[Owasp-leaders] New supporter logos

Dirk Wetter dirk at owasp.org
Wed May 18 22:41:26 UTC 2016

Hi all,

I am not often writing to the leaders list. Time has come though to share concerns with you.

My trigger is the new supporter logo "strategy" which became public today:

I considered the OWASP logo as our core value. It represents OWASP's good
standing. A lot of people in the community contributed to build up our reputation
and -- as a consequence -- to our brand. That is good. Most of the contributors
were altruistic. That's how I understand Open Source.

Now it looks to me we are giving our good standing away instead of putting strong controls
on it. First question: Why do we need to do this? Is this because we feel the need to
get more people to OWASP and we are somehow blindfolded not able to
look at the consequences of a logo distribution? Or are there commercial interests ruling here?

Worse: the branding guide (https://www.owasp.org/index.php/Marketing/Resources#tab=BRAND_GUIDELINES)
is more or less still the same. I had some discussions warning that we should fix the bugs in the branding guide
first before doing this. Heck, we don't even have a trademark policy yet, no legal constraint [1]

This is quite the opposite of the speaker agreement -- by the way.

To go into detail (attention, sarcasm)

5. The OWASP Brand may be used in association with an application security assessment only if a complete and detailed methodology, sufficient to reproduce the results, is disclosed.

==> Cool, OWASP allows me to put their logo on my pentests. That certainly sounds good for my customers also if I
  present BS to him (well, if I care, I could describe the complete and detailed methodology -- but who cares! Nobody
  can control it as my customer will certainly have no interest to publish my report with his bugs)

BTW: This could also be applied for tools.

3. The OWASP Brand may be used by OWASP Members in good standing to acknowledge a person's involvement in or a company's support of OWASP.

==> C00l. I edit the wiki, change a letter and I can use the OWASP brand on my website to promote my business.
       Or I write a mail to the leaders list. Heck, in fact, as I am on this list, I made it and can use the OWASP logo everywhere!!!

BTW: If a local chapter has corporate sponsorships like the global ones, vendor XYZ purchases this sponsorship
for ten bucks, getting a logo in return and next exhibition he puts this as a sticker to his WAF. W00t!

1. The OWASP Brand may be used to direct people to the OWASP website for information about application security.
2. The OWASP Brand may be used in commentary about the materials found on the OWASP website.

==> 1337! I can still use the logo on my commercial web site. My idea here is to sell a service or a product. But
       if anyone reads it of course I will argue that I only intended to point to OWASP.

Hopefully you got the message without feeling offended.

To make this clear: I will rather swallow my keyboard instead of doing this. In fact I am trying to fight those
cases but to me it seems that either nobody is listening or OWASP became a vendor driven organization.

As a consequence I am afraid if we don't agree on a strong logo / trademark policy we are commercializing more and more.
Where is "my OWASP" I used to love?


[1] Even ISACA has stronger usage rules of their brand (not talking about materials!):

German OWASP Chapter Lead
Send me encrypted mails (Key ID 0xB818C039)
