Changes to Guidelines Wording
Add the following:
"The OWASP name and logo is the property of the OWASP Foundation. The right to use the logo is granted as long as the following guidelines are followed. The right to use the OWASP brand may be revoked at any time."
Current Wording of guideline #3:
"3. The OWASP Brand may be used by OWASP Members in good standing to promote a person or company's involvement in OWASP."
We propose changing the wording of guideline #3 to:
"3. The OWASP Brand may be used by OWASP Members in good standing to acknowledge a person or company's support of The OWASP Foundation."
We updated item 4 as follows, adding information for external events to the original wording:
"4. The OWASP Brand may be used to indicate that OWASP is a host or sponsor of an event for internally produced events or for sponsored and partnered events with a signed agreement."
We added the word "endorses" under item 6 so that it now reads:
"6. The OWASP Brand must not be used in a manner that suggests that The OWASP Foundation supports, advocates, endorses, or recommends any particular product or technology."
Need to review purpose of #9.
Remove "based on personal desire."
Add right to request removal on noncompliant images.
Remove references to OWASP Published Standard.
We also added a Non-Endorsement statement as follows:
Statement of Non-Endorsement
OWASP does not endorse any product, services or tools. The following disclaimer/About OWASP text can be used in projects or press releases that reference external products, services or tools:
About the OWASP Foundation: The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. You'll find everything about OWASP linked from our wiki and current information on our OWASP Blog. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide. We ask that the community look out for inappropriate uses of the OWASP brand including use of our name, logos, project names and other trademark issues.
Suggested rewrite of this statement:
Statement of Non-Endorsement
OWASP does not endorse any product, services or tools. The following disclaimer/About OWASP text can be used in projects or press releases that reference external products, services or tools. We ask that the community look out for inappropriate uses of the OWASP brand including use of our name, logos, project names and other trademark issues.
About the OWASP Foundation: The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. You'll find everything about OWASP linked from our wiki and current information on our OWASP Blog. OWASP does not endorse or recommend any product or service. This allows our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide.
I (Dirk) would suggest completely rewriting this:
The OWASP logo (future: is a trademark and) is the property of the OWASP Foundation.
- OWASP logos must not be used by individuals or organizations to promote commercial products, services, or events such as conferences, courses.
- OWASP logos must not be used in a manner that suggests that The OWASP Foundation supports, advocates, endorses, or recommends any particular product, services or technology.
- OWASP logos must not be used in a manner that suggests that a product or technology is compliant with any OWASP Materials.
- OWASP logos must not be used in a manner that suggests that a product or technology can enable compliance with any OWASP Materials.
- OWASP logos may be used by special arrangement with The OWASP Foundation. Requests to use OWASP logos should be directed in writing to <fillinmailaddresshere>. Requests will be evaluated on a case-by-case basis by a compliance team.
- The special arrangement can be withdrawn by OWASP at any point of time.
Legally this needs to be accompanied by a TM but it would be great if at least one step would be tackled in the next days.
See the whole discussion threads on abuse on the leaders list from April 2016 on. We really need to make sure that vendors and others don't use the good name of OWASP for their own marketing.
- Without commenting on the substance of the proposed edits, we need to include the following -Tiffany Long
"name" should accompany logo as we should also TM our name.
Trademark Application Update and Summary
The following letter was sent to the board regarding the current state of OWASP trademarks and branding policy:
I wish to start by apologizing for the overwhelming length of this email. I have enumerated my points to make discussion easier.
The status of our Trademark (TM) application is that we were refused TM protection with the opportunity to submit further documentation before 11/26/16 to prove we meet the standard for protection. This should be relatively easy and should be done in the next few months rather than waiting. The first part of this email is an explanation of how to move forward with the application as well as a number of suggestions for tackling TM related issues.
CURRENT TRADEMARK APPLICATION
1) I want to start by noting that the easiest way to make a case for TM protection is for the mark to be used BEFORE starting the TM process. This is especially important in the case of OWASP which will be making some tough arguments for some of our marks (namely the full name of the organization--"Open Web Application Security Project"--as explained below). The process for TMing unused marks essentially requires that OWASP have the recognition of a major household brand. As I will explain later, we have already hit a roadblock based on the niche nature of our work.
Some in our community have been upset that some of our marks have been used without protection (among other branding concerns). My first suggestion is that we respond to these community members and let them know that using the marks BEFORE starting the TM process is a legal requirement and not a move to ignore community concerns. I also suggest that we communicate the requirements more clearly in the future when we TM other things (I am thinking some of our flagship projects to prevent knockoffs or scams should the community think that is a concern). I want to underscore that it is good that the community is so invested in this discussion not only because it is a sign of the health of the institution but also because if we do not defend our TM we will lose it.
2) There were two problems with our application. The first was confusion regarding the definition of "Specimen." This is easily corrected by attaching an example of the mark when being used to identify our work (not a logo for advertisement but actively doing its job of proving the item or service is a product of OWASP). A shot of it on the website or with our advertising information for a conference should work. As would a picture of it on a book. It would have to have been in place before we applied though.
The second issue is that we either need to disclaim our name in its written form or fight to TM it as well. Disclaiming it means that it is not part of the trade mark and that while we own the name in whatever state we are registered in, we do not own it elsewhere. We should avoid this if at all possible.
I think we have a moderate chance at trademarking it using a secondary case though. The name was denied because it is descriptive of what we do rather than unique. Making a secondary case entails making the case that while, yes, the words "Open Web Application Security Project" are descriptive of what we do (the way "House Cleaner" is a descriptive name for a company that cleans houses), when it is used in context of the cybersecurity industry everyone knows they refer to us and not just any generic open source application security project. I think we can build a case on the PCI recognition of us by name as well as many large companies such as IBM.
