Rules of Procedure

Conflict of Interest Policy

Adopted by the Board of Directors on September 25, 2024

Applicability and Summary

This Conflict of Interest Policy (the “Policy”) applies to all participants, members, staff and members of the Board of Directors (the “Board”) of The OWASP Foundation (“OWASP”). By participating in OWASP activities, each individual doing so (each a “Participant”) agrees to comply with this Policy.

Failure to comply with this Policy can have significant implications for OWASP and its Participants (even Participants who are in compliance with the Policy), including but not limited to jeopardizing OWASP’s tax exempt status, potential sanctions against those failing to comply, unnecessary delays, costs and expenses for OWASP and its Participants, rejection, discontinuation or changes to OWASP work, activities, or decisions, or requirements to repay amounts paid in conflict of interest situations.

Critical aspects of this Policy include the following:

  • Declare all perceived or actual conflicts of interest.
  • Manage actual and perceived conflicts of interest by stepping away from associated discussions and decision-making, and making required disclosures in accordance with this Policy.
  • If in doubt about whether something constitutes a conflict of interest, disclose and ask for advice.

Note: Conflicts of interest (even if only perceived) may reflect adversely upon OWASP, the person(s) involved, and/or the institutions with which they are affiliated. Certain conflicts (or failure to disclose such conflicts) may involve fraudulent or otherwise illegal conduct, and may put you or OWASP at legal risk.

ARTICLE I

PURPOSES

This Policy has been adopted by the Board to protect the interests of OWASP when it is contemplating entering into transactions or arrangements that might benefit the private interest of an Interested Person (defined below), or which might result in a possible transaction inconsistent with OWASP’s tax exempt legal status or applicable law involving an Interested Person, including but not limited to so-called “excess benefit transactions.” Any of the foregoing could potentially jeopardize OWASP’s tax exempt status, and even the appearance of conflicts (where no actual conflict exists) can have negative consequences for OWASP and others involved.

Every OWASP director, principal officer, member of a committee with Board delegated powers, or employee owes a duty of loyalty to OWASP and must carry out their responsibilities honestly and transparently while ensuring they avoid any conflict of interest or the appearance of a conflict of interest with OWASP. The duty of loyalty generally requires a person to prefer the interests of OWASP over their own interests or the interests of others when making decisions affecting OWASP, and to avoid acts of self-dealing.

The purpose of this Policy is to educate Interested Persons and others on what may constitute a conflict of interest, to assist Interested Persons in identifying and disclosing potential conflicts of interest, and to help ensure the avoidance of conflicts of interest wherever possible. This Policy is also intended to help ensure transparency and that the actions of OWASP can clearly serve the OWASP mission. This Policy is intended to supplement but not replace any applicable laws governing conflict of interest applicable to nonprofit and tax-exempt organizations. In the event of an inconsistency between the requirements and procedures prescribed in this Policy and those existing under applicable laws, such laws shall prevail.

ARTICLE II

DEFINITIONS

2.1 Interested Person

“Interested Person” means any director, principal officer, member of a committee with Board delegated powers, or employee of OWASP who has a Financial Interest (defined below).

2.2 Financial Interest

“Financial Interest” means any of the following, to the extent held directly or indirectly by the person in question, whether through business, investment, Family Member, or otherwise:

  1. An ownership or investment interest in any entity with which OWASP has a transaction or arrangement,
  2. A compensation arrangement with OWASP or with any entity or individual with which OWASP has a transaction or arrangement, or
  3. A potential ownership or investment interest in, or compensation arrangement with, any entity or individual with which OWASP is negotiating a transaction or arrangement.

The term “compensation” includes remuneration as well as gifts or favors that are not insubstantial.

The term “Family Member” includes a person’s spouse, child (natural or adopted) or step-child, parent or step-parent, in-law (father, mother, brother or sister in-law), grandchild, grandparent, brother, sister or half/step brother or sister, and any person with whom such person or such person’s Family Member shares living quarters under circumstances that closely resemble a marital relationship or who is financially dependent on such person.

A Financial Interest is not necessarily a conflict of interest. Under Article III, Section 2, a person who has a Financial Interest may have a conflict of interest only if the Board (or an OWASP committee to which the Board has delegated authority to make such determination (each a “Conflict Committee”)) determines that a conflict of interest exists.

ARTICLE III

PROCEDURES

3.1 Duty to Disclose

In connection with any actual or possible conflict of interest, an Interested Person must disclose the existence of the Financial Interest and all associated material facts to the Board and, if applicable, the members of the applicable Conflict Committee.

3.2 Third Party Disclosure

All Board members, employees, community members, and others are encouraged to notify the Board if they become aware of any undisclosed Financial Interest or other conflict of interest (and associated material facts) on the part of any Interested Person.

3.3 Determining Whether a Conflict of Interest Exists

In the event the Board becomes aware of any actual or perceived conflict of interest, the Board shall first determine whether to delegate the determination as to whether a conflict of interest exists to an applicable Conflict Committee, after which the Board (or such Conflict Committee) shall hold a meeting to discuss the matter with the applicable Interested Person(s), and such Interested Person(s) may make a corresponding presentation.

