designated repositories, ensuring ongoing accessibility and accountability to the OWASP community.
Reporting and Accountability
Working Group Chairs are required to submit quarterly Chairs Reports to the Executive Director and OWASP Board, providing concise updates on achievements, challenges, and upcoming objectives.
The Chairs Report will directly inform decisions to be made by the Executive Director regarding Working Group continuation, modification, or sunset.
Lifecycle Management and Sunset Clause
Working Groups will be periodically reviewed by the Executive Director. Each Working Group must clearly define measurable success criteria in its Scope and Program of Work.
Evaluations determine:
- Whether the Working Group continues as-is
- Whether the Working Group pivots its objectives to meet changing OWASP strategic priorities
- Whether the Working Group has completed its mission or no longer aligns strategically, thus triggering a sunset decision
Decisions regarding lifecycle status must be formally documented and communicated transparently to the Working Group and broader OWASP community. If the Executive Director determines that a Working Group is not meeting its scope or objectives, the Executive Director may recommend to the OWASP Board that the Working Group be disbanded.
Communication and Community Engagement
Open and regular communication with the OWASP community is mandatory for all Working Groups. Chairs shall maintain transparent communication channels via OWASP platforms, such as the website, newsletters, and community forums.
Working Groups shall:
- Frequently publish updated progress and deliverables
- Conduct periodic community engagement and outreach activities
- Actively solicit community feedback to inform Working Group activities