CINXE.COM

Whistleblower Protection Policy

<!doctype html><html lang="en" class="web tlp-clear" data-studio-config="eyJ4aHJDcmVkZW50aWFscyI6ZmFsc2UsInhockhlYWRlcnMiOnt9fQo="><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><title>Whistleblower Protection Policy</title> <meta property="og:title" content="Whistleblower Protection Policy" /> <meta property="og:type" content="website" /> <meta property="og:image" content="https://www.first.org/_/img/first-big-icon.png" /> <meta property="og:url" content="https://www.first.org/about/policies/whistleblower-policy" /> <meta property="og:site_name" content="FIRST — Forum of Incident Response and Security Teams" /> <meta property="fb:profile_id" content="296983660669109" /> <meta property="twitter:card" content="summary" /> <meta property="twitter:site" content="@FIRSTdotOrg" /><meta name="viewport" content="initial-scale=1,maximum-scale=1.0,user-scalable=no" /><link rel="icon" type="image/png" href="/1st.png" /><link rel="apple-touch-icon" sizes="128x128" href="/favicon.png" /><link rel="stylesheet" type="text/css" href="/_/web.css?20250110194732" /></head><body><header><div id="header" data-studio="CU52CV1W8g"><div id="c3" data-studio="Yu8FjCC11g"><div id="topbar"> <div class="sites right"> <ul> <li><a href="https://support.first.org" class="kb-datalist"><img src="/_/img/icon-portal_support.svg" alt="FIRST Support" title="FIRST Support" /></a></li> <li><a href="https://portal.first.org" class="button"><span class="no-tiny">Member </span>Portal</a></li> </ul> </div> <div class="first-logo"> <p><a href="/"><img src="/_/img/first-org-simple-negative.svg" alt="FIRST.Org" title="FIRST" /></a></p> </div> <div class="nav"> <ul class="navbar"><li><a href="/about">About FIRST</a><ul><li><a href="/about/mission">Mission Statement</a></li><li><a href="/about/history">History</a></li><li><a href="/about/sdg">Sustainable Development Goals</a></li><li><a href="/about/organization">Organization</a><ul><li><a href="/about/organization/directors">Board of Directors</a></li><li><a>Operations Team</a><ul><li><a href="/about/organization/ccb">Community &amp; Capacity Building</a></li><li><a href="/about/organization/events">Event Office</a></li><li><a href="/about/organization/executive-director">Executive Director</a></li><li><a href="/about/organization/infrastructure">Infrastructure</a></li><li><a href="/about/organization/secretariat">Secretariat</a></li></ul></li><li><a href="/about/organization/committees">Committees</a><ul><li><a href="/about/organization/committees/compensation-committee">Compensation Committee</a></li><li><a href="/about/organization/committees/conference-program-committee">Conference Program Committee</a></li><li><a href="/about/organization/committees/membership-committee">Membership Committee</a></li><li><a href="/about/organization/committees/rules-committee">Rules Committee</a></li><li><a href="/about/organization/committees/standards">Standards Committee</a></li></ul></li><li><a href="/events/agm">Annual General Meeting</a></li><li><a href="/about/organization/reports">Annual Reports and Tax Filings</a></li></ul></li><li><a href="/about/policies">FIRST Policies</a><ul><li><a href="/about/policies/anti-corruption">Anti-Corruption Policy</a></li><li><a href="/about/policies/antitrust">Antitrust Policy</a></li><li><a href="/about/policies/bylaws">Bylaws</a></li><li><a href="/about/policies/board-duties">Board duties</a></li><li><a href="/about/bugs">Bug Bounty Program</a></li><li><a href="/about/policies/code-of-conduct">Code of Conduct</a></li><li><a href="/about/policies/conflict-policy">Conflict of Interest Policy</a></li><li><a href="/about/policies/doc-rec-retention-policy">Document Record Retention and Destruction Policy</a></li><li><a href="/newsroom/policy">FIRST Press Policy</a></li><li><a href="/about/policies/gen-event-reg-refund-policy">General Event Registration Refund Policy</a></li><li><a href="/about/policies/event-site-selection">Guidelines for Site Selection for all FIRST events</a></li><li><a href="/identity">Identity &amp; Logo Usage</a></li><li><a