[Owasp-leaders] Suggestion of better brand guidelines

Tiffany Long tiffany.long at owasp.org
Mon Jun 20 17:08:12 UTC 2016

Hello Larry!

I totally understand your concerns.  OWASP is an open source community
dedicated to the results of our projects and outreach.  Anything that takes
away from this would not be serving the community.  That is why I propose
that we update our guidelines and simply make sure that our codified
process for protecting our brand represents our needs and protects the hard
work of our volunteers.  With this in place the work of defending our brand
will be less time consuming as we will have legal protections and a process
that will reach for the law after several other steps have been taken.
Right now we don't actually have trademark protection and our marks can be
used unscrupulously until we do.

Furthermore, as you have seen from the co-branding work done by Kelly
Santalucia, having our brand out there and recognized helps evangelize our
message as well as bring new volunteers into our fold. Overall, this
process will help lead to further engagement and mitigate the risk of our
volunteers' work being used improperly or diluted by less quality products
branded improperly.

As to your enumerated questions:

1) No, absolutely not.  Branding helps us bring visibility to projects and
should a corporation use the marks inappropriately it helps us protect
them. The trademark does not interfere with licensing.  Think of it as
allowing us to protect our art and names. The actual product is not
affected except to allow us to ensure that the name is not used

2) I do not yet know the budget that will be allotted, but the cost will
depend on what we choose to TM, and where we choose to do it.  For the
first steps we will only require the cost of fees to apply for a TM and
time from me, a paid employee.  We do not need a lawyer for the concrete
steps I suggested. Volunteer input in the process will also be necessary to
make sure we accurately reflect the needs of the community.  We will do our
best to strike a balance to make the effort as productive and efficient as


On Mon, Jun 20, 2016 at 6:58 AM, johanna curiel curiel <
johanna.curiel at owasp.org> wrote:

