[GPC] [RFC] Note for Leaders: Project Health Benefits - Using the "OWASP" Name

Jason Li jason.li at owasp.org
Wed May 20 13:45:41 EDT 2009

Hey guys,

Here's an email that I drafted that I'd like to send to the leaders
list. Thoughts?

-Jason Li-
-jason.li at owasp.org-


The last couple of weeks, the GPC has gotten several angry emails from
various project owners in response to some of the initiatives that the
GPC is undertaking.

As you are hopefully aware, the GPC is trying to increase the quality
of all OWASP projects by establishing a level of consistency and
organization across our projects.

What I'm gathering from this trend of pushback though is that while
people generally agree with the direction we are trying to go in
raising the quality of OWASP projects, there are people who don't want
to be subject to any "bureaucratic" rules. In a sense, there's kind of
a "not in my backyard" mentality: everyone agrees that the quality of
OWASP projects needs to be improved but when it comes to their
specific project, the rules need not apply because they are going to
release something "soon", or they are a long time OWASP contributor,

As such, I think we're going to be facing a crossroads - people still
want to contribute, but there will be a subset of those people who
don't want to do what is necessary to be consistent with a high
quality OWASP project.

Right now, we don't really have any carrot/stick to encourage project
owners in the direction towards quality. The GPC is working on a
proposal to encapsulate project health, which establishes three
"levels" of quality for projects (see
https://www.owasp.org/index.php/Assessing_Project_Health). We expect
most projects to reach Level 2 status with a small set of projects
reaching Level 3 status.

The motivation for project owners to move from Level 2 to Level 3 is
that we intend to prominently highlight projects that reach Level 3 on
the OWASP site. But right now, we have no motivation for project
leaders to proceed to Level 2.

As I was going through the project surveys, it occurred to me that an
overwhelming number of projects call themselves the "OWASP XYZ". I'd
like to propose that a project can't include the OWASP "name" until
they reach a certain quality level.

The OWASP "name" is something that belongs to the OWASP Foundation so
it is something that we (as the community) can legitimately "control".
It's also something important that we should protect because any
project bearing the OWASP name reflects the OWASP brand and if the
quality is not up to par, then it damages the perception of OWASP for
all projects.
