[Owasp-leaders] Branding rules

Dirk Wetter dirk at owasp.org
Thu Nov 13 14:30:10 UTC 2014


Dear Mr. Manicode,

for a working group there are momentarily not so many cycles left
for me. Maybe after German OWASP Day in December ...

I could help though collecting suggestions for the board. I found your
input a very good start but I hope there will be a bit more of
a discussion here! C'mon...

@all:

Thx, Dirk


On 11/13/2014 02:33 PM, Jim Manico wrote:
> Dr. Wetter,
> 
> I think your concerns are very important and appropriate. Thank you for bringing this up. May I suggest that you form a working group or simply make direct suggestions to the board and we can consider and vote on your proposed changes?
> 
> The Apache Foundation has a trademark guideline that is worth reviewing in your research. http://www.apache.org/foundation/marks/ 
> 
> ISSA is even more strict:
> 
> 
>       1.1.3.3 Use of the Logo by Other Organizations
> 
> The official ISSA logo may not be used by any other organization without the express written consent of the ISSA International Board.
> 
> 
> ISC2 forbids the use of their marks on any product material.
> https://www.isc2.org/uploadedfiles/(isc)2_public_content/legal_and_policies/logoguidelines.pdf
> 
> I am sure we can find many other examples to consider when maturing our own policy.
> 
> It would be a great help to the foundation if you could lead an effort to suggest changes to the board.
> 
> Thank you Dr. Wetter,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
> 
> On Nov 13, 2014, at 8:43 PM, Dirk Wetter <dirk at owasp.org> wrote:
> 
>>
>> Hi folks,
>>
>> I find it quite important that our branding rules https://owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES
>> are clear. But IMO they are not and for my taste they are way too relaxed.
>>
>>
>> In detail:
>>
>> --
>> 3. OWASP Brand may be used by OWASP Members in good standing to promote a person or company's involvement in OWASP.
>> --
>>
>> Isn't this a conflict with a commercial endorsement? How is an involvement
>> defined and who defines it? And what is allowed: To put a company logo on the OWASP
>> web site or an OWASP logo on the company's web site? Or may I as a consultant
>> and OWASP member put an OWASP logo on my commercial web site -- not that I want to.
>>
>> Let's say an employee of company A edits the OWASP website and as a consequence puts
>> an OWASP logo on their website. Pretty good marketing, right? What about companies
>> who do a bit more than this: are they allowed to do the same?  Or is another company B
>> allowed to hand out flyers or other materials with an OWASP logo on it?
>>
>> Here the circumstances are not clear to me as well as the definitions of "good
>> standing" and "involvement". And it goes way too far for me.
>>
>> --
>> 4. The OWASP Brand may be used in association with an application security assessment only if a complete and detailed methodology, sufficient to reproduce the results, is disclosed.
>>
>> So a commercial pentesting company or a vendor which sells a product (black
>> box scanner) or a similar SaaS service may use the OWASP logo if they match
>> the condition of "a complete and detailed methodology"?
>>
>> That is IMO too much for me too.
>>
>>
>> --
>> 5. The OWASP Brand must not be used in a manner that suggests that The OWASP Foundation supports, advocates, or recommends any particular product or technology.
>>
>> On one hand that might clarify the points above a bit -- but still leaves room for interpretation.
>> So, is one allowed to use the OWASP logo or not? I would read this that using an OWASP logo on
>> a commercial web site suggests that OWASP Foundation supports, advocates, or recommends something
>> and thus it is not allowed. A sales guy may read this differently.
>>
>> That appears not clear enough to me. And: I believe we shouldn't allow the usage
>> of the OWASP logo on commercial web sites at all.
>>
>>
>> --
>> 6.-8.
>> The OWASP Brand must not be used in a manner that suggests that a product or technology is compliant with any OWASP Materials other than an OWASP Published Standard.
>> The OWASP Brand must not be used in a manner that suggests that a product or technology can enable compliance with any OWASP Materials other than an OWASP Published Standard.
>> The OWASP Brand must not be used in any materials that could mislead readers by narrowly interpreting a broad application security category. For example, a vendor product that can find or protect against forced browsing must not claim that they address all of the access control category.
>>
>> Those three actually narrow the usage -- which is in principle not bad -- however OTOH the narrowing
>> suggests to me that everything else would be allowed.
>>
>>
>> Am I missing something or is it just me (language problem)?
>>
>>
>>
>> Cheers, Dirk
>>
>>
>>
>>
>> -- 
>> German OWASP Board, (Chair AppSec Research 2013, German OWASP Day 2014)
>> Send me encrypted mails (Key ID 0xB818C039)
>>


-- 
German OWASP Board, (Chair AppSec Research 2013, German OWASP Day 2014)
Send me encrypted mails (Key ID 0xB818C039)


