Talk:OWASP Corporate Application Security Pledge

'''Dinis Cruz comment: '''

If we take the approach that we will not (for now) verify all or most claims made, then we should:


 * Make the fact that the claims are not verified very clear (or at least that we don't check it unless there is an complain)
 * Create a workflow to allow for 'non compliance' claims to be verified (i.e . somebody claims to be compliant when it is not)
 * Make it as comprehensive as possible (and try to integrate as many OWASP projects in there as possible (for example the developers have to go through Web Goat and Site Generator))

Otherwise it is a great idea, i really like to potential of this, and the opportunity to reward the companies that have those 5 items.

Actually we should add public verifiable items for each one (for example if they they security team contact must be public and it must work :) )