OCA Governance

This document defines the Open Cybersecurity Alliance (OCA) community governance per OASIS Open Projects Governance Policy. This document changes infrequently by the process defined below.

Overview

Open Cybersecurity Alliance (OCA), an OASIS Open Project, is committed to building an open, inclusive, productive and self-governing open source community. The community is governed by this document and in accordance with OASIS Open Project Rules, with the goal of defining how the community should work together to achieve its goals.

Code Repositories

This document applies to all code repositories under the Open Cybersecurity Alliance GitHub organization, which resides at https://github.com/opencybersecurityalliance.

Project Leadership

The OCA is overseen by the following committees:

  • Project Governing Board (PGB): Group responsible for the overall lifecycle or business strategy of the project. Oversees activities such as events, marketing, partnerships, promotion, budget, and so forth.

  • Technical Steering Committee (TSC): Group responsible for the overall technical health and direction of the project; final reviewers of PRs, responsible for releases, responsible for overseeing work of Maintainers and community leaders.

A list of current TSC and PGB members can be found at https://opencybersecurityalliance.org/governance.

Community Roles

In addition to the project leadership, important roles may be filled by community members:

Contributors: A Contributor is someone who has agreed to the Contributor License Agreement (CLA) and who makes regular contributions to one or more OCA projects (including but not limited to activities such as documentation, code reviews, responding to issues, participation in proposal discussions, contributing code, etc.). Any person (whether or not an OASIS member or OCA sponsor) may participate in the OCA as a Contributor. The role of contributor is furthermore defined in the OASIS Open Project Rules.

Maintainers: A Maintainer is someone who has agreed to the Contributor License Agreement (CLA) and has been selected by the TSC to oversee one or more components of an OCA project, review code and pull requests, prepare releases, triage issues, and similar tasks. Maintainers and their requisite duties are managed by the TSC. Any person (whether or not an OASIS member or OCA sponsor) may be appointed as a project Maintainer. The role of Maintainer is furthermore defined in the OASIS Open Project Rules.

Project Governing Board

Composition

The PGB must at all times have a chair or two co-chairs. The PGB chair or co-chairs are confirmed annually by the PGB itself via a call for nominations, and if required, a full majority vote of the PGB.

Decisions

For most decisions, the PGB operates by lazy consensus. In addition to the votes required by OASIS Open Project Rules, decisions on the following items require a full majority vote of the PGB:

  • Any action or decision that may bind the OCA to commitments or obligations with any external party or entity, including but not limited to legal, financial, or intellectual property related commitments or obligations
  • Promoting work to an OASIS standards track
  • Starting or consuming a new project into the OCA
  • Endorsements, partnerships, or liaisons with other groups
  • Substantive changes to the Governance policies or documents
  • The TSC recall procedure

Technical Steering Committee

Composition

Nominees for the TSC can be submitted by any individual to the PGB. TSC members are appointed at the discretion of the PGB, and are reconfirmed by the PGB on a 2-year basis, or until they voluntarily resign or are recalled according to the recall procedure outlined below.

The TSC must at all times have a chair or two co-chairs. The TSC chair or co-chairs are confirmed annually by the TSC itself via a call for nominations, and if required, a full majority vote of the TSC.

Decisions

PGB members are permitted to fully participate in the TSC if they so choose, but their presence in meetings shall not affect quorum calculations for meetings or ballots. At their own discretion, they may participate in all TSC discussions and decisions, including but not limited to casting votes on any balloted measures.

For most decisions, the TSC operates by lazy consensus. The TSC may, at its own discretion, delegate authority on minor technical decisions to Maintainers in the community, including but not limited to:

  • Tagging of minor versions of a project
  • Creation and merging/removal of feature branches
  • Acceptance or rejection of specific defects, feature requests, user stories
  • Merging of pull requests

Decisions on the following items must be made based on a Simple Majority Vote:

  • Tagging / releasing of a new major version of a project
  • Recommending work to the PGB for promotion to the standards track
  • Appointment of new Maintainers

Recall Procedure

Any community member may submit a request for recall of a TSC member to the PGB at any time by submitting the request and sufficient justification to the PGB chair or co-chairs. Such requests shall be held in confidence by the PGB chair or co-chairs. In the event of receipt of such a request, the chair or co-chairs shall schedule the recall as an item for discussion at the next PGB meeting, which shall be held no later than 30 days after the receipt of the request. After subsequent discussion, the recall shall be decided upon by a full majority vote of the PGB. In the event of a recall vote passing, the TSC member shall at that time be considered immediately recalled and be relieved of all responsibilities conferred via the position.

Incubation Process

At this time, new projects may be accepted into the OCA at the sole discretion of the PGB.

Updating Governance

All substantive changes in Governance require a full majority vote of the PGB.