Policy Review of the Community Review Policy and call for volunteers

[Andrew van der Stock]

Hi Board and Leaders,

We regularly review our policies, and one of the most meta of reviews is the Community Review Policy. As this policy is how we typically set policies, I would like to give everyone extra time over the holidays to provide feedback, so feedback will close at the end of January 2026.

https://policy.owasp.org/operational/community-review-process

The primary issue is the construction of the policy review team. It should be reorganized as a working group, and it should not require seven members. At least three is fine. We've never had seven reviewers on the policy review team, and we've never had it in place by the dates specified in the policy. Therefore, in terms of our ability to adhere to our own policy, we need to review and modify that section. 

Additionally, the restrictions on where and who can comment on our policies should be reviewed, especially as we are soon to move to a new website that isn't backed by GitHub repos for much of the website, including policies, so we need to be review any language that implies comments via that mechanism.

Lastly, during our most recent policy review cycle, a comment was received regarding the transparency of changes and feedback processes. I want to discuss this, while not making it so onerous or prolonging the process so long that it becomes challenging to create, update, or retire policies.

Lastly, I'd like to call for additional volunteers for the policy review team. Ideally, we would like you to volunteer for a period of at least 12 months. If we have more than four volunteers, we will likely need to cap the total number at no more than seven members. I think the fairest approach is first-come, first-served. Currently, you must be an OWASP member to serve on the policy review team. That is something that the review can look at. For our own safety, policies should be reviewed and ratified by OWASP members; however, I believe contributions and feedback should be permitted from anyone. This is the sort of discussion that we need to have. 

thanks,

Andrew