href="/about/policies/mailing-list">Mailing List Policy</a></li><li><a href="/about/policies/media">Media Policy</a></li><li><a href="/about/policies/privacy">Privacy Policy</a></li><li><a href="/about/policies/registration-terms-conditions">Registration Terms &amp; Conditions</a></li><li><a href="/about/policies/terms">Services Terms of Use</a></li><li><a href="/about/policies/standards">Standards Policy</a></li><li><a href="/about/policies/diversity">Statement on Diversity &amp; Inclusion</a></li><li><a href="/about/policies/translation-policy">Translation Policy</a></li><li><a href="/about/policies/travel-policy">Travel Policy</a></li><li><a href="/about/policies/uniform-ipr">Uniform IPR Policy</a></li><li><a href="/about/policies/whistleblower-policy">Whistleblower Protection Policy</a></li></ul></li><li><a href="/about/partners">Partnerships</a><ul><li><a href="/global/partners">Partners</a></li><li><a href="/global/friends">Friends of FIRST</a></li><li><a href="/global/supporters/">FIRST Supporters</a></li><li><a href="/about/sponsors">FIRST Sponsors</a></li></ul></li><li><a href="/newsroom">Newsroom</a><ul><li><a href="/newsroom/news">What&#039;s New</a></li><li><a href="/newsroom/releases">Press Releases</a></li><li><a href="/newsroom/news/media">In the News</a></li><li><a href="/podcasts">Podcasts</a><ul><li><a href="/newsroom/news/first-impressions/">FIRST Impressions Podcast</a></li><li><a href="/newsroom/news/podcasts/">FIRSTCON Podcast</a></li></ul></li><li><a href="/newsroom/newsletters">Newsletters</a></li><li><a href="/newsroom/policy">FIRST Press Policy</a></li></ul></li><li><a href="/about/procurement">Procurement</a></li><li><a href="/about/jobs/">Jobs</a></li><li><a href="/contact">Contact</a></li></ul></li><li><a href="/members">Membership</a><ul><li><a href="/membership/">Becoming a Member</a><ul><li><a href="/membership/process">Membership Process for Teams</a></li><li><a href="/membership/process-associates">Membership Process for Associates</a></li><li><a href="/membership/process-liaisons">Membership Process for Liaisons</a></li><li><a href="/membership/#Fees">Membership Fees</a></li></ul></li><li><a href="/members/teams">FIRST Teams</a></li><li><a href="/members/liaisons">FIRST Liaisons</a></li><li><a href="/members/map">Members around the world</a></li></ul></li><li><a href="/global">Initiatives</a><ul><li><a href="/global/sigs">Special Interest Groups (SIGs)</a><ul><li><a href="/global/sigs/framework">SIGs Framework</a></li><li><a href="/global/sigs/academicsec" class="borderb">Academic Security SIG</a></li><li><a href="/global/sigs/ai-security">AI Security SIG</a></li><li><a href="/global/sigs/automation">Automation SIG</a></li><li><a href="/global/sigs/bigdata">Big Data SIG</a></li><li><a href="/cvss">Common Vulnerability Scoring System (CVSS-SIG)</a><ul><li><a href="/cvss/calculator/4.0">Calculator</a></li><li><a href="/cvss/v4.0/specification-document">Specification Document</a></li><li><a href="/cvss/v4.0/user-guide">User Guide</a></li><li><a href="/cvss/v4.0/examples">Examples</a></li><li><a href="/cvss/v4.0/faq">Frequently Asked Questions</a></li><li><a href="/cvss/v4-0">CVSS v4.0 Documentation &amp; Resources</a><ul><li><a href="/cvss/calculator/4.0">CVSS v4.0 Calculator</a></li><li><a href="/cvss/v4.0/specification-document">CVSS v4.0 Specification Document</a></li><li><a href="/cvss/v4.0/user-guide">CVSS v4.0 User Guide</a></li><li><a href="/cvss/v4.0/examples">CVSS v4.0 Examples</a></li><li><a href="/cvss/v4.0/faq">CVSS v4.0 FAQ</a></li></ul></li><li><a href="/cvss/v3-1">CVSS v3.1 Archive</a><ul><li><a href="/cvss/calculator/3.1">CVSS v3.1 Calculator</a></li><li><a href="/cvss/v3.1/specification-document">CVSS v3.1 Specification Document</a></li><li><a href="/cvss/v3.1/user-guide">CVSS v3.1 User Guide</a></li><li><a href="/cvss/v3.1/examples">CVSS v3.1 Examples</a></li><li><a href="/cvss/v3.1/use-design">CVSS v3.1 Calculator Use &amp; Design</a></li></ul></li><li><a href="/cvss/v3-0">CVSS v3.0 Archive</a><ul><li><a href="/cvss/calculator/3.0">CVSS v3.0 Calculator</a></li><li><a