The Open Source Security Foundation (OpenSSF) seeks to make it easier to sustainably secure the development, maintenance, and consumption of the open source software (OSS) we all depend on. This includes fostering collaboration, establishing best practices, and developing innovative solutions.
OpenSSF Mission
OpenSSF Vision
OSS is a digital public good and as an industry, we have an obligation to address the security concerns with the community. We envision a future where OSS is universally trusted, secure, and reliable. This collaborative vision enables individuals and organizations in a global ecosystem to confidently leverage the benefits and meaningfully contribute back to the OSS community.
OpenSSF Values
The OpenSSF serves as a trusted partner to affiliated open source foundations and projects and provides valuable guidance and artifacts, like the top ten Secure Software Development Guiding Principles, to those projects and foundations that encourage security by design and security by default. OpenSSF initiatives should make security easier for open source maintainers and contributors. Consumers of OSS can leverage the output of the OpenSSF to have clear, consistent, and trusted signals to better understand the security profile of OSS content.
The OpenSSF is committed to encouraging all interested stakeholders to participate in the foundation and its technical initiatives (TIs). The OpenSSF is viewed as an influential advocate for mutually-beneficial external efforts and an educator of policy decision makers.
More than just advocacy to Diversity, Equity, and Inclusion (DEI) groups, the OpenSSF remains committed to directly facilitating an environment for all perspectives, all backgrounds, and equitable opportunities for global mentorship and education. The OpenSSF remains committed to continuously evolving these efforts to bring more inclusive and diverse software security education, ensuring stakeholder share opportunities to engage in and receive value from OpenSSF TIs.
OpenSSF Strategy
The OpenSSF strategy is a set of objectives that aim to enhance the security of OSS by developing tooling and processes that make secure development easier, promote a deeper understanding of best practices, and provide support to innovative technical initiatives. The charter is the source of truth for the OpenSSF, and this strategy builds on the charter.
Objectives focus on tooling and processes designed to ensure consistency, integrity, and risk assessment that strengthen the overall security of the OSS ecosystem. This focus supports the community to develop tooling, processes, and educational assets that accelerate OSS security technical initiatives. Accomplishing these objectives will provide maintainers and contributors of OSS (of all skill levels) the ability to proactively or reactively address both existing and emergent security threats.
The OpenSSF strategy is outlined across five key areas:
- Education and targeted communication: Develop and promote best practices, guidelines, and educational resources to enhance open source software security awareness and expertise within the ecosystem. OpenSSF advocates with targeted personas (including maintainers, contributors, and consumers) in the OSS ecosystem to improve their default security posture and catalyzes efforts to reduce or eliminate friction in achieving that state.
- Facilitate collaboration: Foster a culture of collaboration and inclusion among OSS communities, security experts, and industry stakeholders to sustainably address open source software security challenges effectively with transparent operations and governance.
- Sustainable technical innovation and enhanced delivery: Support tooling and process enhancements to existing security capabilities. Deliver new security capabilities to open source ecosystems, such as vulnerability detection, incident response, secure coding practices, and actionable standards.
- Advocacy and policy: Advocate for policies and practices that promote OSS security, working with governments, industry bodies, and other relevant organizations.
- Community engagement: Actively engage with OSS communities through events, conferences, workshops, and online platforms to foster dialogue, collaboration, and knowledge exchange.
FAQ
Why does the industry need OpenSSF now?
As open source has become more pervasive, its security has become a key consideration for building and maintaining critical infrastructure that supports mission-critical systems throughout our society. It is more important than ever that we bring the industry together in a collaborative and focused effort to advance the state of open source security. The world’s technology infrastructure depends on it.
Who are the initial and current OpenSSF members?
View the full list of current OpenSSF members. The founding members are GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation, and Red Hat, among others.
Do I have to be a member to participate in a Working Group or project?
No, as with any Linux Foundation effort, any technical effort is open to all and doesn’t require funding to participate (just like any other open source project).
Does the GB or TAC control WGs or projects directly?
Neither the Governing Board (GB) nor the Technical Advisory Council (TAC) is responsible for managing the foundation hosted Working Groups (WGs) and projects directly. Instead, the maintainers of those projects manage them; this includes defining the governance process. The GB is responsible for the budget and the TAC the overall technical strategy.
Does membership or sponsorship level ever affect project-related decisions?
No, all project-related decisions are made by the project maintainers. Maintainership and governance processes are decided by the projects without regard to OpenSSF membership.
Where can I see current status and projects of work items?
All work is happening in the open and the OpenSSF TAC lists all technical initiatives.
How can I report not-publicly-known security vulnerabilities in OpenSSF projects, SIGs, or its website?
For specific projects and SIGs hosted on GitHub, please go to its GitHub repository and try to privately report a vulnerability there (see GitHub’s information on privately reporting a security vulnerability). If that isn’t enabled, or for other reasons you can’t determine where to send private information, please email your report to security@openssf.org.
How is OpenSSF ensuring inclusive representation of the open source community?
Diversity, Inclusion, and Representation is one of our core values. We aim to create an inclusive culture and make sure everyone is respected and valued.
How do I join and participate?
Anyone can contribute to the OpenSSF. Find out how you can get involved.
How does my organization join as a member?
To learn more about how you can join your industry peers in supporting the OpenSSF, submit a membership inquiry and an OpenSSF representative will be in touch soon.
What is the OpenSSF Outbound Vulnerability Disclosure Policy?
We believe that vulnerability disclosure is a collaborative, two-way street. All parties, maintainers, as well as researchers, must act responsibly. This is why we adhere to a maximum 90-day public disclosure time limit, the “Time Limit.”
Please read more in our Model Outbound Vulnerability Disclosure Policy