3) Because of the concerns regarding our TM arising in Germany, I think we also need to talk about international TM law. The American TM we are applying for will protect us in America but not outside of the country. Because OWASP is a global entity we should protect ourselves internationally. The first step to doing this would be applying through the MADRID PROTOCOL. The Madrid Protocol is an international treaty that allows existing TMs to apply for protection in most of Europe (including all of the EU), the US, Russia, China and Australia all at once. For future applications we can even simply apply through the Madrid Protocol first rather than going through the US first.
Furthermore, the Paris Convention is a treaty that ensures that within 6 months of being granted a TM in any of the 188 member states one can apply for a TM in the rest of the member states without fear of competition---leaving us vulnerable in only 8 countries (for those 6 months). This time can be used to discuss what other areas we wish to get protection in. There are 2 African treaties covering most of that continent and several regional Asian coalitions. Latin America is segregated by state however.
I strongly suggest we hit several birds with one stone using the Madrid Protocol and discuss our options for the rest of the world during our grace period granted by the Paris Convention.
4) We should also strongly consider TMing "OWASP." It is how most people refer to us and it borders on a "fanciful" case usage (easier to prove that it refers to us specifically due to the meaninglessness of the word). We have a much stronger case for this mark. If needed we can reach to the secondary case usage due to IBM, PCI, and others recognizing us by it.
We should also talk about TMing the supporter logo; as a symbol of our institution it should be trademarked to make cease and desists easier. To do so it needs to be used first. Same with marking ZAP and other flagship projects that might be imitated in a malicious manner. I suspect this last suggestion will be most contentious, but it is not contrary to open source and it just means that we can ensure when people download our products or go to a service we provide they know they are dealing with us and not imitators. I think of Linux, Mozilla, Apache, and Red Hat as examples of this usage.
5) We can add "TM," "SM," or the "R" in a circle prior to being granted to any mark, but it is not necessary. Doing it prior may prevent others from applying for similar marks while we try to make the case for ours and gives superficial protection from companies who might wish to misuse our brand, that would be its only protection. We also do not need to add "TM" or the others to our marks after we have a TM if we do not choose to, but we do need to defend against misuse when we find it.
Trademarks are lost if the owner does not protect them. The strongest protections we can have are to have strong brand guidelines in place BEFORE we finish the application process. My experience here comes largely from the American Red Cross which has one of the strongest and most recognized brands in the nonprofit arena due largely to their phenomenal brand management.
Use cases for our marks are going to be the most strongly debated aspect of our brand guidelines. Frankly this is as it should be and I will not address that conversation here except to say that they should be tightly defined. While openness is the best environment for OWASP to grow and build neat things, the OWASP brand should be tightly controlled to prevent misuse and confusion. As use case guidelines are more marketing in nature it should be treated as a separate but related conversation.
OWASP may also want to look into a uniform naming convention for our project titles or logos. This is not necessary, but it will help with confirming OWASP's presence as a thought leader (in the marketing sense) and future TM issues. It will also help developers reaching out to learn more on their own recognize OWASP and OWASP sources.
Finally we need a well defined system for addressing misuse. This should include but may not be limited to 1) who to report misuse to for investigation; 2) how to first address it (The first and second communications should always be friendly and from OWASP not a lawyer.); 3) how the incident is escalated; and 4) how to document the process and store the information in the future.
A) Revise the current trademark application.
B) Apply for TM protection through the Madrid Protocol.
C) Move forward with the application for the name "OWASP" and the supporter logo.
D) Confirm the logos with the flagship projects and some of the other high visibility projects (like Cornucopia) and submit the applications to protect those logos on behalf of the projects as well.
E) Immediately have Hugo add the TM symbol to the circle logo, the header logo, and the supporter logo as well as any other logos/names OWASP may want to TM.
F) Work to clarify the existing branding guidelines based on feedback from the community.
G) Work to decide on whether to trademark outside of the Madrid Protocol (I suggest we do to some extent) and prioritize the order with the community.
Tiffany Long, OWASP Global Community Manager
Use clear IP guidelines
We should work towards creating a page like this: http://www.isaca.org/about-isaca/licensing-and-promotion/pages/ip-guidelines.aspx
Note the following:
- What are the basic rules for usage of ISACA’s trademarks?
To the extent that a name or logo does not appear on the above list this does not constitute a waiver of any of the intellectual property rights that ISACA has established in any of its products, service names or logos.
ISACA trademarks may not be used by individuals or organizations to promote events such as conferences, review courses, consulting services or commercial products and services. Such use of these trademarks may falsely imply an endorsement or approval of the product or service by ISACA. For fair use (under trademark laws) or other truthful references that are not likely to cause confusion as to any association, sponsorship, affiliation, or endorsement by ISACA no permission is required. Requests to use ISACA trademarks should be directed in writing to IPinfo@isaca.org. Requests will be evaluated on a case-by-case basis.
- May an ISACA member use an ISACA logo to promote his/her company?
Generally no, with the exception for certifications described below. Please note that an individual’s membership in ISACA does not include or accrue to his/her company. A member’s use of the logo in connection with his/her business may cause people and organizations receiving the member’s promotional materials to believe mistakenly that the member’s company and its products or services are affiliated with or endorsed by ISACA. Such statements misrepresent an individual or enterprise as having a relationship that does not exist.
Projects like Top 10 and Benchmark have been misrepresented, so up to a certain level, we should also imply that using OWASP projects to promote a company is not done. Vendors should not use OWASP logos or OWASP projects to promote their companies or consulting services in any form that implies any kind of endorsement.
With the introduction of the 'supporter logo' it should also be strictly defined in which form this should be used.