This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit

OWASP Licenses

Jump to: navigation, search

OWASP and Licensing

The OWASP Foundation uses several licenses to distribute software, documentation, and other materials. Contact us for agreements concerning acceptance of materials from individuals and corporations, such as existing documents or software projects. These licenses help us ensure that OWASP projects are supported longterm, and the materials produced can be easily used and are free and open to everyone.

Use of the OWASP Brand

The use of the OWASP Brand is covered by the OWASP brand usage rules.

Licensing of OWASP Website Content

We welcome the use of OWASP website content. If you would like to use anything from the wiki in another work, you must follow the terms of the Creative Commons Attribution ShareAlike 3.0 license (CC-BY-SA). We strongly encourage organizations to use OWASP materials for their internal purposes. If you want to distribute modified OWASP materials externally, you must make them available under the CC-BY-SA license - preferably by making your improvements directly at OWASP. Thanks!

Licensing of OWASP Projects

All software, documentation, and other materials produced by The OWASP Foundation or any OWASP Project is licensed according to an open source license as defined by the [Open Source Initiative (OSI) organization]. For licensing questions, please contact us at [email protected].

In an effort to help OWASP Project leaders choose the appropriate license for their project, the Global Project Committee recommends the following open source licenses. Understand that these licenses are only recommendations and Project Leaders are welcome to use any [Open Source Initiative (OSI) organization] approved license they wish.

Why are you recommending these licenses?
Which other open source licenses are eligible for an OWASP project?

Choosing a license under which an artifact is distributed and enforcing the license are prerogatives of the copyright holders over that artifact. By default, each contributor is copyright holder over the contributed piece. Contributors must all agree on the license and cooperate in enforcing it or must assign their copyright to the entity which becomes responsible for choosing and enforcing the license.

OWASP is a collaborative initiative for the public good and most of its output is expected to be functional, rather than aesthetic. The problem OWASP tackles is so large that OWASP acknowledges a need to collaborate with the commercial world. Therefore, in order to become an OWASP Sponsored Project, you should be comfortable with:

  • Allowing arbitrary uses for your work, for example for commercial purposes. (If you disagree, consider using CC-BY-NC.)
  • Revealing to the world your project's source code (its form preferred for modification).
  • Allowing your work, under certain conditions (see below), to be modified by others and redistributed. (If you disagree, consider using CC-BY-ND.)
How to choose a license for artifcts of your OWASP project
Artifact Under what conditions can your work be modified and redistributed?
As long as modifications are licensed in the same spirit If credit is appropriately given to you Under any circumstances
Standalone Tool Run locally
GPL (newest version as of 2016 is 3.0)

The "General Public License" protects users' four essential freedoms, among other things by requiring someone who distributes software derived from yours to also publish the source code for the modifications. Anyone can charge money for distributing copies of the software, but cannot prevent its recipients from redistributing it for free. The GPL allows the copyright holders to distribute the software under additional licenses, too, which can be a way to make it proprietary-friendly.
Apache License (newest version as of 2016 is 2.0)

Has the fewest restrictions, even allowing proprietary modifications and proprietary forks of your project, and is more up-to-date than the BSD license.
CC0 (newest version as of 2016 is 1.0)

The "Public Domain Dedication" means that anybody can copy, modify, distribute and perform the work, even for commercial purposes, all without asking permission.
Consumed over the network
AGPL (newest version as of 2016 is 3.0)

The "Affero General Public License" extends the GPL to SaaS: users of the modified software must be able to obtain the source code of the modifications.
GPL or LGPL (newest version as of 2016 is 3.0)

The "Lesser General Public License" relaxes the GPL for libraries: if the library is not modified, just integrated (function calls, global variables,...), with other software, it does not require the source code of the other software to be published. The Free Software Foundation recommends the LGPL only for libraries which have established competitors for the same functionality, otherwise they recommend the full GPL.
Document (includes E-Learning, presentations, books etc.)
CC-BY-SA (newest version as of 2016 is 4.0)

The "Creative Commons Attribution-ShareAlike" is like the GPL, but for documents.
CC-BY (newest version as of 2016 is 4.0)

The "Creative Commons Attribution" is like the Apache License, but for documents.

Contributor License Agreements

OWASP desires that all contributors of ideas, code, or documentation to the OWASP projects complete, sign, and submit (via snailmail or fax) a Contributor License Agreement. The purpose of this agreement is to clearly define the terms under which intellectual property has been contributed to OWASP and thereby allow us to defend the project should there be a legal dispute regarding the software at some future time. All contributions made through the website are covered by the clickthrough license on the account creation page.

Assignment of Copyright Agreement

In the case that the contributor desire to assign copyright to the OWASP Foundation, please use the Assignment of Copyright Agreement. Assignment of copyright is not strictly necessary but is an option available to those contributors who would prefer that the OWASP Foundation hold the copyright for contributed materials.