September 2025 Agenda/Minutes

Meeting Details

Agenda

CALL TO ORDER

Board Members

  • Ricardo Griffith
  • Steve Springett
  • Harold Blankenship
  • Sam Stepanyan
  • Ashwini Siddhi
  • Avi Douglen - ABSENT
  • Diego Silva Martins

Guests

  • Andrew van der Stock
  • Dawn Aitken
  • Lauren Thomas
  • Hayden Corry
  • Starr Brown
  • Christian Capellan
  • Heather Kennedy
  • Chris Barbeau
  • Leea Hudson-Wilson
  • Gesmer Lawyers: Aaron Kriss and Russ Schossbach

CONFLICT OF INTEREST AND ANTI-TRUST STATEMENT

As the Board consists of individuals from many competing organizations, OWASP and its Board shall abide by all applicable anti-trust and competition laws. To avoid any perceived or actual conflict of interest, or anti-trust concerns under US federal, state, or regulations, only the published agenda shall be discussed or voted upon, or amended as below. If there are any conflicts of interest, Board members are expected to disclose the conflict of interest and must recuse themselves from discussion and voting.

CHANGES TO THE AGENDA

Changes to the agenda - unless otherwise prohibited by anti-trust or competition laws - including adding, altering, or tabling of motions are permitted by following Robert's Rules of Order (RONR 12th Ed) 41:63, which requires an affirmative two-thirds vote.

Ricardo proposed rearranging the agenda to allow guests (Finance and Legal Counsel) to present first. Sam requested adding two discussion points under Any Other Business:

  • Formation of an Audit Committee
  • Project Summit discussion

Both additions were accepted, noting that no vote is necessary.

APPROVAL OF MINUTES

Vote:

  • Steve Springett – Yes
  • Harold Blankenship – Yes
  • Sam Stepanyan – Yes
  • Ashwini Siddhi – Yes
  • Diego Silva Martins – Yes
  • Ricardo Griffith – Yes
  • Avi Douglen - ABSENT

Result: The Vote PASSES, 6–0 (1 absent)

PRE-READING MATERIAL

Finance Report by Chris Barbeau and Leea Hudson-Wilson - The Charity CFO

Chris Barbeau presented the August 2025 financial results:

Audit and Budget:

  • Audit is progressing well; all outstanding items have been provided
  • Draft audit expected before the next board meeting
  • FY26 budget process has begun with meetings held with Andrew and finance staff

Financial Summary (as of August 2025):

  • Ending Cash: $1.9M (slight decrease due to $136K Marriott DC payment for the November event)
  • Prepaid Expenses: Increased due to deposit for the next Global AppSec
  • Total Liabilities & Net Assets: $3.41M
  • August 2025 Revenue: $187K
  • August 2025 Expenses: $315K
  • Net Loss (August 2025): $120K
  • Year-to-Date (YTD) Net Gain: $523K (vs. $289K budgeted)
  • Cash on Hand: 5+ months
  • Uncategorised income reduced from $60K to $8K, largely resolved
  • Aged receivables (90-day) remain elevated but improving as collections continue

Discussion:

  • Sam raised questions regarding uncategorised income and aged receivables; both are being actively addressed
  • Dawn confirmed ongoing collection efforts and reconciliation with vendors

NEW BUSINESS

Discussion on the OWASP Commercial Entity with Gesmer Lawyers

Background: Gesmer partners will be joining to discuss and answer questions on the formation of a commercial entity for OWASP.

Aaron Kriss and Russ Schossbach joined the meeting to provide legal guidance on forming a for-profit subsidiary (e.g., “OWASP Solutions”) owned by OWASP Foundation.

Key Points:

  • Common structure: 501(c)(3) owning a for-profit subsidiary for non-mission-aligned activities
  • Purpose: Separate commercial ventures (training, consulting, certifications) that may not fit OWASP’s tax-exempt status
  • IRS requires operational independence between nonprofit and for-profit entities
  • Overlapping leadership is permissible but must avoid control conflicts
  • Delaware incorporation recommended

Discussion Highlights

  • Ownership: Typically wholly-owned subsidiary (100%)
  • Outside investment: Possible but uncommon; must consider investor expectations and ROI
  • Profit distribution: Board of subsidiary decides dividends; cannot be mandated by the non-profit
  • Donations from subsidiary to nonprofit allowed if independence is maintained
  • Licensing OWASP trademarks or content to the for-profit must align with OWASP’s mission and IRS compliance
  • Certification programs, training, and consulting may remain under nonprofit if directly mission-aligned
  • Lobbying by the for-profit possible but must remain independent
  • Merchandise sales taxable; manageable under nonprofit
  • Risk transfer (e.g., certification liability) could justify use of a subsidiary

Executive Director’s Report – Andrew van der Stock

Staffing:

  • Marketing role final candidate selected; awaiting offer confirmation
  • New hire based outside the U.S.

