This is a DRAFT or SUBSTANTIALLY MODIFIED existing policy currently in an open review period. Please respond with your comments and inputs regarding this page or directly submit a pull request.
To participate in the secure software movement, you may:
- Read or use any OWASP Site without registering an account.
- Edit content on OWASP Sites with a GitHub account.
- Register to be a content approver by providing a GitHub account.
Because we want to understand how OWASP Sites are used so we can make them better for you, we collect some information when you:
- Make public contributions.
- Use the OWASP Sites.
- Send us emails or participate in a survey or give feedback.
- Choose to Donate to or become a Member of OWASP.
- Attend Conferences or participate in local chapter meetings.
We are committed to:
- Using reasonable measures to keep your information secure.
- Never selling your information or sharing it with third parties for marketing purposes.
- Only sharing your information in limited circumstances, such as to improve the OWASP Sites, to comply with the law, or to protect you and others.
- Retaining your data for the shortest possible time that is consistent with maintaining, understanding, and improving the OWASP Sites, and our obligations under law.
- Any content you add or any change that you make to an OWASP Site will be publicly and permanently available in addition to being associated with your GitHub username.
- Our community of volunteer editors and contributors is a self-policing body. Certain administrators of the OWASP Sites, who are chosen by the community, use tools that grant them limited access to nonpublic information about recent contributions so they may protect the OWASP Sites and enforce policies.
As part of our commitment to education and research around the world, we occasionally release public information and aggregated or non-personal information to the general public through data dumps and data sets.
The OWASP Foundation is the nonprofit organization that operates owasp.org and its companion Project, Conference, and event websites.
This Policy explains how we collect, use, and share your personal information.
- We collect very little personal information about you.
- We do not rent or sell your information to third parties.
- By using OWASP Sites, you consent to this Policy.
The OWASP secure software movement is founded on a simple, but powerful principle: we can do more together than any of us can do alone. We cannot work collectively without gathering, sharing, and analyzing information about our users as we seek new ways to make the OWASP Sites more usable, safer, and more beneficial.
We do not sell or rent your Personal Information, nor do we give it to others to sell you anything. We use it to figure out how to make the OWASP Sites more engaging and accessible, to see which ideas work, and to make learning and contributing more fun. Put simply: we use this information to make the OWASP Sites better for you.
After all, it’s people like you, the champions of free knowledge, who make it possible for the OWASP Sites to not only exist, but also grow and thrive.
Because everyone (not just lawyers) should be able to easily understand how and why their information is collected and used, we use common language instead of more formal terms throughout this Policy. To help ensure your understanding of some particular key terms, here is a table of translations:
When we say = we mean
- “the OWASP Foundation” / “the Foundation” / “OWASP” / “we” / “us” / “our” = The OWASP Foundation, Inc., the non-profit organization that operates the OWASP Sites.
- “you” / “your” / “me” = You, regardless of whether you are an individual, group, or organization, and regardless of whether you are using the OWASP Sites or our services on behalf of yourself or someone else.
- “contributions” = Content you add or changes you make to any OWASP Sites.
- “personal information” = Information you provide us or information we collect from you that could be used to personally identify you. To be clear, while we do not necessarily collect all of the following types of information, we consider at least the following to be “personal information” if it is otherwise nonpublic and can be used to identify you:
  - (a) your real name, address, phone number, email address, password, identification number on government-issued ID, IP address, user-agent information, credit card number;
  - (b) when associated with one of the items in subsection (a), any sensitive data such as date of birth, gender, sexual orientation, racial or ethnic origins, marital or familial status, medical conditions or disabilities, political affiliation, and religion; and
  - (c) any of the items in subsections (a) or (b) when associated with your user account.
- “third party” / “third parties” = Individuals, entities, websites, services, products, and applications that are not controlled, managed, or operated by the OWASP Foundation. This includes other OWASP users and independent organizations or groups who help promote the Foundation, such as OWASP chapters, Conferences and local events, volunteers, employees, directors, officers, grant recipients, and contractors of those organizations or groups.
