[Owasp-codes-of-conduct] Statement of compliance

Colin Watson colin.watson at owasp.org
Thu Sep 1 03:50:00 EDT 2011


Regarding "some organizations might decide they do everything we
suggest, and we might want to state a form of words for any statement
of adoption" and your reply:

On 27 July 2011 21:12, Jason Li <jason.li at owasp.org> wrote:
> Regarding the last bullet, perhaps we can add one guideline to each code of
> conduct that reads something akin to:
> "Organizations SHOULD clearly communicate that they are in full or partial
> compliance with this Code of Conduct"
> With some word-smithing and explanatory text of course...
> -Jason

I have been thinking about this and want to make sure we don't create
a problem of OWASP brand abuse.


Some people might write:

   "XXX complies with OWASP's codes 100%"

   "XXX is OWASP code compliant"

   "All XXX's training is undertaken under the terms of the OWASP
Code of Conduct on YYYY"

Perhaps we would have to be more explicit in what people can say, and
therefore put this on the project pages, rather than in the codes -
just refer to the wiki from those?

"The OWASP logo cannot be used.  Organisations that comply with all
the mandatory aspects should assess themselves against the criteria at
least bi-annually.  A statement of the following format can be used:

  XXX supports and adheres to the mandatory components of the OWASP
Application Security Code of Conduct for YYY version 1.2 (link).

  ( AND optionally:

    XXX has also adopted optional recommendations A & C in the code. )

  This has been self-assessed on DATE.
  This has been independently verified by ZZZ on DATE.


  OWASP does not endorse or recommend commercial products or services."

A bit wordy, but I think we need to be more prescriptive.
