Open Source Security Foundation (OpenSSF)

Collaborating to secure the open source ecosystem

About OpenSSF

Open source software has become pervasive in data centers, consumer devices, and services, reflecting its value to technologists and businesses alike. Because of its development process, the OSS that ultimately reaches end users carries a chain of contributors and dependencies. It is important that those responsible for their user's or organization's security are able to understand and verify the security of this dependency chain. The initial technical initiatives will focus on:

  • Vulnerability Disclosures
  • Security Tooling
  • Security Best Practices
  • Identifying Security Threats to Open Source Projects
  • Securing Critical Projects
  • Developer Identity Verification

Resources

  • Threats, Risks & Mitigations of the Open Source Ecosystem (Open Source Security Coalition)
  • Vulnerabilities in the Core (Harvard's Lab for Innovation Science and Linux Foundation)
  • Red Hat Product Security Risk Report (Red Hat)

We believe open source is a public good and across every industry we have a responsibility to come together to improve and support the security of open source software we all depend on. Ensuring open source security is one of the most important things we can do and it requires all of us around the world to assist in the effort. The OpenSSF will provide that forum for a truly collaborative, cross-industry effort.

Jim Zemlin, Executive Director at The Linux Foundation

FAQ

What is the OpenSSF?

The OpenSSF is a cross-industry collaboration that brings together leaders to improve the security of open source software (OSS) by building a broader community, targeted initiatives, and best practices.

The OpenSSF brings together open source security initiatives under one foundation to accelerate work through cross-industry support. This is beginning with the Core Infrastructure Initiative and the Open Source Security Coalition, and will include new working groups that address vulnerability disclosures, security tooling and more.

Will the OpenSSF identify and build new open source security standards and technologies or just maintain and sustain existing ones?

Likely a bit of both, but first we need to come to agreement on the problems we are tackling together, and then we will decide how best to solve them cooperatively as one foundation.

How is OpenSSF different from CII? What happens to CII?

The CII was funded largely by grants, whereas OpenSSF will be supported by Linux Foundation membership dues with targeted organization contributions to support initiatives. The CII plans to contribute resources and experience to the OpenSSF and to take desired projects through the project approval process shepherded by the OpenSSF TAC. In the long term, the CII will dissolve its efforts, with the work happening under the OpenSSF umbrella.

What happens to the Open Source Security Coalition (OSSC)?

All of the OSSC members and their projects will now be a part of the OpenSSF.

What is the scope of OpenSSF?

OpenSSF is focused on improving the security of open source software (OSS) by building a broader community with targeted initiatives and best practices. It will start with a focus on metrics, tooling, best practices, developer identity validation and vulnerability disclosures best practices. In the future, there is a plan to focus resources on the most mission-critical software identified by Harvard’s Lab for Innovation Science.

The OpenSSF was established on the premise that security researchers need a mechanism that allows them to collaborate on the methods needed to secure the open source supply chain. It recognizes that security researchers across the globe and within organizations have common interests and concerns. OpenSSF facilitates sustained dialogue and project work among private entities, foundations and academia.

Why now? Why does the industry need OpenSSF now? Why do we need OpenSSF? What will it do that isn’t being done today?

As open source has become more pervasive, its security has become a key consideration for building and maintaining critical infrastructure that supports mission-critical systems throughout our society. It is more important than ever that we bring the industry together in a collaborative and focused effort to advance the state of open source security. The world’s technology infrastructure depends on it.

What are the OpenSSF values?

  • Public good: We believe the security of open source is a public good and as an industry we have an obligation to address it for the commonwealth of the community.
  • Openness and Transparency: We commit to encouraging all interested stakeholders to participate in the foundation and its working groups. The foundation’s work will be made publicly available.
  • Maintainers First: We approach the work of contributing to improving the security of open source software with a strong respect for open source maintainers and developers, with an intent to create resources and tooling to help scale security improvements to benefit the open source ecosystem as a whole.
  • Diversity, Inclusion, and Representation: We work to actively invite and include people from a range of backgrounds, locations, identities, and perspectives, and promote a culture of mutual respect and inclusiveness as a requirement for participation.
  • Agility and Delivery: We work to deliver concrete and useful outputs and tools to help make open source more secure. We do so in a manner that enables us to learn from experience and experiment, and improve our outputs accordingly.
  • Credit where credit is due: We commit to a culture where people’s contributions are recognized and acknowledged fairly.
  • Neutrality: We don't bias toward any ecosystem, vendor or platform.
  • Empathy: We recognize and understand each other's challenges, perspectives and circumstances. We commit to a culture of listening to and caring about multiple opinions.

Who are the initial OpenSSF members?

The founding members are GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation and Red Hat, among others.

What initial Working Groups will be there?

  • Vulnerability Disclosures: The vision is an open source software ecosystem where the time to fix a vulnerability and deploy that fix across the ecosystem is measured in minutes, not months. The group will create a unified format and API for vulnerability reporting and coordinated disclosure, and drive broad adoption.
  • Security Tooling: Our mission is to provide the best security tools for open source developers and make them universally accessible. We want to create a space where members can collaborate to improve existing security tooling and develop new tools to suit the needs of the broader open source community.
  • Identifying Security Threats to Open Source Projects: The objective is to enable stakeholders to have informed confidence in the security of open source projects. We will identify a set of key metrics and build tooling (API, web UI) to communicate those metrics to stakeholders, enabling those stakeholders to better understand the security posture of individual open source components.
  • Security Best Practices: The objective is to provide open source developers with best practices recommendations.
  • Securing Critical Projects: The objective is to perform audits, assurance, response teams, improvements and hands-on tactical work.

How will the OpenSSF be governed?

Each WG will have an associated Technical Steering Committee (TSC) and will self-govern under its own technical charter, a typical approach within the Linux Foundation that separates business (funding) governance from technical governance.

Do I have to be a member to participate in a Working Group or project?

No. As with any Linux Foundation effort, every technical effort is open to all and doesn't require funding to participate (just like any other open source project).

Does the GB or TAC control WGs or projects directly?

Neither the Governing Board (GB) nor the Technical Advisory Committee (TAC) is responsible for managing the foundation-hosted WGs and projects directly. Instead, the maintainers of those projects manage them; this includes defining the governance process. The GB is responsible for the budget, and the TAC for the overall technical strategy.

Does membership or sponsorship level ever affect project-related decisions?

No. All project-related decisions are made by the project maintainers. Maintainership and governance processes are decided by the projects without regard to OpenSSF membership.

Where can I see current status and projects of work items?

All work is happening in the open and the OpenSSF TAC lists all technical initiatives.

What licenses are contributions licensed under?

Each WG gets to decide its own open source IP policy.

How is OpenSSF ensuring inclusive representation of the open source community?

Diversity, Inclusion, and Representation is one of our core values. We will create an inclusive culture and make sure everyone is respected and valued. We will explore opportunities to work within the community and with the Linux Foundation on related efforts.

How do I join and participate?

Anyone can contribute to the Open Source Security Foundation. Get involved by visiting https://openssf.org and https://github.com/ossf