Types of Information We Receive From You & How We Get It
Your Public Contributions
When you make a contribution to any OWASP Site, you are creating a permanent, public record of every piece of content added, removed, or altered by you. The page history will show when your contribution or deletion was made, as well as your GitHub username. We may use your public contributions, either aggregated with the public contributions of others or individually, to create new features or data-related products for you or to learn more about how the OWASP Sites are used.
Publicly Visible Information
Account Information & Registration
- You do not need to create an account to use any OWASP Site.
- If you want to edit content, you must have a GitHub account.
- If you want to be a content approver, you must provide an active GitHub account.
You are not required to create an account to read or contribute to an OWASP Site, except under rare circumstances.
GPS & Other Location Technologies
If you consent, we can use GPS (and other technologies commonly used to determine location) to show you more relevant content. We keep information obtained by these technologies confidential, except as provided in this Policy.
Sometimes, we automatically receive location data from your device. For example, if you want to upload a photo, we may receive metadata, such as the place and time you took the photo, automatically from your device. Please be aware that, unlike location information collected using GPS signals described above, the default setting on your mobile device typically includes the metadata in your photo or video upload to the OWASP Sites. If you do not want metadata sent to us and made public at the time of your upload, please change your settings on your device.
Finally, when you visit any OWASP Site, we automatically receive the IP address of the device (or your proxy server) you are using to access the Internet, which could be used to infer your geographical location.
Information Related to Your Use of the OWASP Sites
We use certain technologies to collect information about how you use OWASP Sites. Like other websites, we receive some information about you automatically when you visit the OWASP Sites.
We also use a variety of commonly-used technologies, like cookies, to collect information regarding how you use the OWASP Sites, make our services safer and easier to use, and to help create a better and more customizable experience for you.
We want to make the OWASP Sites better for you by learning more about how you use them. Examples of this might include how often you visit the OWASP Sites, what you like, what you find helpful, how you get to the OWASP Sites, and whether you would use a helpful feature more if we explained it differently. We also want this Policy and our practices to reflect our community’s values. For this reason, we keep information related to your use of the OWASP Sites confidential, except as provided in this Policy.
Information We Receive Automatically
Because of how browsers work, we receive some information automatically when you visit the OWASP Sites. This information includes the type of device you are using (possibly including unique device identification numbers, for some beta versions of our mobile applications), the type and version of your browser, your browser’s language preference, the type and version of your device’s operating system, in some cases the name of your internet service provider or mobile carrier, the website that referred you to the OWASP Sites, which pages you request and visit, and the date and time of each request you make to the OWASP Sites.
Put simply, we use this information to enhance your experience with OWASP Sites. For example, we use this information to administer the sites, provide greater security, and fight vandalism; optimize mobile applications, customize content and set language preferences, test features to see what works, and improve performance; understand how users interact with the OWASP Sites, track and study use of various features, gain understanding about the demographics of the different OWASP Sites, and analyze trends.
Information We Collect
We use a variety of commonly-used technologies, like cookies, to understand how you use the OWASP Sites, make our services safer and easier to use, and to help create a better and more customizable experience for you.
Depending on which technology we use, locally stored data can be anything from text, pictures, and whole articles (as we explain further below) to Personal Information (like your IP address) and information about your use of the OWASP Sites (like your username or the time of your visit).
We use this information to make your experience with the OWASP Sites safer and better, to gain a greater understanding of user preferences and their interaction with the OWASP Sites, and to generally improve our services. We will never use third-party cookies, unless we get your permission to do so. If you ever come across a third-party data collection tool that has not been authorized by you (such as one that may have been mistakenly placed by another user or administrator), please report it to us at firstname.lastname@example.org.
More on Locally Stored Data
We believe this data collection helps improve your user experience, but you may remove or disable some or all locally stored data through your browser settings, depending on your browser. While locally stored data may not be necessary to use our sites, some features will not function properly if you disable locally stored data.
While the examples above concerning information about you collected through the use of data collection tools are kept confidential in accordance with this Policy, please note that some information about the actions taken by your username is made publicly available through public logs alongside actions taken by other users. For example, a public log may include the date your account was created on an OWASP Site along with the dates that other accounts were created on an OWASP Site.
