Tuesday, 2 April 2013

Proposal: Remove all commercial/non-OWASP logos from OWASP.org

Following the recent threads about the commercialization of OWASP, I think the time has come for a simple move that will be a little bit painful, but will clear the water and send a nice big message about what OWASP stands for.

Remove all commercial/non-owasp-projects logos from OWASP.org
This move has a lot of advantages:
  • it is generic so it doesn't single out anybody
  • it can be done since there are no 'real' contractual obligations for OWASP to put company XYZ's logo on the OWASP site
    • note that OWASP can change the contents of any content/text hosted on owasp.org, as long as the changes are released under a compatible license :)
    • in fact anybody can start the http://owasp-without-logos.org site with all content from owasp.org, except the 3rd party logos
  • it will push the cases where sponsor logos are expected to exist to be placed in separate/dedicated 3rd party websites (like what happens with AppSec conferences)
    • and if there ARE exceptions, they should be treated as one-off exceptions (and be fully documented)
  • it will stop the current 'F1/NASCAR logo parade' that is the OWASP main page, and some of its projects
  • it will stop the nasty and non-productive "hey that company shouldn't have their logo in that project" threads
  • it will send a strong message that OWASP is about sharing information and all information/tools/projects that are 'donated' to owasp are supposed to be shared in a no-strings/logos attached mode
  • it will clarify that the OWASP logo, name, tools and content CAN be used in commercial situations, as long as it is done outside of OWASP.org
  • it shows a sign of maturity for OWASP, where OWASP doesn't need (anymore) to sell a bit of its soul in exchange for good content and tools
  • it shows that OWASP's value to the corporate sponsors is NOT a logo on owasp.org, but the amazing value provided by the multiple OWASP activities, events and projects.
  • it shows that OWASP can learn from others, and in this case, follow (as Jim recommended) the Apache foundation example (see http://www.apache.org/foundation/marks/responsibility.html )
There are a couple of disadvantages:
  • Some OWASP leaders and supporting companies will be annoyed and feel that 'OWASP changed the value-added they would get by contributing to OWASP'
  • Some OWASP corporate sponsors might even be so angry that they don't renew their annual membership
  • Some OWASP leaders might be so annoyed that they stop contributing at all to OWASP
  • This is one of those issues that has the potential to generate a gazillion emails, with lots of opinions and no decisions in the end. Btw, the faster 'a' decision is made the better (Yes or No).
I believe that OWASP today (April 2013) is in the perfect situation to make this move. There is enough money to sustain any financial loss (which I don't think will happen) and the OWASP projects are still in a state where a drop of a couple of OWASP leaders wouldn't have a dramatic effect (which again I don't think will happen).

So what do you say, fellow OWASP friends, should we make this jump?

My vote is YES, let's get rid of the commercial logos in OWASP and start a new generation of OWASP content and tools.

Dinis Cruz


Michael Coates said...

"it can be done since there are no 'real' contractual obligations for OWASP to put company's XYZ logo on the OWASP site "

For completeness, please note that the above statement is not correct. This type of change would require a change in membership benefits and would take about 1 year to be realized.



You can also view the OWASP operating budgets here:

It would be good to understand the impacts on income and operating expenses. Does this mean OWASP loses X dollars and can no longer fund activity Y? Or, perhaps the logo placement is not a key item for corporate members and there is little impact.

None-the-less, important questions to consider.

Anonymous said...


As always I am behind the time, but what is the summary of the problem today? Like most online projects it's the Pareto principle of contribution, i.e. a few will do most of the work. By having banner advertising you give the ones that will never do work an ability to contribute with cash. Is that causing real issues? Isn't it best to let that roll on?

Dinis Cruz said...

Michael: My view is that we/OWASP should just do it, and see if any OWASP member sues OWASP for breach of contract. Maybe (proactively) we could even offer existing members a refund (if they want to).

BTW, I would be very surprised if any OWASP corporate member actually did that, especially if the change is applied globally and consistently.

Mark: I think that was more true in the beginning of OWASP than now. The 'over commercialization' of OWASP has kind of been an issue for a while, and (for example) there have been a number of 'very non productive' OWASP Top 10 related threads about the use of logos on the final document.

My view is that it is time that OWASP takes a strong stand on its openness and independence.

And if having a logo on OWASP's website/project is the only reason why a particular company is involved in OWASP, maybe 'losing' those contributions is not a big problem.