[Policy-Review] Board Director's Policy, Anti-Trust Policy, and Commitment Agreement

[Andrew van der Stock]

Hi Leaders and Global Board

Please review the following policies, which supersede the Elections Policy with a broader Board Directors' Policy. 

How long is the review open? Comments will be open for 21 days starting today, as per the Community Review Policy. The deadline for comments is midnight UTC October 31, 2025. 

How do I provide feedback? You may use the method documented in the DRAFT header to submit your comments from your OWASP email address, or log an issue or PR in the GitHub repo. Please give the issue or PR a name that includes "Directors Policy" so that we know to look for your feedback, as there are unrelated / older / other issues and PRs that may be present. 

Purpose of the changes. The current Board had undertaken a review of the Election policy and found that it doesn't have some of the requirements set out in our bylaws. As a result of that review, the more things that needed changing, the more it became about the Directors and less about the election. This is why it has been renamed. The review, led by Avi Douglen, has had many rounds of internal feedback from the Board, and now it's your turn. The Director's policy, in turn, addressed several other policies and documents, such as the Board of Directors' Commitment Agreement, which needed to be aligned or updated. These are detailed in the changelog below. 

When will it come into effect? Most likely after the first or second public Board meeting in November. Due to review processes and to ensure certainty for the 2025 candidates, these changes cannot be passed prior to the elections concluding, so they will not affect the 2025 election qualifications or voting method. The first election to be held under the revised policy will be in 2026. The PR for the bylaws and the new Antitrust Policy will apply as soon as it is passed. The revised Director's Agreement form is operational and will apply to the incoming 2026 Directors. We will obtain legal advice on whether we should require all Directors to sign the revised agreement, as it differs in requirements from the one they signed when they took their seats. The two Policy and bylaw amendments require a supermajority vote. The operational agreement will undergo a final round of legal review once comments are received and incorporated, before it takes effect.

Changelog:

Board Director's Policy. Avi Douglen has been the driving force behind these changes, and has gone through extensive review with the Board. If you have any questions relating to the Director's policy, Avi is your best bet. The main change to be highlighted includes:

- Voting method will change from first past the post to single transferable vote (STV), which  considering the often low voter turnout in most OWASP elections, should allow the community's voice to be heard more clearly, rather than a simple popularity contest. Hopefully, once people realize that their voices can be heard, more people will vote. 

- Qualifications are strengthened to ensure that candidates have ties with our community and demonstrated OWASP leadership credentials. 

- Additions the bylaws ask for in the policy

- Documenting many important topics for which we have historic conventions for. Previously, Boards have generally just voted the same way as previous Boards, without a policy framework

- much more besides. Worth reading the policy for all the details.

Anti Trust Policy. Our Board meetings open with an antitrust statement, and our previous (and this) Commitment agreement required compliance with an anti-trust policy, which does not exist. This now exists. 

A small PR for the bylaws to rename the elections policy to the Director's policy. This has no other policy or bylaw outcomes. 

Board of Directors' Commitment Agreement. I've updated the Board of Directors' Commitment Agreement (which is an operational document and not a policy, but supports the bylaws, the Board of Directors' policy, and our new antitrust policy). The main changes are:

• Started afresh with the most recent Board of Directors' Commitment policy written by our non-profit lawyers
• Added in anti-trust requirements and linked to the new anti-trust policy
• Aligned the policy settings in the Director's policy and the Commitment requirements so there is no confusion between the two
• Updated the onboarding reading materials and included Board Source training

This agreement will be used if the Board adopts the two policies and bylaws. If these policies are not passed, the agreement will undergo a legal review to ensure it conforms to our previous policies. The previously used agreement lacked many of the requirements outlined in the new bylaws, making this a comprehensive improvement over the old agreement. Additionally, we will be changing from using Wufoo forms to OWASP's e-Signature service for enhanced document retention and data protection reasons. 

Thanks,

Andrew van der Stock
Distinguished Lifetime Member

Executive Director, OWASP

+1 510 697 9315