href="/cvss/v3.0/specification-document">CVSS v3.0 Specification Document</a></li><li><a href="/cvss/v3.0/user-guide">CVSS v3.0 User Guide</a></li><li><a href="/cvss/v3.0/examples">CVSS v3.0 Examples</a></li><li><a href="/cvss/v3.0/use-design">CVSS v3.0 Calculator Use &amp; Design</a></li></ul></li><li><a href="/cvss/v2">CVSS v2 Archive</a><ul><li><a href="/cvss/v2/guide">CVSS v2 Complete Documentation</a></li><li><a href="/cvss/v2/history">CVSS v2 History</a></li><li><a href="/cvss/v2/team">CVSS-SIG team</a></li><li><a href="/cvss/v2/meetings">SIG Meetings</a></li><li><a href="/cvss/v2/faq">Frequently Asked Questions</a></li><li><a href="/cvss/v2/adopters">CVSS Adopters</a></li><li><a href="/cvss/v2/links">CVSS Links</a></li></ul></li><li><a href="/cvss/v1">CVSS v1 Archive</a><ul><li><a href="/cvss/v1/intro">Introduction to CVSS</a></li><li><a href="/cvss/v1/faq">Frequently Asked Questions</a></li><li><a href="/cvss/v1/guide">Complete CVSS v1 Guide</a></li></ul></li><li><a href="/cvss/data-representations">JSON &amp; XML Data Representations</a></li><li><a href="/cvss/training">CVSS On-Line Training Course</a></li><li><a href="/cvss/identity">Identity &amp; logo usage</a></li></ul></li><li><a href="/global/sigs/csirt">CSIRT Framework Development SIG</a></li><li><a href="/global/sigs/cyberinsurance">Cyber Insurance SIG</a><ul><li><a href="/global/sigs/cyberinsurance/events">Cyber Insurance SIG Webinars</a></li></ul></li><li><a href="/global/sigs/cti">Cyber Threat Intelligence SIG</a><ul><li><a href="/global/sigs/cti/curriculum/">Curriculum</a><ul><li><a href="/global/sigs/cti/curriculum/introduction">Introduction</a></li><li><a href="/global/sigs/cti/curriculum/cti-introduction">Introduction to CTI as a General topic</a></li><li><a href="/global/sigs/cti/curriculum/methods-methodology">Methods and Methodology</a></li><li><a href="/global/sigs/cti/curriculum/pir">Priority Intelligence Requirement (PIR)</a></li><li><a href="/global/sigs/cti/curriculum/source-evaluation">Source Evaluation and Information Reliability</a></li><li><a href="/global/sigs/cti/curriculum/machine-human">Machine and Human Analysis Techniques (and Intelligence Cycle)</a></li><li><a href="/global/sigs/cti/curriculum/threat-modelling">Threat Modelling</a></li><li><a href="/global/sigs/cti/curriculum/training">Training</a></li><li><a href="/global/sigs/cti/curriculum/standards">Standards</a></li><li><a href="/global/sigs/cti/curriculum/glossary">Glossary</a></li><li><a href="/global/sigs/cti/curriculum/cti-reporting/">Communicating Uncertainties in CTI Reporting</a></li></ul></li><li><a href="/global/sigs/cti/events/">Webinars and Online Training</a></li><li><a href="/global/sigs/cti/cti-program">Building a CTI program and team</a><ul><li><a href="/global/sigs/cti/cti-program/program-stages">Program maturity stages</a><ul><li><a href="/global/sigs/cti/cti-program/stage1">CTI Maturity model - Stage 1</a></li><li><a href="/global/sigs/cti/cti-program/stage2">CTI Maturity model - Stage 2</a></li><li><a href="/global/sigs/cti/cti-program/stage3">CTI Maturity model - Stage 3</a></li></ul></li><li><a href="/global/sigs/cti/cti-program/starter-kit">Program Starter Kit</a></li><li><a href="/global/sigs/cti/cti-program/resources">Resources and supporting materials</a></li></ul></li></ul></li><li><a href="/global/sigs/digital-safety">Digital Safety SIG</a></li><li><a href="/global/sigs/dns">DNS Abuse SIG</a><ul><li><a href="/global/sigs/dns/stakeholder-advice/">Stakeholder Advice</a><ul><li><a>Detection</a><ul><li><a href="/global/sigs/dns/stakeholder-advice/detection/cache-poisoning">Cache Poisoning</a></li><li><a href="/global/sigs/dns/stakeholder-advice/detection/dga">DGA Domains</a></li><li><a href="/global/sigs/dns/stakeholder-advice/detection/dns-as-a-vector-for-dos">DNS As a Vector for DoS</a></li><li><a href="/global/sigs/dns/stakeholder-advice/detection/dns-rebinding">DNS Rebinding</a></li><li><a href="/global/sigs/dns/stakeholder-advice/detection/dns-server-compromise">DNS Server Compromise</a></li><li><a href="/global/sigs/dns/stakeholder-advice/detection/dos-against-the-dns">DoS