Third Party Engagement

How Third Parties can use ZAP and engage with the ZAP Core Team.

This is not a legal document, third parties are expected to perform their own due diligence before offering services which use or are related to ZAP.

  • Any third party can sponsor anyone to work on ZAP
  • Third parties can promote their sponsorship of ZAP or people working on ZAP
  • Any third party can build commercial services using ZAP as long as they conform to all of the relevant Open Source licences and do not claim that it is endorsed by the ZAP core team or OWASP
  • Any third party can rebundle and redistribute ZAP with any other components as long as they do not claim it is an “official ZAP release” or endorsed by either the ZAP core team or OWASP
  • Third parties are encouraged to be public about their use of ZAP and to contribute back fixes and enhancements
  • Third parties should not use “ZAP” or “ZAPROXY” in their product names
  • Third party specific add-ons can be added to the ZAP Marketplace as long as the add-ons are free and Open Source and it is clear who developed/supports them. Any services those add-ons connect to can be Open Source, closed source, free or commercial
  • Third party specific add-ons will not be included in the official ZAP distributions
    • Exceptions may be made by the ZAP core team, for example add-ons which connect to commonly used components like bug trackers
  • Third party specific add-ons should not be included in the ZAP code base (with the above proviso)
  • Third parties can offer free or paid-for support for ZAP as long as they do not claim that it is endorsed by the ZAP core team or OWASP
  • ZAP communication channels cannot be used to endorse commercial products
  • Commercial products based on ZAP can be mentioned on ZAP communication channels as long as all similar commercial products are treated equally
  • Code will be merged into the code base based on its quality and suitability as decided by the ZAP core team
  • Add-ons may be added to zap-extensions by agreement of the ZAP core team
  • In general larger extensions should be implemented in their own repo, which does not have to be in the zaproxy org (template repo will be forthcoming)