[Owasp-board] Additional Brand Abuse

Tobias tobias.gondrom at owasp.org
Fri Dec 5 18:23:55 UTC 2014

Maybe I am missing something, but I don't see a problem.

The web page only states that they are "scanning for OWASP Top-10", not 
that OWASP would certify or that their product would be an OWASP 
project.... And there is no claim that they find or fix all OWASP Top-10 
("...will scan your website for the OWASP Top 10 list of web security 
vulnerabilities, complete with a comprehensive compliance report for the 
most recent OWASP Top 10 List of Risks.")

So in fact, I don't think there is a violation and even more so I would 
want companies to refer to our Top-10 list, when they say they scan for 
something. That is the way, when you set the defacto standard for the 
industry. Naturally people refer to the standard. And we want people to 
refer to us. That way we help them to focus their efforts on the most 
important security problems and influence and promote our mission.

Just my 2cents.


On 06/12/14 01:07, Eoin Keary wrote:
> All the site is saying that they claim it scans for owasp top 10.
> Where is the issue??
> Sent from my iPhone
> On 15 Nov 2014, at 02:13, Jim Manico <jim.manico at owasp.org 
> <mailto:jim.manico at owasp.org>> wrote:
>> Folks,
>> When we do a google search for "OWASP" I see that Acunetix is 
>> advertising that they are scanning for the OWASP Top Ten. The ad 
>> links to 
>> http://www.acunetix.com/vulnerability-scanner/scan-website-owasp-top-10-risks/
>> I think this ad violates the following brand usage guidelines: 
>> https://www.owasp.org/index.php/Marketing/Resources#The_Brand_Usage_Rules
>> 5) The OWASP Brand must not be used in a manner that suggests that 
>> The OWASP Foundation supports, advocates, or recommends any 
>> particular product or technology.
>> 7) The OWASP Brand must not be used in a manner that suggests that a 
>> product or technology can enable compliance with any OWASP Materials 
>> other than an OWASP Published Standard.
>> and
>> 8) The OWASP Brand must not be used in any materials that could 
>> mislead readers by narrowly interpreting a broad application security 
>> category. For example, a vendor product that can find or protect 
>> against forced browsing must not claim that they address all of the 
>> access control category.
>> I would like to file this with our compliance officer, but I think he 
>> is over-burdened right now. Do you think this is a clear violation 
>> and if so, should we approach them in a gentle way with suggestions 
>> to correct this?
>> Aloha,
>> Jim
>> <Screen Shot 2014-11-15 at 10.05.36 AM.jpg>
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
>> https://lists.owasp.org/mailman/listinfo/owasp-board
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20141206/571973bd/attachment-0001.html>

More information about the Owasp-board mailing list