OWASP · vanderaj · Jun 3, 2025 · Apr 28, 2025 · May 26, 2025 · May 26, 2025
diff --git a/legal/bylaws.md b/legal/bylaws.md
@@ -339,10 +339,12 @@ Each member of a Board Committee shall serve for such term as shall be establish
 
 (a) A Project Committee of the Foundation is hereby established, which may have such Sub-Groups as from time to time may be approved by the Board of Directors. The Project Committee and its Sub-Groups shall be the principal Member-level forum for the discussion and preliminary adoption of technical strategy and standards, subject to the review, and within the strategic direction established by, the Board of Directors and such Member Committee shall otherwise have such rights and privileges as shall from time to time be established by the Board of Directors, or as set forth in such Project Committee charter, rules, and policies as shall have been previously adopted by the Board of Directors. The Project Committee may make technical recommendations to the Board of Directors concerning technical strategy and other technical work products of the Foundation and may undertake such other tasks as may from time to time be established by the Board of Directors, provided that all strategies and standards may only be finally adopted by the Board of Directors
 
-(b) From time to time, the Board of Directors may establish additional Member Committees. Each Member, so long as it remains a Member in good standing, shall be entitled to appoint such representatives to each such Member Committee, with such voting rights (if any), as set forth in Article II. Unless otherwise specified in these By-laws or by the Board of Directors, each Member Committee may have such sub-groups, working groups, and other groups as from time to time may be approved by such Member Committee, within the strategic direction established by the Board of Directors (each a "Sub-Group")
+(b) From time to time, the Board of Directors may establish or disband additional Member Committees, or Working Groups, and additionally, delegate the authority to create or disband Committees or Working Groups to the Executive Director. The Board shall be entitled to appoint such representatives to each such Member Committee or Working Group, with such voting rights (if any), as set forth in Article II. Unless otherwise specified in these By-laws or by the Board of Directors, each Member Committee may have such sub-groups, working groups, and other groups as from time to time may be approved by such Member Committee, within the strategic direction established by the Board of Directors (each a "Sub-Group").
 
 (c) Member Committees are subject to the Committees Policy (if any)
 
+(d) Working Groups are subject to the Working Groups Policy (if any)
+
 # ARTICLE VI - OFFICERS
 
 ## Section 6.1 Officers

diff --git a/operational/committees.md b/operational/committees.md
@@ -9,6 +9,8 @@ tags: Rules of Procedure
 
 Approved by the OWASP Board of Directors on 2024-06-25
 
+NB: This published policy is currently under review, and may disagree with the Working Group policy. The Working Group policy takes precedence for Working Group matters until such time as the Committees Policy has been updated. This notice will be removed once this policy has been reviewed and approved by the Board.
+
 ## Introduction
 
 The OWASP Committees Policy devolves responsibility for in-scope outcomes to Committees and empowers OWASP members and the community to help shape OWASP.

diff --git a/operational/working-groups.md b/operational/working-groups.md
@@ -0,0 +1,79 @@
+---
+
+title: Working Groups Policy (Draft WIP)
+layout: col-document
+document: Rules of Procedure
+tags: Rules of Procedure
+notice: 2021-04-28
+
+---
+
+{% include draft-notice.html %}
+
+NB: Where the Committees policy and this policy disagree, the Working Group policy takes precedence until such time as the Committee Policy has been updated to reflect the new working group policy. This notice will be removed once the Committee Policy has been updated.
+
+## Purpose and Scope
+
+Working Groups are critical operational units within OWASP, tasked with achieving targeted objectives that directly support OWASP’s strategic mission. These Working Groups complement Committees by focusing on functional outcomes that support the tactical objectives defined by Committees. This policy defines the creation, governance, leadership, participation, accountability, and lifecycle management of OWASP Working Groups.
+
+## Establishment of Working Groups
+
+Working Groups are proposed by OWASP Members. Proposals to create a Working Group must be clearly aligned with OWASP’s strategic priorities and demonstrate tangible benefit to the OWASP community.
+
+Proposals must be submitted in the form of a Scope and Program of Work and submitted to the OWASP Executive Director. The Scope and Program of Work shall clearly describe:
+
+* Working Group purpose and rationale  
+* Scope of work, goals, and key deliverables  
+* Milestones and timelines for key activities
+
+Approval is documented formally, and Working Groups are notified promptly upon establishment.
+
+## Leadership and Governance
+
+Each Working Group must have one Chair or up to two Co-Chairs, providing balanced leadership, continuity, and domain-specific expertise. Chairs must be active OWASP members. Chairs hold responsibility for ensuring effective Working Group operations, maintaining clear documentation, transparent decision-making, and strategic alignment with OWASP’s mission.
+
+## Vetting and Appointment
+
+Operational responsibility for vetting potential Working Group Chairs lies with the OWASP Executive Director or an appointed staff representative. Candidates must demonstrate sufficient expertise, relevant professional experience, and alignment with OWASP’s core values.
+
+The Executive Director is responsible for confirming appointments of Working Group Chairs following successful vetting, formally documenting decisions, and communicating appointments clearly to all parties involved.
+
+## Working Group Participation
+
+Participation in Working Groups is open to anyone with relevant interest and willingness to actively contribute, including non-members of OWASP. Working Group Chairs are responsible for clearly communicating participant expectations, maintaining a welcoming environment, and ensuring adherence to OWASP’s Code of Conduct.
+
+If a participant is found to be in violation of the Code of Conduct, the Working Group Chair may recommend to the Executive Director that the participant be removed from the Working Group. The Executive Director will make a final decision on the removal of the participant.
+
+## Operations and Decision-Making
+
+Working Groups must maintain transparent, consensus-driven decision-making processes. Regular meetings shall be scheduled with clear agendas distributed in advance, concise documentation of decisions, and prompt follow-up of assigned actions. Meetings should be action-oriented, inclusive, and public.
+
+Working Group documentation, including minutes, decision logs, and relevant deliverables, must be transparently maintained in OWASP’s designated repositories, ensuring ongoing accessibility and accountability to the OWASP community.
+
+## Reporting and Accountability
+
+Working Group Chairs are required to submit quarterly Chairs Reports to the Executive Director and OWASP Board, providing concise updates on achievements, challenges, and upcoming objectives. 
+
+The Chairs Report will directly inform decisions to be made by the Executive Director regarding Working Group continuation, modification, or sunset.
+
+## Lifecycle Management and Sunset Clause
+
+Working Groups will be periodically reviewed by the Executive Director. Each Working Group must clearly define measurable success criteria in their Scope and Program of Work.
+
+Evaluations determine:
+
+* Whether the Working Group continues as-is  
+* If the Working Group pivots its objectives to meet changing OWASP strategic priorities  
+* If the Working Group has completed its mission or no longer aligns strategically, thus triggering a sunset decision
+
+Decisions regarding lifecycle status must be formally documented and communicated transparently to the Working Group and broader OWASP community. If the Executive Director determines that a Working Group is not meeting its scope or objectives, the Executive Director may recommend to the OWASP Board that the Working Group be disbanded.
+
+## Communication and Community Engagement
+
+Open and regular communication with the OWASP community is mandatory for all Working Groups. Chairs shall maintain transparent communication channels via OWASP platforms, such as the website, newsletters, and community forums.
+
+Working Groups shall:
+
+* Frequently publish updated progress and deliverables  
+* Conduct periodic community engagement and outreach activities  
+* Actively solicit community feedback to inform Working Group activities