Against the DNS</a></li><li><a href="/global/sigs/dns/stakeholder-advice/detection/domain-name-compromise">Domain Name Compromise</a></li><li><a href="/global/sigs/dns/stakeholder-advice/detection/lame-delegations">Lame Delegations</a></li><li><a href="/global/sigs/dns/stakeholder-advice/detection/local-resolver-hijacking">Local Resolver Hijacking</a></li><li><a href="/global/sigs/dns/stakeholder-advice/detection/on-path-dns-attack">On-path DNS Attack</a></li><li><a href="/global/sigs/dns/stakeholder-advice/detection/stub-resolver-hijacking">Stub Resolver Hijacking</a></li></ul></li></ul></li><li><a href="/global/sigs/dns/policies">Code of Conduct &amp; Other Policies</a></li><li><a href="/global/sigs/dns/dns-abuse-examples">Examples of DNS Abuse</a></li></ul></li><li><a href="/global/sigs/ethics">Ethics SIG</a><ul><li><a href="/global/sigs/ethics/ethics-first">Ethics for Incident Response Teams</a></li></ul></li><li><a href="/epss/">Exploit Prediction Scoring System (EPSS)</a><ul><li><a href="/epss/model">The EPSS Model</a></li><li><a href="/epss/data_stats">Data and Statistics</a></li><li><a href="/epss/user-guide">User Guide</a></li><li><a href="/epss/research">EPSS Research and Presentations</a></li><li><a href="/epss/faq">Frequently Asked Questions</a></li><li><a href="/epss/who_is_using">Who is using EPSS?</a></li><li><a href="/epss/epss_tools">Open-source EPSS Tools</a></li><li><a href="/epss/api">API</a></li><li><a href="/epss/papers">Related Exploit Research</a></li><li><a>Blog</a><ul><li><a href="/epss/articles/prob_percentile_bins">Understanding EPSS Probabilities and Percentiles</a></li><li><a href="/epss/articles/log4shell">Log4Shell Use Case</a></li><li><a href="/epss/articles/estimating_old_cvss">Estimating CVSS v3 Scores for 100,000 Older Vulnerabilities</a></li></ul></li><li><a href="/epss/partners">Data Partners</a></li></ul></li><li><a href="/global/sigs/msr/">FIRST Multi-Stakeholder Ransomware SIG</a></li><li><a href="/global/sigs/hfs/">Human Factors in Security SIG</a></li><li><a href="/global/sigs/ics">Industrial Control Systems SIG (ICS-SIG)</a></li><li><a href="/global/sigs/iep">Information Exchange Policy SIG (IEP-SIG)</a></li><li><a href="/global/sigs/information-sharing">Information Sharing SIG</a><ul><li><a href="/global/sigs/information-sharing/misp">Malware Information Sharing Platform</a></li></ul></li><li><a href="/global/sigs/le">Law Enforcement SIG</a></li><li><a href="/global/sigs/malware">Malware Analysis SIG</a><ul><li><a href="/global/sigs/malware/ma-framework">Malware Analysis Framework</a></li><li><a href="/global/sigs/malware/ma-framework/malwaretools">Malware Analysis Tools</a></li></ul></li><li><a href="/global/sigs/metrics">Metrics SIG</a><ul><li><a href="/global/sigs/metrics/events">Metrics SIG Webinars</a></li></ul></li><li><a href="/global/sigs/netsec/">NETSEC SIG</a></li><li><a href="/global/sigs/passive-dns">Passive DNS Exchange</a></li><li><a href="/global/sigs/policy">Policy SIG</a></li><li><a href="/global/sigs/psirt">PSIRT SIG</a></li><li><a href="/global/sigs/red-team">Red Team SIG</a></li><li><a href="/global/sigs/cpg">Retail and Consumer Packaged Goods (CPG) SIG</a></li><li><a href="/global/sigs/ctf">Security Lounge SIG</a></li><li><a href="/global/sigs/tic/">Threat Intel Coalition SIG</a><ul><li><a href="/global/sigs/tic/membership-rules">Membership Requirements and Veto Rules</a></li></ul></li><li><a href="/global/sigs/tlp">Traffic Light Protocol (TLP-SIG)</a></li><li><a href="/global/sigs/transport">Transportation and Mobility SIG</a></li><li><a href="/global/sigs/vulnerability-coordination">Vulnerability Coordination</a><ul><li><a href="/global/sigs/vulnerability-coordination/multiparty">Multi-Party Vulnerability Coordination and Disclosure</a></li><li><a href="/global/sigs/vulnerability-coordination/multiparty/guidelines">Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure</a></li></ul></li><li><a href="/global/sigs/vrdx">Vulnerability Reporting and Data eXchange SIG (VRDX-SIG)</a><ul><li><a href="/global/sigs/vrdx/vdb-catalog">Vulnerability Database