November 2025 Agenda/Minutes

Meeting Details

• Date: 25 November 2025
• Time: 0900 AM EST, UTC 1400 convert
• Location: Remote
• Video Recording

Agenda

CALL TO ORDER

Board Members:

• Ricardo Griffith
• Steve Springett
• Harold Blankenship
• Sam Stepanyan
• Ashwini Siddhi (arrived a few minutes LATE, but was marked as PRESENT)
• Avi Douglen
• Diego Silva Martins

Guests:

• Andrew van der Stock
• Dawn Aitken
• Lauren Thomas
• Hayden Corry
• Starr Brown
• Christian Capellan
• Heather Kennedy
• Stacey Ebbs
• Marisa Fagan
• Arkadii Yakovets
• Grant Ongers
• Chris Barbeau
• Leea Hudson-Wilson

CONFLICT OF INTEREST AND ANTI-TRUST STATEMENT

As the Board consists of individuals from many competing organizations, OWASP and its Board shall abide by all applicable anti-trust and competition laws. To avoid any perceived or actual conflict of interest, or anti-trust concerns under US federal, state, or regulations, only the published agenda shall be discussed or voted upon, or amended as below. If there are any conflicts of interest, Board members are expected to disclose the conflict of interest and must recuse themselves from discussion and voting.

• OWASP Conflict of Interest Policy
• Director’s Commitment Agreement

Note: Ashwini announced that she needs to upload her updated Conflict of Interest Disclosure Form due to a change of employment.

CHANGES TO THE AGENDA

Changes to the agenda - unless otherwise prohibited by anti-trust or competition laws - including adding, altering, or tabling of motions is permitted by following Roberts Rules of Order (RONR 12th Ed) 41:63, which requires an affirmative two-thirds vote.

Andrew: Two motions were missing from the published agenda and required a 2/3 vote to be added:

• Motion to Amend the Bylaws (related to Board of Directors policy updates)
• Motion to Approve the Antitrust Policy

Additional change:

• MITRE CAPEC item postponed because MITRE has not yet provided official information.
• Preliminary 2026 Budget Draft discussion postponed, pending staff completion.

Vote to Approve Agenda Adjustment (Avi: sponsor, Steve: second):

• Steve Springett - YES
• Harold Blankenship - YES
• Sam Stepanyan - YES
• Ashwini Siddhi - YES
• Avi Douglen - YES
• Diego Silva Martins - YES
• Ricardo Griffith - YES

Result: The Vote PASSES, 7–0

Avi noted that a link in the anti-trust policy was broken and needs to be fixed.

APPROVAL OF MINUTES

• Previous Meeting Minutes - October 2025

Vote:

• Steve Springett: YES
• Harold Blankenship: YES
• Sam Stepanyan: YES
• Ashwini Siddhi: ABSTAIN
• Avi Douglen: YES
• Diego Silva Martins: YES
• Ricardo Griffith: YES

Result: The Vote PASSES, 6–0 (1 abstain)

PRE-READING MATERIAL

• OWASP Foundation Board Summary
• Finance Management Report - video
• Finance Management Report - PDF
• Finance Cash Flow Forecast
• Finance Aged AR Summary

Committee Reports - TABLED

Izar Tarandach and Aruneesh to provide an update on the Marketing Working Group or Committee. - TABLED for December

UPDATE from Andrew:

• Andrew invited Izar, Stacey, Aruneesh and Petra to support forming the Marketing working group.
• Formal structure will be presented to the Board in December.
• Andrew will create working group project spaces and work with Christian to add Working Groups to the Committees page on the legacy website due to continued delays with the new website.

Management Reports

• OWASP Foundation Board Summary
• Finance Management Report - video
• Finance Management Report - PDF
• Finance Cash Flow Forecast
• Finance Aged AR Summary

Andrew van der Stock - Executive Director

• IRS Form 990 filed on time and accepted by IRS
• Audit draft complete; clean audit opinion received
• Final audit package expected within 1–2 weeks
• Harold to review and sign management representation documents
• Need documented payroll process and addition of a second approver (likely the 2026 Treasurer)
• Andrew demonstrated payroll procedures during audit
• Director of Corporate Relations job listing is now live on LinkedIn (closes Dec 5)
• Andrew & Harold will conduct interviews in December
• OWASP Operations Europe Belgian entity is now registered
• Aram and Maxim are in the process of appointing accountants and opening a bank account
• New Board members onboarding: Updated commitment agreements sent to new and returning Board members
• BoardSource may block retakes; Andrew will provide PDF alternatives
• Andrew to refresh the staff handbook and assign end-of-year security/HR training modules.

Stacey Ebbs - Marketing Report

Stacey introduced herself (week 3 at OWASP) and highlighted three initiatives:

• Giving Tuesday: Email + social campaign prepared. Board asked to boost visibility by sharing posts.
• Marketing Strategy to focus on:
  • Social media growth
  • Membership, donations
  • Corporate supporter program
  • Chapter and project visibility
• Marketing Strategy to be presented at December 16 Board Meeting
• 2025 Annual Report: To be published late January after financial numbers finalize. Board members may receive quote/interview requests

OWASP EU Entity

Aram and Maxim to complete:

• Banking setup
• Accounting system
• Bylaws registration

Finance Report by Chris Barbeau - The Charity CFO (Video Recording)