> Hi Larry, Dirk
> I offered my support for this part to define clear policies with no cost
> at all. I have access to legal support and can help provide this.
> The steps taken by Stephany are the right ones toward protection of the
> brand but it is necessary to define better policies and process towards
> protection of brand abuse.
> In the end it is about misrepresentation. Do we want vendors to use OWASP
> logo in a way that should indicate endorsement?
> I don't think so especially when we proclaim, being vendor neutral and
> using the OWASP logo in commercial vendor activities to promote business or
> commercial activities should be clearly stipulated to avoid this:
> http://www.acunetix.com/blog/articles/owasp-top-10-2010/
> especially this:
> https://pbs.twimg.com/media/CVO0vmSW4AAgZ6M.png:large
> and a page that cannot be found after Dirk mentioned the abuse on twitter:
> https://twitter.com/drwetter/status/733744181340962816
> While I agree with many things you mentioned regarding lack of engagement,
> I think at this point of time OWASP has a brand to protect and should not
> really worry about lack of engagement and should establish clear policies
> regarding this.
> Protecting a brand when there has been clear abuse cases is not a waste of
> time, on the contrary, if we allow abuse, our vendor neutrality claims will
> go down the drain and lose credibility
> On Mon, Jun 20, 2016 at 8:48 AM, Larry Conklin <larry.conklin at owasp.org>
>> wrote:
>>> Is this really an issue that we need to drive time, and money towards?
>>> We have some much publicized cases in the past of abuse of OWASP name and
>>> branding being used by commercial security vendors. This is not what we
>>> want as a community when we put volunteer hours into something and then
>>> have a commercial enterprise try to make money for themselves. I appreciate
>>> and support not wanting this type of abuse.
>>> My fear is that we are overreacting to brand abuse with a knee-jerk
>>> reaction. Yes, we have had complaints. The community and board so far have
>>> been able to resolve these. Now we want more policies, attorneys'
>>> involvement, additional overhead and expenses? What will that really give
>>> us? Our focus should always be on Application Security and being an open
>>> organization.
>>> *Don’t fear lack of control. Fear lack of engagement. Lack of engagement
>>> is our greatest weakness. Money and time should go towards projects not
>>> more policies, legal fees, etc.*
>>> If we are not careful we might back ourselves into a corner. The end
>>> result could be a less open organization, more policies, with less money
>>> going towards projects.  In the past we have been able to resolve branding
>>> abuse with community and board working together.
>>> Open questions to community manager and board.
>>>    1. Does branding, logos, trademarks registered to OWASP take any
>>>    rights away from project leaders or projects being open source?
>>>    2. How much money is being budgeted for legal, etc. fees for
>>>    branding, logos, and trademarks?
>>> Larry Conklin, CISSP
>>> On Mon, Jun 13, 2016 at 1:55 PM, Dirk Wetter <dirk at owasp.org> wrote:
>>>> BTW, I added my suggestion to the discussion/talk section.
>>>> https://www.owasp.org/index.php?title=Talk%3AMarketing%2FResources&diff=217765&oldid=210932
>>>> Cheers, Dirk
>>>> On 06/06/2016 at 05:33 PM, Dirk Wetter wrote:
>>>> > Hi Liam and all,
>>>> >
>>>> > On 05/20/2016 at 06:38 PM, Liam Smit wrote:
>>>> >> Hi Dirk
>>>> >>
>>>> >> On Fri, May 20, 2016 at 5:57 PM, Dirk Wetter <dirk at owasp.org> wrote:
>>>> >>
>>>> >>
>>>> >>     On 05/20/2016 at 05:07 PM, johanna curiel curiel wrote:
>>>> >>
>>>> >>
>>>> >> <snip>
>>>> >>
>>>> >>     > Abuses will happen where financial gain is. If putting this logo can help me sell...well you bet the first ones happy will be the vendors.
>>>> >>     > Contrast did that with OWASP benchmark publicising OWASP logo 'sponsored by' even the DHS logo.
>>>> >>     > https://twitter.com/jctechno/status/672079500033814528
>>>> >>
>>>> >>     Ok, a TM would have helped here maybe.
>>>> >>
>>>> >>
>>>> >>     But in general this is why I think giving away a supporter logo is not good either -- the
>>>> >>     only point where we have a different stance so far:
>>>> >>
>>>> >>     My firm belief is if you give away a logo you can't control the usage. It's like putting
>>>> >>     a vulnerable web application in the internet. Somebody will find and hack/abuse it. It also
>>>> >>     doesn't matter if a law is saying that it shouldn't be hacked [1]. Same with the logo.
>>>> >>     Giving a logo away is like announcing a vulnerable web app to all bad guys. So a supporter
>>>> >>     logo could be an invitation to abuse (ideas see my first mail).
>>>> >>
>>>> >>     Also I do not understand the point in the first place: Why do we want to give away a
>>>> >>     logo? What's our added benefit?
>>>> >>
>>>> >>     Thus I find a very strict logo policy accompanied with a proper TM the right thing to do.
>>>> >>     There's still potential for abuse but at least you did the best reasonably possible.
>>>> >>
>>>> >>     Look at ISACA. You can't use the logo without written consent by ISACA.
>>>> >>
>>>> >>
>>>> >> Why don't you put forward a strict logo use policy?
>>>> >>
>>>> >> Obviously it might not be adopted if most people prefer a looser logo usage policy but if you
>>>> >> don't put anything forward then I highly doubt anything will come of you merely stating your
>>>> >> preference for a strict usage policy.
>>>> >
>>>> > fair enough.
>>>> >
>>>> > Not so many people responded, so I wanted to limit my investment in terms of time.
>>>> >
>>>> > Suggestion:
>>>> >
>>>> > --snip
>>>> >
>>>> > The OWASP logo (future: is a trademark and) is the property of the OWASP Foundation.
>>>> >
>>>> > * OWASP logos must not be used by individuals or organizations to promote commercial products,
>>>> >   services, or events such as conferences, courses.
>>>> > * OWASP logos must not be used in a manner that suggests that The OWASP Foundation supports,
>>>> >   advocates, endorses, or recommends any particular product, services or technology.
>>>> > * OWASP logos must not be used in a manner that suggests that a product or technology is
>>>> >   compliant with any OWASP Materials
>>>> > * OWASP logos must not be used in a manner that suggests that a product or technology can
>>>> >   enable compliance with any OWASP Materials
>>>> > * OWASP logos may be used by special arrangement with The OWASP Foundation. Requests to use
>>>> >   OWASP logos should be directed in writing to
>>>> >   <fillinmailaddresshere>. Requests will be evaluated on a case-by-case basis by a compliance team.
>>>> > * The special arrangement can be withdrawn by OWASP at any point of time.
>>>> >
>>>> > --snap
>>>> >
>>>> > I was replacing brand by logo. I haven't seen @
>>>> > https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES
>>>> > any definition of the term "brand". If that would be clarified we could swap that back.
>>>> >
>>>> >
>>>> >
>>>> >
>>>> > Cheers, Dirk
>>>> >
>>>> >
>>>> --
>>>> German OWASP Chapter Lead
>>>> Send me encrypted mails (Key ID 0xB818C039)
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> --
> Johanna Curiel
> OWASP Volunteer