Catalog</a></li></ul></li><li><a href="/global/sigs/wof">Women of FIRST</a></li></ul></li><li><a href="/global/governance">Internet Governance</a></li><li><a href="/global/irt-database">IR Database</a></li><li><a href="/global/fellowship">Fellowship Program</a><ul><li><a href="https://portal.first.org/fellowship">Application Form</a></li></ul></li><li><a href="/global/mentorship">Mentorship Program</a></li><li><a href="/hof">IR Hall of Fame</a><ul><li><a href="/hof/inductees">Hall of Fame Inductees</a></li></ul></li><li><a href="/global/victim-notification">Victim Notification</a></li><li><a href="/volunteers/">Volunteers at FIRST</a><ul><li><a href="/volunteers/list">FIRST Volunteers</a></li><li><a href="/volunteers/participation">Volunteer Contribution Record</a></li></ul></li><li><a href="#new">Previous Activities</a><ul><li><a href="/global/practices">Best Practices Contest</a></li></ul></li></ul></li><li><a href="/standards">Standards &amp; Publications</a><ul><li><a href="/standards">Standards</a><ul><li><a href="/cvss">Common Vulnerability Scoring System (CVSS-SIG)</a></li><li><a href="/tlp">Traffic Light Protocol (TLP)</a><ul><li><a href="/tlp/use-cases">TLP Use Cases</a></li></ul></li><li><a href="/standards/frameworks/">Service Frameworks</a><ul><li><a href="/standards/frameworks/csirts">CSIRT Services Framework</a></li><li><a href="/standards/frameworks/psirts">PSIRT Services Framework</a></li></ul></li><li><a href="/iep">Information Exchange Policy (IEP)</a><ul><li><a href="/iep/iep_framework_2_0">IEP 2.0 Framework</a></li><li><a href="/iep/iep-json-2_0">IEP 2.0 JSON Specification</a></li><li><a href="/iep/iep-polices">Standard IEP Policies</a><ul><li><a href="https://www.first.org/iep/2.0/first-tlp-iep.iepj">IEP TLP Policy File</a></li><li><a href="https://www.first.org/iep/2.0/first-unknown-iep.iepj">IEP Unknown Policy File</a></li></ul></li><li><a href="/iep/iep_v1_0">IEP 1.0 Archive</a></li></ul></li><li><a href="/global/sigs/passive-dns">Passive DNS Exchange</a></li><li><a href="/epss">Exploit Prediction Scoring System (EPSS)</a></li></ul></li><li><a href="/resources/papers">Publications</a></li></ul></li><li><a href="/events">Events</a></li><li><a href="/education">Education</a><ul><li><a href="/education/first-training">FIRST Training</a><ul><li><a href="/education/trainings">Training Courses</a></li><li><a href="/education/trainers">FIRST Trainers</a></li></ul></li></ul></li><li><a href="/blog">Blog</a></li></ul> </div> </div> <div id="home-buttons"> <p><a href="/join" data-title="Join"><img alt="Join" src="/_/img/icon-join.svg"><span class="tt-join">Join<span>Details about FIRST membership and joining as a full member or liaison.</span></span></a> <a href="/learn" data-title="Learn"><img alt="Learn" src="/_/img/icon-learn.svg"><span class="tt-learn">Learn<span>Training and workshop opportunities, and details about the FIRST learning platform.</span></span></a> <a href="/participate" data-title="Participate"><img alt="Participate" src="/_/img/icon-participate.svg"><span class="tt-participate">Participate<span>Read about upcoming events, SIGs, and know what is going on.</span></span></a></p> </div></div></div></header><div id="body" data-studio="CU52CV1W8g"><div id="c1" data-studio="Yu8FjCC11g" class="toc-h2 toc-h3"><h1 id="Whistleblower-Protection-Policy">Whistleblower Protection Policy</h1> <p>Also available as <a href="FIRST-whistleblower-protection-policy.pdf">PDF</a>(160KB)</p> <p>In keeping with the policy of maintaining the highest standards of conduct and ethics, FIRST will investigate any suspected fraudulent or dishonest use or misuse of FIRST's resources or property by staff, board members, consultants, or volunteers. Staff, board members, consultants, and volunteers are encouraged to report suspected fraudulent or dishonest conduct (i.e., to act as &quot;whistleblower&quot;), pursuant to the procedures set forth below.</p> <h2 id="Reporting">Reporting</h2> <p>A person's concerns about possible fraudulent or dishonest use or misuse of resources or property should be reported to a board member or the FIRST Secretariat. Alternately, to facilitate reporting of suspected violations where the reporter wishes to remain anonymous, a written statement may be submitted to one of the individuals listed above.