• Cash increased by ~$58,000 in October
• Net assets: ~$2.82M
• Retained income for October: $138,000
• Year-to-date net income: ~$380,000 running short against budgeted ~$509,000
• Conference income exceeds budget
• Corporate supporters revenue significantly under budget (–$242k).
• Total income: $4,086,000
• Conference expenses over budget, mostly Food & Beverage (inflation + venue constraints)
• Professional fees include $16,000 for Belgium/OWASP Europe entity setup
• 2026 Budget Draft presented: Staff input still required. Andrew and Lauren to continue work; goal for January approval

NEW BUSINESS

Discussion of the 2026 Budget draft - TABLED

Background Charity CFO and Andrew van der Stock will lead a discussion on the draft budget for 2026, including key initiatives, projected revenues, and expenses. This was tabled until the next board meeting

Motion to approve Board of Directors Policy - TABLED

Background Avi Douglen has led a proposed change to the Election policy, creating a Board of Directors Policy, creating a new draft policy for consideration. This policy has received feedback from the community, which has been incorporated into the current draft by the Policy Review Team. The new policy proposes stronger qualifications for candidates, conflict-of-interest clarifications, and ranked-choice voting (STV). The director qualifications in the new policy is not applicable to the 2025 elections for Director qualifications, but the new seating procedure will be used for the 2026 Directors.

Motion “Resolved, that the Board approves the Board of Directors Policy, replacing the existing Election Policy, effective immediately.”

• Draft Policy
• Feedback as a PR
• Feedback Summary

NB - Andrew: The following two motions also need to be added to the order of business to finalize the implementation:

Motions to amend the bylaws - TABLED : “Resolved, the OWASP Foundation Bylaws are amended to reflect the change from the Election Policy to the Board of Directors Policy, including removing references to the old Election Policy, effective immediately.”

• Bylaw Change Pull Request

Motion to approve the antitrust policy - TABLED “Resolved, that the Board approves the Antitrust Policy, which is required to ensure compliance with US antitrust laws, effective immediately.”

• Draft Antitrust Policy

Discussion: Extensive PR review and discussion occurred live, covering:

• Antitrust clarifications
• Candidate eligibility definitions
• Clarifying Code of Conduct violation handling
• Grant Ongers (Compliance Officer) was invited to contribute to the Code of Conduct discussion and he explained using a legal analogy: Just as someone is not guilty of a crime until they are found guilty, A Code of Conduct violation is not a violation unless the compliance process determines it occurred
• Background checks and jurisdictional feasibility
• Language proficiency requirement
• Cooling-off period for former staff
• Handling external contributors and exceptions

Motion to table the above three motions: Note: no sponsor/second needed for tabling motions

Motion:

To table the three Board of Directors Policy–related motions (Bylaws Amendment, Antitrust Policy Approval, and Board of Directors Policy Approval) until the December 2025 Board meeting, or to be decided earlier by an e-vote once the final policy text PDF is circulated.

Vote:

• Steve Springett – YES
• Harold Blankenship – YES
• Sam Stepanyan – YES
• Ashwini Siddhi - YES
• Avi Douglen - YES
• Diego Silva Martins – YES
• Ricardo Griffith – YES

Result: The Vote PASSES, 7–0

Discussion on infrastructure for working groups

Background Andrew van der Stock will lead a discussion on the formation of working groups within OWASP, their purpose, structure, and how they can contribute to the organization’s goals.

This item was already discussed by Andrew at the beginning of the meeting

Discussion on creation of an Audit Committee

Background Ricardo Griffith will lead a discussion on the potential formation of an Audit Committee within the Board of Directors to oversee financial reporting, compliance, and risk management.

Discussion

Ricardo actually presented the requirements for two committees:

Audit & Risk Committee (Board Committee):

• A board-level committee
• Focused on oversight of the independent audit
• Responsible for reviewing annual financial statements
• Monitoring internal controls
• Managing risk (e.g., insurance)
• To be composed of board members (treasurer as chair)
• Other members should ideally have financial or accounting background or a risk background
• This structure reduces the need for the entire Board to do detailed audit work every year ensuring stronger governance and oversight. It matches what other nonprofit boards already do
• Ricardo to prepare a draft outline and post for discussion

Membership Financial Transparency & Oversight Committee:

• Community advisory group enabling insight into financial stewardship
• Likely January vote (new board)
• Avi noted that naming it ‘Audit Committee’ might create confusion
• Ashwini requested clarity on structure, clarity on committee’s term, cadence, advisors
• Ashwini also raised whether the whistleblower policy applies
• Ricardo to draft a charter and circulate for review

Discussion on the 25th Anniversary of OWASP

Background Andrew van der Stock will discuss plans and initiatives to celebrate the 25th anniversary of OWASP in 2026, including events, marketing campaigns, and community engagement activities.

• Due to limited time, the discussion was shortened.
• Andrew referenced the content calendar available to directors on Monday.com
• Updates will continue into December.

Tentative discussion on MITRE CAPEC - TABLED

Background Avi Douglen will lead a tentative discussion on the MITRE CAPEC (Common Attack Pattern Enumeration and Classification) project, its relevance to OWASP, and potential collaboration opportunities.

Executive Session

Background The Board will enter into an executive session to discuss sensitive matters

COMMENTS, ANNOUNCEMENTS, AND OTHER BUSINESS

ADJOURNMENT

Adjournment motion

The next general Board meeting is on December 16 2025, at 9 am US Eastern Time.

• December 2025

“It is moved, and seconded to adjourn. Those in favor, say “aye””

Sponsor: Ricardo Griffith Second: Harold Blankenship

Meeting adjourned, Board proceeded into Executive Session