Website Migration

  • Nearing completion; final QA and staging checks in progress
  • Migration aims for a modern marketing-focused site
  • Minor outstanding items: committees page and www-community migration

Audit & Budget

  • Audit on track; FY26 budget work underway with Harold

Working Groups

  • Automation for creation and tracking being implemented via Google Workspace and GitHub

Belgian Entity (OWASP EU):

  • Awaiting Belgian government approval for new entity
  • Old entity winding down; awaiting coordination from legacy directors

Membership:

  • September membership drive performing well; above budgeted targets

H-1B Visa Update:

  • Recent USCIS changes ($100K filing proposal) highlight benefit of OWASP’s remote-first employment model

Board Elections:

  • Candidate pages hosted on GitHub; some technical issues addressed by Dawn and Andrew
  • Ricardo confirmed all candidate pages are now accessible and merged

Upcoming Events – Lauren Thomas

Global AppSec DC:

  • Sponsorships sold out
  • Registration pacing identical to prior year (~240 six weeks out)
  • Active LinkedIn campaigns targeting regional attendees

AppSec Days:

  • Singapore: Good attendance, sponsorship exceeded targets
  • Israel: Small loss; next year’s event planned with improved profitability measures

Future Planning:

  • Full 2026 events calendar to be shared with exhibitors at DC for early sponsor budgeting

The Board thanked Lauren and the events team for their continued strong performance.

Motion to optimize the Community Review Policy process

Background

The Community Review Policy process gives 21 days for public comment and a subsequent 30 days for the Policy Review Team to consider the comments and make a recommendation to the Board. This can lead to a long delay in approving policies. This amendment would parallelize the public comment period and the Policy Review Team review period, reducing the overall time to approve policies.

Motion: “Resolved, that the Community Review Policy be amended to conduct the public policy review period and the Policy Review Team review period concurrently.” - DEFERRED

Sponsor: Ricardo Griffith Second: Avi Douglen

Motion tabled; discussion took place instead.

Discussion:

  • Ricardo proposed streamlining to accelerate policy publication
  • Sam suggested data analysis of past policy reviews before making changes
  • Andrew recommended ensuring adequate pre-reading and public communication
  • Board agreed to defer decision pending data

Discussion on the chapter leader orientation course

Background: Sam Stepanyan will discuss the chapter leader induction/orientation course and training, with a view to starting a Working Group to create the course.

Objective:

Introduce a mandatory orientation training for new (and eventually existing) Chapter Leaders to ensure compliance and consistency.

Key Features

  • Video-based learning modules with a short quiz.
  • Topics: OWASP mission, chapter operations, event policies, sponsorship, expenses, and use of shared tools (Zoom, Slack, etc.).
  • Passing the quiz is a prerequisite for signing the Chapter Leader Agreement.

Board Discussion:

  • Harold: Supported; noted it will require policy amendment to enforce.
  • Steve: Supported; asked about tracking effectiveness and tool requirements.
  • Diego: Suggested extending to all existing chapter leaders.
  • Ashwini: Supported; emphasized keeping training concise and recurring annually.
  • Andrew: Recommended pilot phase, then integrate into annual leader confirmation process.

COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS

Deferred Items (Not Discussed):

Due to time constraints, the following AOB items proposed in the Changes to the Agenda were not taken up and are deferred to a future meeting:

  • Formation of an Audit Committee (sponsor: Ricardo Griffith)
  • Project Summit discussion (sponsor: Sam Stepanyan)

Motion to change the date & time of October 2025 Board Meeting

Background: The October Board meeting is currently scheduled for October 28th, 2025 at 9am US Eastern Time. The Board wishes to change the date & time of the meeting to November 5th to be held in person at the OWASP Global AppSec DC 2025 Conference.

Motion: “Resolved: The October 28, 2025 Global Board Meeting is delayed by 8 days to Wednesday, November 5, 2025 at 5:00 PM US Eastern Time, to be held in person at the Global AppSec DC Conference. The November 25, 2025 meeting is unchanged.”

Please Note: the meeting date was mistakenly read out as November 4th when it should be November 5th.

Sponsor: Ricardo Griffith Second: Diego Silva Martins

Vote:

  • Steve Springett – Yes
  • Harold Blankenship – Yes
  • Sam Stepanyan – Yes
  • Ashwini Siddhi – Yes
  • Diego Silva Martins – Yes
  • Ricardo Griffith – Yes

Result: Motion passed unanimously (6 Yes, 0 No, 1 Absent).

Executive Session

Background: The Board will go into executive session to discuss sensitive matters.

ADJOURNMENT

Adjournment motion

The next general Board meeting is on November 5, 2025 at 5:00 PM US Eastern Time.

“It is moved, and seconded to adjourn. Those in favor, say “aye””

Sponsor: Ricardo Griffith Second: Diego Silva Martins