</p> <h2 id="Definitions">Definitions</h2> <h3 id="Baseless-Allegations">Baseless Allegations</h3> <p>Allegations made with reckless disregard for their truth or falsity or allegations that were made maliciously or not in good faith. Individuals making such allegations may be subject to disciplinary action by FIRST and/or legal claims by individuals accused of such conduct.</p> <h3 id="Fraudulent-or-Dishonest-Conduct">Fraudulent or Dishonest Conduct</h3> <p>A deliberate act or failure to act with the intention of obtaining an unauthorized benefit. A non-exhaustive list of examples of such conduct include the following:</p> <ul> <li>Forgery or alteration of documents</li> <li>Unauthorized alteration or manipulation of computer files</li> <li>Pursuit of a benefit or advantage in violation of FIRST's conflict-of-interest policy</li> <li>Misappropriation or misuse of FIRST resources, such as funds, supplies, or other assets</li> <li>Authorizing or receiving compensation for goods not received or services not performed, or paying for services or goods that are not rendered or delivered</li> <li>Authorizing or receiving compensation for hours not worked</li> <li>Supplying false or misleading information on FIRST's financial or other public documents, including its Form 990 (Annual Information Return)</li> <li>Providing false information to or withholding material information from FIRST's board or auditors</li> <li>Destroying, altering, mutilating, concealing, covering up, falsifying, or making a false entry in any records that may be connected to an official proceeding, in violation of federal or state law or regulations or otherwise obstructing, influencing, or impeding any official proceeding, in violation of federal or state law or regulations</li> <li>Embezzling, self-dealing, or otherwise obtaining an unlawful private benefit (i.e., FIRST assets being used by anyone in the organization improperly for personal gain).</li> </ul> <h3 id="Whistleblower">Whistleblower</h3> <p>An employee, consultant, or volunteer who informs a supervisor or the Chair about an activity relating to FIRST which that person believes to be fraudulent or dishonest.</p> <h2 id="Responsibilities-and-Investigations">Responsibilities and Investigations</h2> <h3 id="Board-Members-and-FIRST-Secretariat">Board Members and FIRST Secretariat</h3> <p>Board Members and the FIRST Secretariat are required to report suspected fraudulent or dishonest conduct to the Chair. Reasonable care should be taken in dealing with suspected misconduct to avoid</p> <ul> <li>Baseless allegations</li> <li>Premature notice to persons suspected of misconduct and/or disclosure of suspected misconduct to others not involved with the investigation</li> <li>Violations of a person's rights under law</li> </ul> <p>Due to the important, yet sensitive, nature of the suspected violations, effective professional follow-up is critical. Supervisors should not perform any investigative or other follow-up steps on their own. Accordingly, a supervisor who becomes aware of suspected misconduct should report it to the Chair, but should not without prior permission take steps on his or her own to do any of the following:</p> <ul> <li>Contact the person suspected to further investigate the matter or demand restitution</li> <li>Discuss the case with attorneys, the media, or anyone other than the Chair</li> <li>Report the case to an authorized law enforcement officer without first discussing the case with the Chair</li> </ul> <h3 id="Investigation">Investigation</h3> <p>All relevant matters, including suspected but unproved matters, will be reviewed and analyzed by an appropriate person designated by the Chair or the Board. This may include an investigation by legal counsel and/or accountants in some instances. All investigations will be kept confidential to the extent feasible. Appropriate corrective action will be taken, if necessary, and findings will be communicated to the reporting person and his or her supervisor.