From: Mark Curphey (markcurphey.com)
Date: Mon Jul 01 2002 - 22:31:58 CDT

    Whilst I know from a large number of regular emails most participants of
    this list get a great deal of value out of it and enjoy belonging,
    you can't please all of the people all of the time (nearly broke
    into a Rolling Stones song then) and I have taken the opportunity to set
    out a list charter.

    The list charter sets out what is and isn't appropriate content, and
    explains how to deal with some common scenarios.

    Some things are certainly open for discussion and I would love to hear
    from you off-line from the list by the end of the week, if you would
    like to see things added or changed.

    We could for instance allow postings and reviews of webappsec related
    books? I think books are very different from software as the cost makes
    them generally accessible to all, however let me know what you think.

    We could take OWASP project postings to another list. I think the
    projects spark interesting debate and only add value to webappsec but
    let me know what you think. If you want them to stay let me know, if you
    want them to go let me know.

    They are just two ideas. If you have others let me know. Postings about
    commercially licensed tools or marketing messages are not up for
    discussion I am afraid.

    Subject to any changes I'll get the charter on the securityfocus.com
    sign-up page for the list so everyone can reference it within a few
    weeks and I'll review the charter once a year from now on.

    Cheers!

    Mark

    Web Application Security Mailing List - Charter V1.0

    Objective
    Whilst the webappsec list is an open and free discussion forum, in order to make the list fair and accessible to all while maintaining relevancy, we have developed this list charter. This charter sets out the list's operating rules for both posting and moderating.

    Information about subscribing, unsubscribing and the archives can be found at the end of this charter.

    Background
    The Web Application Security mailing list hosted at securityfocus.com was founded in late 1999. It was originally named "www-mobile-code" and renamed to "webappsec" in 2001 to reflect the real intent and scope. The list is moderated by Mark Curphey (markcurphey.com) who is the Director for Application Security at a large financial institution in Silicon Valley and part of OWASP - the Open Web Application Security Project (http://www.owasp.org).

    OWASP and webappsec are two different things but they are closely linked. The OWASP project was founded from discussions on the webappsec list and therefore grew from the list. OWASP projects are discussed and developed on the list.

    What is appropriate content?
    The list is an open discussion forum for most things related to web application security. Appropriate posts would fall into the following three main categories:

    News
    Specific news stories about web application security technology, standards, issues, architectures or related topics.

    Technical Discussions
    Technical discussions about specific areas of web application security. These may include design, development, deployment, testing or management.

    Announcements
    Whitepapers that deal with web application security or closely related topics may be posted. Papers that require a user to register before downloading or receiving the paper must NOT be posted and will be rejected.

    Guidelines for Posting
    All postings should be polite, non-personal and contain no defamatory or derogatory comments or foul language.
    All postings must be commercial / marketing free (discreet footnotes and email signatures are acceptable).
    All postings must be in English
    Everyone has an equal voice and all posts will be approved as long as they post within the bounds of this charter.
    Only announcements about Open Source tools that are bound by a license defined by the OSI (www.opensource.org) or no license at all will be approved. Discussions about the merits or experiences of specific commercial tools are allowed but should be conducted objectively.
    No posting should contain or discuss information relating to vulnerabilities in an actual site.
    Advisories for vulnerabilities in products or applications will not be approved. These should be directed to Bugtraq.
    Only posts in text will be approved. No HTML!

    Guidelines for Moderating
    The moderator has sole and full discretion over what is appropriate content and what is not. We reserve the right to reject any message; however, in general all posts will be approved as long as they post within the bounds of this charter.

    Conflict Resolution
    From time to time people may feel that a post was either approved that shouldn't have been or a post was not approved that should have been. The appropriate way to deal with all moderation and list management issues is to:

    1. Refer to this charter.
    2. If you still feel a mistake has been made then you should mail the moderator (markcurphey.com) offline, explain your concerns and discuss the issue.
    3. If you still feel a mistake has been made you should send the offline email discussion thread with the moderator along with your reasons why you feel this is not appropriate to Dave Ahmad (dasecurityfocus.com) and copy the moderator.

    If you are ever unsure if you should post or feel there is a justified reason why you are posting outside of the charter's scope, you can mail the moderator for advice prior to posting.

    List Management
    How do I subscribe?
    Send an e-mail message to webappsec-subscribesecurityfocus.com. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer.

    How do I unsubscribe?
    Send an e-mail message to webappsec-unsubscribesecurityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer.

    If your email address has changed, email listadminsecurityfocus.com and ask to be manually removed.

    How do I disable mail delivery temporarily?
    Unsubscribe from the list and resubscribe to start receiving mailing list traffic again.

    Is the list available in a digest format?
    Yes.

    How do I subscribe to the digest?
    Send an e-mail message to webappsec-digest-subscribesecurityfocus.com. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer.

    How do I unsubscribe from the digest?
    Send an e-mail message to webappsec-digest-unsubscribesecurityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer.

    I seem to not be able to unsubscribe. What is going on?
    You are probably subscribed from a different address than that from which you are sending commands to the list. Either send email from the appropriate address or email listadminsecurityfocus.com to be unsubscribed manually.

    Can you add a tag like "[webappsec]" to the subject line of each message?
    Not at this time.

    How can I tell whether I am subscribed to the list?
    Send an e-mail message to webappsec-querysecurityfocus.com. If you want to test whether you are subscribed to the digest send an e-mail message to webappsec-digest-querysecurityfocus.com.