How We Use Information We Receive From You
We and our service providers use your information for the legitimate purpose of pursuing our charitable mission, including:
- Operating the OWASP Sites, sharing your contributions and administering our Services.
- Providing customized Services.
- Sending emails with news updates, surveys and communications about items we believe may be of interest to you.
- Sending optional surveys and requesting feedback.
- Improving the OWASP Sites and making your user experience safer and better.
GPS & Other Location Technologies
As stated above, we can use commonly-used location technologies to show you more relevant content. For example, our mobile apps can identify articles from the OWASP Sites about points of interest near your location. As a reminder, you can deactivate our access to these location technologies at any time, and still use the OWASP Sites.
As stated above, we may automatically receive location data from your device. Please be aware that the default setting on your mobile device typically results in the metadata associated with your photo being included in the upload. As a reminder, if you do not want metadata sent to us and made public at the time of your upload, please change your settings on your device.
When you visit any OWASP Site, we automatically receive the IP address of the device (or your proxy server) you are using to access the Internet, which could be used to infer your geographical location. We keep IP addresses confidential, except as provided in this Policy. If you are visiting OWASP Sites with your mobile device, we may use your IP address to provide anonymized or aggregated information to service providers regarding the volume of usage in certain areas.
We use this location information to make your experience with the OWASP Sites safer and better, to gain a greater understanding of user preferences and their interaction with the OWASP Sites, and to generally improve our services. For example, we use this information to provide greater security, optimize mobile applications, and learn how to expand and better support OWASP communities. We also use Personal Information in the manner described in the sections of this Policy titled “For Legal Reasons” and “To Protect You, Ourselves & Others.”
When May We Share Your Information?
With Your Permission
- We may share your information when you give us specific permission to do so, for legal reasons, and in the other circumstances described below.
- We share your information for a particular purpose, if you agree.
For Legal Reasons
We will disclose your information in response to an official legal process only if we believe it to be legally valid. We will notify you of such requests when possible.
We will access, use, preserve, and/or disclose your Personal Information if we reasonably believe it necessary to satisfy a valid and legally enforceable warrant, subpoena, court order, law or regulation, or other judicial or administrative order. However, if we believe that a particular request for disclosure of a user’s information is legally invalid or an abuse of the legal system and the affected user does not intend to oppose the disclosure themselves, we will try our best to fight it. We are committed to notifying you via email at least ten (10) calendar days, when possible, before we disclose your Personal Information in response to a legal demand. However, we may only provide notice if we are not legally restrained from contacting you, there is no credible threat to life or limb that is created or increased by disclosing the request, and you have provided us with an email address.
If the Organization is Transferred (Really Unlikely!)
To Protect You, Ourselves & Others
We, or users with certain administrative rights, may disclose information that is reasonably necessary to:
- enforce or investigate potential violations of the OWASP Foundation or community-based policies;
- protect our organization, infrastructure, employees, contractors, or the public; or
- prevent imminent or serious bodily harm or death to a person.
OWASP Sites are collaborative, with users writing most of the policies and selecting from amongst themselves people to hold certain administrative rights. These rights may include access to limited amounts of otherwise nonpublic information about recent contributions and activity by other users. They use this access to help protect against vandalism and abuse, fight harassment of other users, and generally try to minimize disruptive behavior on the OWASP Sites. These various user-selected administrative groups have their own privacy and confidentiality guidelines, but all such groups are supposed to agree to follow our Access to Nonpublic Information Policy. These user-selected administrative groups are accountable to other users through checks and balances: users are selected through a community-driven process and overseen by their peers through a logged history of their actions. However, the legal names of these users are not known to the OWASP Foundation.
We hope that this never comes up, but we may disclose your Personal Information if we believe that it’s reasonably necessary to prevent imminent and serious bodily harm or death to a person, or to protect our organization, employees, contractors, users, or the public. We may also disclose your Personal Information if we reasonably believe it necessary to detect, prevent, or otherwise assess and address potential spam, malware, fraud, abuse, unlawful activity, and security or technical concerns.