</p> <h3 id="Whistleblower-Protection">Whistleblower Protection</h3> <ul> <li>FIRST will use its best efforts to protect whistleblowers against retaliation. Whistleblowing complaints will be handled with sensitivity, discretion, and confidentiality to the extent allowed by the circumstances and the law. Generally, this means that whistleblower complaints will only be shared with those who have a need to know so that FIRST can conduct an effective investigation, determine what action to take based on the results of any such investigation, and in appropriate cases, with law enforcement personnel. (Should disciplinary or legal action be taken against a person or persons as a result of a whistleblower complaint, such persons may also have the right to know the identity of the whistleblower.)</li> <li>Employees, consultants, and volunteers of FIRST may not retaliate against a whistleblower for informing management about an activity which that person believes in good faith to be fraudulent or dishonest with the intent or effect of adversely affecting the terms or conditions of the whistleblower's employment, including but not limited to, threats of physical harm, loss of job, punitive work assignments, or impact on salary or fees. Whistleblowers who believe that they have been retaliated against may file a written complaint with the Chair. Any complaint of retaliation will be promptly investigated and appropriate corrective measures taken if allegations of retaliation are substantiated. This protection from retaliation is not intended to prohibit supervisors from taking action, including disciplinary action, in the usual scope of their duties and based on valid performance-related factors.</li> <li>Whistleblowers must be cautious to avoid baseless allegations (as described earlier in the definitions section of this policy). Allegations that are baseless and not made in good faith may result in disciplinary action.</li> </ul></div></div><div id="navbar" data-studio="CU52CV1W8g"><div id="c4" data-studio="Yu8FjCC11g"><ul class="navbar"><li><a href="/about">About FIRST</a><ul><li><a href="/about/mission">Mission Statement</a></li><li><a href="/about/history">History</a></li><li><a href="/about/sdg">Sustainable Development Goals</a></li><li><a href="/about/organization">Organization</a><ul><li><a href="/about/organization/directors">Board of Directors</a></li><li><a>Operations Team</a><ul><li><a href="/about/organization/ccb">Community &amp; Capacity Building</a></li><li><a href="/about/organization/events">Event Office</a></li><li><a href="/about/organization/executive-director">Executive Director</a></li><li><a href="/about/organization/infrastructure">Infrastructure</a></li><li><a href="/about/organization/secretariat">Secretariat</a></li></ul></li><li><a href="/about/organization/committees">Committees</a><ul><li><a href="/about/organization/committees/compensation-committee">Compensation Committee</a></li><li><a href="/about/organization/committees/conference-program-committee">Conference Program Committee</a></li><li><a href="/about/organization/committees/membership-committee">Membership Committee</a></li><li><a href="/about/organization/committees/rules-committee">Rules Committee</a></li><li><a href="/about/organization/committees/standards">Standards Committee</a></li></ul></li><li><a href="/events/agm">Annual General Meeting</a></li><li><a href="/about/organization/reports">Annual Reports and Tax Filings</a></li></ul></li><li><a href="/about/policies">FIRST Policies</a><ul><li><a href="/about/policies/anti-corruption">Anti-Corruption Policy</a></li><li><a href="/about/policies/antitrust">Antitrust Policy</a></li><li><a href="/about/policies/bylaws">Bylaws</a></li><li><a href="/about/policies/board-duties">Board duties</a></li><li><a href="/about/bugs">Bug Bounty Program</a></li><li><a href="/about/policies/code-of-conduct">Code of Conduct</a></li><li><a href="/about/policies/conflict-policy">Conflict of Interest Policy</a></li><li><a