After disclosure of the Financial Interest and associated material facts to the Board (and/or applicable Conflict Committee) and after any such discussion with the Interested Person, the Interested Person shall leave the Board (or if applicable, Conflict Committee) meeting, and the Board (or if applicable, Conflict Committee) shall discuss, determine, and vote upon whether a conflict of interest exists. If the Board (or if applicable, the Conflict Committee) determines that no conflict of interest exists, the transaction or arrangement that was the subject of the aforementioned disclosures may proceed (subject to any other process required by this Policy).

3.4 Procedures for Addressing the Conflict of Interest

  1. If the Board (or if applicable, the Conflict Committee) determines that a conflict of interest does exist, then the Chair of the Board (or of the Conflict Committee if applicable) shall, if appropriate, appoint a person (other than an Interested Person) or committee (that does not include Interested Persons) to investigate alternatives to the proposed transaction or arrangement subject to such conflict of interest.
  2. After exercising due diligence, the Board (or if applicable, Conflict Committee) shall determine whether OWASP can obtain with reasonable efforts a more advantageous transaction or arrangement from a person or entity that would not give rise to a conflict of interest.
  3. If a more advantageous transaction or arrangement is not reasonably possible under circumstances not producing a conflict of interest, the Board (or such Conflict Committee, if applicable) shall determine by a majority vote of the disinterested directors whether the transaction or arrangement that is subject to such conflict of interest is nonetheless in OWASP’s best interest, for its own benefit, and whether it is fair and reasonable to OWASP. In conformity with the above determination, it shall make its decision as to whether to enter into such transaction or arrangement.

3.5 Violations of the Conflict of Interest Policy

  1. If the Board (or a committee designated by the Board to make such determination) has reasonable cause to believe a Participant has failed to disclose any actual or possible conflict of interest, it shall inform the Participant of the basis for such belief and afford the Participant an opportunity to explain the alleged failure to disclose.
  2. If, after hearing the Participant’s response and after making further investigation as warranted by the circumstances, the Board or such committee determines the Participant has failed to disclose an actual or possible conflict of interest, it shall take appropriate disciplinary and corrective action. Any violation of this Policy is a serious matter and may constitute cause for removal from the Board, termination or suspension of OWASP membership or participation, termination of employment by OWASP, and/or the termination of any contractual relationship OWASP may have with an Interested Person or other party.

ARTICLE IV

RECORDS OF PROCEEDINGS

4.1 Minutes

In connection with matters relating to this Policy, the minutes of the Board and all committees with board delegated powers hereunder shall contain:

  1. The names of the persons who disclosed or otherwise were found to have a Financial Interest in connection with an actual or possible conflict of interest, the nature of the Financial Interest, any action taken to determine whether a conflict of interest was present, and the Board’s or such committee’s decision as to whether a conflict of interest in fact existed.
  2. The names of the persons who were present for discussions and votes relating to the transaction or arrangement, the content of the discussion, including any alternatives to the proposed transaction or arrangement, and a record of any votes taken in connection with the proceedings.

ARTICLE V

COMPENSATION

5.1 A voting member of the Board who receives compensation, directly or indirectly, from OWASP for services is precluded from voting on matters pertaining to that member’s compensation.

5.2 A voting member of any OWASP committee whose jurisdiction includes compensation matters and who receives compensation, directly or indirectly, from OWASP for services is precluded from voting on matters pertaining to that member’s compensation.

5.3 No voting member of the Board or any such committee who receives compensation, directly or indirectly, from OWASP, either individually or collectively, is prohibited from providing information to any committee regarding compensation.

ARTICLE VI

ANNUAL STATEMENTS

Each OWASP director, principal officer, member of a committee with governing board delegated powers, and employee shall annually sign a statement which affirms such person:

  1. Has read, understands, and agrees to comply with the Policy, and
  2. Understands that OWASP is a charitable organization and to maintain its federal tax exemption it must engage primarily in activities which accomplish one or more of its tax-exempt purposes.

ARTICLE VII

PERIODIC REVIEWS

To ensure OWASP operates in a manner consistent with charitable purposes and does not engage in activities that could jeopardize its tax-exempt status, periodic reviews shall be conducted. The periodic reviews shall, at a minimum, include the following subjects:

  1. Whether compensation arrangements and benefits are reasonable, based on competent survey information and the result of arm’s length bargaining.
  2. Whether partnerships, joint ventures, and arrangements with management corporations conform to OWASP’s written policies, are properly recorded, reflect reasonable investment or payments for goods and services, further charitable purposes and do not result in inurement, impermissible private benefit or in an excess benefit transaction.

ARTICLE VIII

USE OF OUTSIDE EXPERTS

When conducting the periodic reviews as provided for in Article VII, OWASP may, but need not, use outside advisors. If outside experts are used, their use shall not relieve the Board of its responsibility for ensuring periodic reviews are conducted. The Vice Chair and Executive Director are jointly responsible for ensuring that the annual periodic reviews are conducted and presented to the Board by the end of Q4 each year.