Talk:Summit 2011 Working Sessions/Session090

OWASP Licensing FAQ (Frequently Asked Questions) -- Deliverable 1 from OWASP Summit meeting in Lisbon 2011

Disclaimer: The following is not legal advice. It is highly recommended for a licensed lawyer to review your specific situation and ascertain all relevant issues when selecting and understanding license agreements.

1. Who own the content and code submitted to OWASP? a. The author of the submitted code or content owns the code. However, the author submitting the creative work agrees to open source their work under an approved open source license. The author also has the option of completely assigning all rights in his work to OWASP. Under copyright law the author of a creative work gains copyright protection once the creative work is put into a tangible form.

2. Can I take back from OWASP the code/documentation I had previously submitted? a. Technically no, because you open sourced your code/documentation. However, you can fork your documentation/code and close source your additional changes as the owner of the original documentation/code.

3. Does OWASP require you to share back your changes? a. It depends on the license associated with the code/documentation you are modifying. Some licenses require you to share back any code changes the instant you make then. Other licenses require you to use the same license as the parent code/document which you used. Some are triggered upon distribution and others are triggered on modification or use.

4. What is the default license for information posted on the OWASP wiki? a. Creative Commons 3.0 SA Attribution

5. Can you override the default license which OWASP runs under? a. Yes, but you have to follow the directions in the license you are selecting to abide by the selected license. If the license you selected for your code/document does not include placement directions. Add a license section in the header comments of a code file or the appendix of a document.

6. Which license should I use if I want to give enterprises free will to build products on top of your submitted code or make and use changes to your submitted documents? a. BSD

7. Which license should I use to control distribution, sale or modification of the submitted code/documentation? a. It depends on the limitations you want to enforce in your submitted code/documentation. So read the license and talk to an attorney to understand what you are getting into. Remember that the more restrictive the license then the less likely that an enterprise will want to use it.

8. Is it possible to change my license after my document/code is released to the public? a. If you are the sole contributor for the document/code then you can make changes to the license at any time. If there are multiple contributors to a document or code base you will need go get agreement for the license change from all contributors.

OWASP Licensing Issues to Consider -- Deliverable 2 from OWASP Summit meeting in Lisbon 2011

1. Should we require contributors to completely assign their rights to OWASP. During the meeting it was mentioned that Apache does this and it makes changing licenses and other management functions easier.

2. How should we deal with a multi-contributor document or code base where there is a lack of agreement for license types or other things requiring a unanimous agreement.

3. I thought that the choice of licensing by owner was open to any open source license. Should we limit the options?

4. It was determined that the major issue with enterprise adoption of OWASP documents was the requirement to open source/share back any derivative documents upon use (older licenses) or utilize the same or similar open source license upon distribution (Creative Commons 3.0 SA Attribution). Can we clarify the meaning of “distribution” such that the passing of derived works to partners or affiliates does not constitute public “distribution” under Creative Commons 3.0 SA Attribution)?

5. Can we have a licensed attorney review the licenses in question to ensure that there are no hidden issues with OWASP licensing? For example, to discuss if C.C. Share Alike 3.0 SA Attribution is the correct license for OWASP documentation. Also to see if there is a process which can be used to update older document licenses (such as giving contributors notice and opportunity to object to license changes)

6. Is there any difference with international contributors as to copyright and ownership rules?