href="/about/policies/doc-rec-retention-policy">Document Record Retention and Destruction Policy</a></li><li><a href="/newsroom/policy">FIRST Press Policy</a></li><li><a href="/about/policies/gen-event-reg-refund-policy">General Event Registration Refund Policy</a></li><li><a href="/about/policies/event-site-selection">Guidelines for Site Selection for all FIRST events</a></li><li><a href="/identity">Identity &amp; Logo Usage</a></li><li><a href="/about/policies/mailing-list">Mailing List Policy</a></li><li><a href="/about/policies/media">Media Policy</a></li><li><a href="/about/policies/privacy">Privacy Policy</a></li><li><a href="/about/policies/registration-terms-conditions">Registration Terms &amp; Conditions</a></li><li><a href="/about/policies/terms">Services Terms of Use</a></li><li><a href="/about/policies/standards">Standards Policy</a></li><li><a href="/about/policies/diversity">Statement on Diversity &amp; Inclusion</a></li><li><a href="/about/policies/translation-policy">Translation Policy</a></li><li><a href="/about/policies/travel-policy">Travel Policy</a></li><li><a href="/about/policies/uniform-ipr">Uniform IPR Policy</a></li><li><a href="/about/policies/whistleblower-policy">Whistleblower Protection Policy</a></li></ul></li><li><a href="/about/partners">Partnerships</a><ul><li><a href="/global/partners">Partners</a></li><li><a href="/global/friends">Friends of FIRST</a></li><li><a href="/global/supporters/">FIRST Supporters</a></li><li><a href="/about/sponsors">FIRST Sponsors</a></li></ul></li><li><a href="/newsroom">Newsroom</a><ul><li><a href="/newsroom/news">What&#039;s New</a></li><li><a href="/newsroom/releases">Press Releases</a></li><li><a href="/newsroom/news/media">In the News</a></li><li><a href="/podcasts">Podcasts</a><ul><li><a href="/newsroom/news/first-impressions/">FIRST Impressions Podcast</a></li><li><a href="/newsroom/news/podcasts/">FIRSTCON Podcast</a></li></ul></li><li><a href="/newsroom/newsletters">Newsletters</a></li><li><a href="/newsroom/policy">FIRST Press Policy</a></li></ul></li><li><a href="/about/procurement">Procurement</a></li><li><a href="/about/jobs/">Jobs</a></li><li><a href="/contact">Contact</a></li></ul></li></ul></div></div><div id="sidebar" data-studio="CU52CV1W8g"></div><footer><div id="footer" data-studio="CU52CV1W8g"><div id="c2" data-studio="Yu8FjCC11g"><div class="content"> <div class="support"> <div class="kbsearch bottom"> <p><a href="https://support.first.org"><img src="/_/img/icon-portal_support.svg" alt="FIRST Support" title="FIRST Support" /></a> <input class="kb-search" type="search" placeholder="Do you need help?"></p> </div> </div> <div id="socialnetworks"><a href="/about/sdg" title="FIRST Supported Sustainable Development Goals (SDG)" class="icon-sdg"></a><a rel="me" href="https://bsky.app/profile/first.org" target="_blank" title="BlueSky @first.org" class="icon-bluesky"></a><a rel="me" href="https://infosec.exchange/@firstdotorg" target="_blank" title="@FIRSTdotOrg@infosec.exchange" class="icon-mastodon"></a><a href="https://twitter.com/FIRSTdotOrg" target="_blank" title="Twitter @FIRSTdotOrg" class="icon-tw"></a><a href="https://www.linkedin.com/company/firstdotorg" target="_blank" title="FIRST.Org at LinkedIn" class="icon-linkedin"></a><a href="https://www.facebook.com/FIRSTdotorg" target="_blank" title="FIRST.Org at Facebook" class="icon-fb"></a><a href="https://github.com/FIRSTdotorg" target="_blank" title="FIRST.Org at Github" class="icon-github"></a><a href="https://www.youtube.com/c/FIRSTdotorg" target="_blank" title="FIRST.Org at Youtube" class="icon-youtube"></a><a href="/podcasts" title="FIRST.Org Podcasts" class="icon-podcast"></a></div> <p><a href="/copyright">Copyright</a> © 2015—2025 by Forum of Incident Response and Security Teams, Inc. All Rights Reserved.</p> </div> <p><span class="tlp"></span></p></div></div></footer><script nonce="MhBvYqVN5eUmY6yt3KyUBg" async="async" src="/_/web.js?20250108234724"></script><script nonce="MhBvYqVN5eUmY6yt3KyUBg" async="async" src="/_/s.js?20250103-103952"></script></body></html>

Pages: 1 2 3 4 5 6 7 8 9 10