OpenSSF Technical Vision
We envision a future where participants in the open source ecosystem use and share high quality software, with security handled proactively, by default, and as a matter of course:
- Developers can easily learn secure development practices and are proactively guided by their tools to apply those practices and automatically informed when action is needed to prevent, remediate, or mitigate security issues.
- Developers, auditors, and regulators can create and easily distribute security policies that are enforced through tooling and automation, providing continuous assurance of the results.
- Developers and researchers can identify security issues (including unintentional vulnerabilities and malicious software) and have this information swiftly flow backwards through the supply chain to someone who can rapidly address the issue.
- Community members can provide information and notifications about product defects, mitigations, quality, and supportability and have this information rapidly flow forward across the ecosystem to all users, and users can rapidly update their software or implement mitigations as appropriate.
The Open Source Security Foundation (OpenSSF) provides tools, services, training, infrastructure, and resources to achieve this vision.
OpenSSF Values
Public Good
We believe the security of open source is a public good and as an industry we have an obligation to address it for the commonwealth of the community.
Openness and Transparency
We commit to encouraging all interested stakeholders to participate in the foundation and its working groups. The foundation’s work will be made publicly available.
Maintainers First
We approach the work of contributing to improving the security of open source software with a strong respect for open source maintainers and developers, with an intent to create resources and tooling to help scale security improvements to benefit the open source ecosystem as a whole.
Diversity, Inclusion, and Representation
We work to actively invite and include people from a range of backgrounds, locations, identities, and perspectives, and promote a culture of mutual respect and inclusiveness as a requirement for participation.
Agility and Delivery
We work to deliver concrete and useful outputs and tools to help make open source more secure. We do so in a manner that enables us to learn from experience and experiment, and improve our outputs accordingly.
Credit Where Credit is Due
We commit to a culture where people’s contributions are recognized and acknowledged fairly.
Neutrality
We don’t bias toward any ecosystem, vendor, or platform.
Empathy
We recognize and understand each other’s challenges, perspectives, and circumstances. We commit to a culture of listening to and caring about multiple opinions.
FAQ
What is the scope of OpenSSF?
OpenSSF is focused on improving the security of open source software (OSS) by building a broader community with targeted initiatives and best practices. It focuses on mission-critical software, metrics, tooling, best practices, developer identity validation, vulnerability disclosure best practices, and more.
The OpenSSF was established on the premise that security researchers need a mechanism that allows them to collaboratively address the methods needed to secure the open source supply chain. It recognizes that security researchers across the globe and within organizations have common interests and concerns. OpenSSF facilitates sustained dialogue and project work among private entities, foundations, and academia.
Why does the industry need OpenSSF now?
As open source has become more pervasive, its security has become a key consideration for building and maintaining critical infrastructure that supports mission-critical systems throughout our society. It is more important than ever that we bring the industry together in a collaborative and focused effort to advance the state of open source security. The world’s technology infrastructure depends on it.
Who are the initial and current OpenSSF members?
View the full list of current OpenSSF members. The founding members include GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation, and Red Hat, among others.
Do I have to be a member to participate in a Working Group or project?
No. As with any Linux Foundation effort, all technical work is open to everyone and does not require funding to participate (just like any other open source project).
Does the GB or TAC control WGs or projects directly?
Neither the Governing Board (GB) nor the Technical Advisory Council (TAC) is responsible for managing the foundation-hosted Working Groups (WGs) and projects directly. Instead, the maintainers of those projects manage them; this includes defining the governance process. The GB is responsible for the budget, and the TAC for the overall technical strategy.
Does membership or sponsorship level ever affect project-related decisions?
No, all project-related decisions are made by the project maintainers. Maintainership and governance processes are decided by the projects without regard to OpenSSF membership.
Where can I see current status and projects of work items?
All work is happening in the open and the OpenSSF TAC lists all technical initiatives.
How can I report not-publicly-known security vulnerabilities in OpenSSF projects, SIGs, or its website?
For specific projects and SIGs hosted on GitHub, please go to the project’s GitHub repository and try to privately report a vulnerability there (see GitHub’s information on privately reporting a security vulnerability). If that isn’t enabled, or if for other reasons you can’t determine where to send private information, please email your report to security@openssf.org.
How is OpenSSF ensuring inclusive representation of the open source community?
Diversity, Inclusion, and Representation is one of our core values. We aim to create an inclusive culture and make sure everyone is respected and valued.
How do I join and participate?
Anyone can contribute to the OpenSSF. Find out how you can get involved.
How does my organization join as a member?
To learn more about how you can join your industry peers in supporting the OpenSSF, submit a membership inquiry and an OpenSSF representative will be in touch soon.
What is the OpenSSF Outbound Vulnerability Disclosure Policy?
We believe that vulnerability disclosure is a collaborative, two-way street. All parties, maintainers as well as researchers, must act responsibly. This is why we adhere to a maximum 90-day public disclosure time limit, the “Time Limit.”
Please read more in our Model Outbound Vulnerability Disclosure Policy.