To Our Service Providers
As hard as we may try, we can’t do it all. So sometimes we use third-party service providers or contractors who help run or improve the OWASP Sites for you and other users. We give access to your Personal Information to these providers or contractors as needed to perform their services for us or to use their tools and services. We put requirements, such as confidentiality agreements, in place to help ensure that these service providers treat your information consistently with, and no less protective of your privacy than, the principles of this Policy. Our primary service providers, who may change without prior notice, include GitHub, Salesforce, Atlassian, Expensify, RegOnline, Eventbrite, PayPal, and Stripe.
If you are visiting OWASP Sites with your mobile device, we use your IP address to provide anonymized or aggregated information to service providers regarding the volume of usage in certain areas.
To Understand & Experiment
We give volunteer developers and researchers access to systems that contain your information to allow them to protect, develop, and contribute to the OWASP Sites. We also share non-Personal Information or aggregated information with third parties interested in studying the OWASP Sites. When we share information with third parties for these purposes, we put reasonable technical and contractual protections in place to protect your information consistent with this Policy. The software that powers much of the functionality of OWASP Sites depends on the contributions of volunteer software developers, who spend time writing and testing code to help it improve and evolve with our users’ needs. To facilitate their work, we give some developers limited access to systems that contain your Personal Information, but only as reasonably necessary for them to develop and contribute to the OWASP Sites.
Similarly, we share non-Personal Information or aggregated information with researchers, scholars, academics, and other interested third parties who wish to study the OWASP Sites. Sharing this information helps them understand usage, viewing, and demographics statistics and patterns. They then can share their findings with us and our users so that we can all better understand and improve the OWASP Sites.
When we give access to personal information to third-party developers or researchers, we put requirements, such as reasonable technical and contractual protections, in place to help ensure that these service providers treat your information consistently with the principles of this Policy and in accordance with our instructions. If these developers or researchers later publish their work or findings, we ask that they not disclose your personal information. Please note that, despite the obligations we impose on developers and researchers, we cannot guarantee that they will abide by our agreement, nor do we guarantee that we will regularly screen or audit their projects.
Because You Made It Public
Any information you post publicly on the OWASP Sites is just that – public. For example, if you put your mailing address on any page, that is public, and not protected by this Policy. Please think carefully about your desired level of anonymity before you disclose Personal Information on your user page or elsewhere.
How Do We Protect Your Data?
We strive to protect your information from unauthorized access, use, or disclosure. We use a variety of physical and technical measures, policies, and procedures (such as access control procedures, network firewalls, and physical security) designed to protect our systems and your Personal Information. Unfortunately, there’s no such thing as completely secure data transmission or storage, so we can’t guarantee that our security will not be breached (by technical measures or through violation of our policies and procedures).
We will never ask for your password by email (but may send you a temporary password via email if you have requested a password reset). If you ever receive an email that requests your password, please let us know by sending it to email@example.com, so we can investigate the source of the email.
How Long Do We Keep Your Data?
Except as otherwise stated in this policy, we only keep your Personal Information as long as necessary to maintain, understand and improve the OWASP Sites or to comply with U.S. law.
Once we receive Personal Information from you, we keep it for the shortest possible time that is consistent with the maintenance, understanding, and improvement of the OWASP Sites, and our obligations under applicable U.S. law. Non-personal information may be retained indefinitely.
Please remember that certain information, such as your IP address (if you edit while not logged in) and any public contributions to the OWASP Sites, is archived and displayed indefinitely by design; the transparency of the projects’ contribution and revision histories is critical to their efficacy and trustworthiness. To learn more about our data retention practices, see our data retention guidelines.
Where is the Foundation & What Does That Mean for Me?
Substantial changes to this Policy will not be made until after a public comment period of at least 30 days.
In the event of substantial changes, we will provide the proposed changes to our users in at least three (3) languages (selected at our discretion) for an open comment period lasting at least thirty (30) calendar days. Prior to the start of any comment period, we will provide notice of such changes and the opportunity to comment via the OWASP Sites, and via a notification on OWASP mailing lists.
For minor changes, such as grammatical fixes, administrative or legal changes, or corrections of inaccurate statements, we will post the changes and, when possible, provide at least three (3) calendar days’ prior notice via a notification on OWASP mailing lists.
Depending on your jurisdiction, you also may have the right to lodge a complaint with a supervisory authority competent for your country or region.