[Owasp-board] Information about OWASP China & SecZone

Sarah Baso sarah.baso at owasp.org
Wed Nov 23 14:30:39 UTC 2011

Kate -

Here is what I have learned about OWASP China and its "parent organization":

In China, OWASP is not a stand-alone legal entity. Instead, a non-profit
was formed with the name Security Zone (SecZone) to handle the OWASP
finances. Additionally, Ivy Zhang is a full time employee of SecZone who,
from my understanding, is paid to handle all things OWASP-related (OWASP
China chapters, projects, and conference).  So, they have a full time
employee dedicated to OWASP. That being said, the organization of SecZone
is not just OWASP - it is also an organization that promotes and
facilitates internet security research.

Here is more information on the organization:


From Ivy, I have attached the registration certification, tax registration,
and Organization code certificate. Ivy has translated the registration
certification as follows and I have asked for a translation of the other 2.

Non-enterprise Unit Registration Certification
Issuing authority: Bureau of Civil Affairs in Shenzhen Municipal
Issuing Date: Dec 7th, 2010
Expiring Date: Dec 7th, 2014
Name: Shenzhen Open Source Internet Security Research Center (Translated
according to the Chinese meaning. Its English name is Security Zone,
shortened as Seczone.)
Address: Room 1912, CEC Information Building East, No.1 Xinwen Road,
Shenzhen, 518034, PRC.
Legal representative: Zhenhua Wan (Rip Torn)
Registered capital: RMB 50,000
Unit in Charge: Shenzhen Science and Technology Association
Business Range: internet security research, implementing internet security
benchmark, making internet security standards in China.

About SecZone (English translation): Internet security research center
focused on cutting-edge Internet security technology research. Our mission
is to introduce, absorb, the purpose of innovation, constantly absorbing
domestic and foreign newest and most professional security technology, and
innovation applied to the various domestic industries, to promote domestic
Internet security technology.
Internet Security Research Centre for the industry's leading security
vendors and service providers to provide a neutral test security products
and solutions, businesses can securely over the Internet Research Center
analysis needs to choose their own products and solutions

From my perspective, if SecZone is a third party for handling money in
China, this isn't necessarily a problem... but I think we need to
investigate a bit more about the operation of things. Also, I think there
should be more transparency about how they are running things.  Ivy said at
the chapter leaders workshop that it is not possible for OWASP to become a
legal entity in China, and while I am not necessarily disagreeing, I would
like some insight into why this is.  Also, I think we should learn about
SecZone and where their funding comes from.

Ivy has told me that no membership fees have been collected by people
involved in OWASP China, but next year SecZone would like to start asking
for people who will pay for memberships (as we handle memberships here).
However, they will need to process the memberships in China through
SecZone and keep the money there.  Also, they have questions about whether
our liability insurance (or to what extent our insurance) applies to them.
I know for purposes of the conference, we explicitly signed a contract
with SecZone to handle finances:

Also, here are the documents I put together from the events in China
earlier this month:
Report on AppSec Asia 2011 event:

Meeting minutes from Chapters Workshop:

I think we should consider some sort of legal agreement expressly stating
what we (OWASP Foundation - US) are agreeing to and authorizing SecZone to
handle on our behalf.  Additionally, if Ivy IS exclusively handling OWASP
things in China, maybe we can find a better way to integrate her with our
operations team?

Ivy and the leaders of OWASP China are also considering how to structure
their OWASP Chapter(s) within China.  Right now they exist as one big
chapter consisting of mainland China (Hong Kong has its own chapter).  They
would like to break this up into possibly 5 different cities, but are
unsure on the best way to structure this... the two options seem to be:
1. Instead of 1 OWASP China-Mainland Chapter, we would have 5 smaller
chapters such as OWASP Beijing Chapter, OWASP City 2 Chapter, etc.  These
chapters would all exist in the same flat structure as the other OWASP
Chapters throughout the world.
2. OWASP China - Mainland continues to exist as a country-wide "board" that
oversees the smaller Chinese sub-chapters.  This is slightly
more hierarchical and apparently is the structure used in India (and Brazil
is also considering it).  The local chapters have leaders/boards and then a
national level board would resolve disputes and make other decisions.

Right now, option #2 is the preference of OWASP China - but they are open
to suggestion from us (or the Chapter Committee).

This is quite a bit of new information for me, and I expect for others as
well. I am not sure what our next steps are but at a minimum, I think there
is more information to be gathered to help us understand the full scope of
relationships and how we can better work together with them.


Administrator for
OWASP Global Conference Committee
OWASP Global Chapter Committee

Dir: 312-869-2779
skype: sarah.baso