[Owasp-leaders] Branding rules

Jim Manico jim.manico at owasp.org
Thu Nov 13 13:33:21 UTC 2014


Dr. Wetter,

I think your concerns are very important and appropriate. Thank you for
bringing this up. May I suggest that you form a working group or simply
make direct suggestions to the board and we can consider and vote on your
proposed changes?

The Apache Foundation has a trademark guideline that is worth reviewing in
your research. http://www.apache.org/foundation/marks/

ISSA is even more strict:
1.1.3.3 Use of the Logo by Other Organizations

The official ISSA logo may not be used by any other organization without
the express written consent of the ISSA International Board.


ISC2 forbids the use of their marks on any product material.
https://www.isc2.org/uploadedfiles/(isc)2_public_content/legal_and_policies/logoguidelines.pdf

I am sure we can find many other examples to consider when maturing our own
policy.

It would be a great help to the foundation if you could lead an effort to
suggest changes to the board.

Thank you Dr. Wetter,
--
Jim Manico
@Manicode
(808) 652-3805

On Nov 13, 2014, at 8:43 PM, Dirk Wetter <dirk at owasp.org> wrote:


Hi folks,

I find it quite important that our branding rules
https://owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES
are clear. But IMO they are not and for my taste they are way too relaxed.


In detail:

--
3. OWASP Brand may be used by OWASP Members in good standing to promote a
person or company's involvement in OWASP.
--

Isn't this a conflict with a commercial endorsement? How is an involvement
defined and who defines it? And what is allowed: To put a company logo on
the OWASP web site or an OWASP logo on the company's web site? Or may I as a
consultant and OWASP member put an OWASP logo on my commercial web site --
not that I want to.

Let's say an employee of company A edits the OWASP website and as a
consequence puts an OWASP logo on their website. Pretty good marketing,
right? What about companies who do a bit more than this: are they allowed
to do the same? Or is another company B allowed to hand out flyers or other
materials with an OWASP logo on it?

Here the circumstances are not clear to me, as well as the definitions
of "good standing" and "involvement". And it goes way too far for me.

--
4. The OWASP Brand may be used in association with an application security
assessment only if a complete and detailed methodology, sufficient to
reproduce the results, is disclosed.

So a commercial pentesting company or a vendor which sells a product (black
box scanner) or a similar SaaS service may use the OWASP logo if they match
the condition of "a complete and detailed methodology"?

That is IMO too much for me too.


--
5. The OWASP Brand must not be used in a manner that suggests that The
OWASP Foundation supports, advocates, or recommends any particular product
or technology.

On one hand that might clarify the points above a bit -- but still leaves
room for interpretation.
So, is one allowed to use the OWASP logo or not? I would read this that
using an OWASP logo on a commercial web site suggests that OWASP Foundation
supports, advocates, or recommends something and thus it is not allowed.
A sales guy may read this differently.

That appears not clear enough to me. And: I believe we shouldn't allow the
usage of the OWASP logo on commercial web sites at all.


--
6.-8.
The OWASP Brand must not be used in a manner that suggests that a product
or technology is compliant with any OWASP Materials other than an OWASP
Published Standard.
The OWASP Brand must not be used in a manner that suggests that a product
or technology can enable compliance with any OWASP Materials other than an
OWASP Published Standard.
The OWASP Brand must not be used in any materials that could mislead
readers by narrowly interpreting a broad application security category. For
example, a vendor product that can find or protect against forced browsing
must not claim that they address all of the access control category.

Those three actually narrow the usage -- which is in principle not bad --
however OTOH the narrowing suggests to me that everything else would be
allowed.


Am I missing something or is it just me (language problem)?



Cheers, Dirk




-- 
German OWASP Board, (Chair AppSec Research 2013, German OWASP Day 2014)
Send me encrypted mails (Key ID 0xB818C039)
