OpenSSF Technical Vision
We envision a future where participants in the open source ecosystem use and share high quality software, with security handled proactively, by default, and as a matter of course:
- Developers can easily learn secure development practices and are proactively guided by their tools to apply those practices and automatically informed when action is needed to prevent, remediate, or mitigate security issues.
- Developers, auditors, and regulators can create and easily distribute security policies that are enforced through tooling and automation, providing continuous assurance of the results.
- Developers and researchers can identify security issues (including unintentional vulnerabilities and malicious software) and have this information swiftly flow backwards through the supply chain to someone who can rapidly address the issue.
- Community members can provide information and notifications about product defects, mitigations, quality, and supportability and have this information rapidly flow forward across the ecosystem system to all users, and users can rapidly update their software or implement mitigations as appropriate.
The Open Source Security Foundation (OpenSSF) provides tools, services, training, infrastructure, and resources to achieve this vision.
We believe the security of open source is a public good and as an industry we have an obligation to address it for the commonwealth of the community.
Openness and Transparency
We commit to encouraging all interested stakeholders to participate in the foundation and its working groups. The foundation’s work will be made publicly available.
We approach the work of contributing to improving the security of open source software with a strong respect for open source maintainers and developers, with an intent to create resources and tooling to help scale security improvements to benefit the open source ecosystem as a whole.
Diversity, Inclusion, and Representation
We work to actively invite and include people from a range of backgrounds, locations, identities, and perspectives, and promote a culture of mutual respect and inclusiveness as a requirement for participation.
Agility and Delivery
We work to deliver concrete and useful outputs and tools to help make open source more secure. We do so in a manner that enables us to learn from experience and experiment, and improve our outputs accordingly.
Credit Where Credit is Due
We commit to a culture where people’s contributions are recognized and acknowledged fairly.
We don’t bias toward any ecosystem, vendor or platforms.
We recognize and understand each other’s challenges, perspective and circumstances. We commit to a culture of listening and caring for multiple opinions.
OpenSSF is focused on improving the security of open source software (OSS) by building a broader community with targeted initiatives and best practices. It focuses on mission-critical software, metrics, tooling, best practices, developer identity validation, vulnerability disclosures best practices, and more.
The OpenSSF was established on the premise that security researchers need a mechanism to allow them to collaboratively address methods needed to secure the open source security supply chain. It recognizes that security researchers across the globe within organizations have common interests and concerns. OpenSSF facilitates sustained dialogue and project work among private entities, foundations, and academia.
As open source has become more pervasive, its security has become a key consideration for building and maintaining critical infrastructure that supports mission-critical systems throughout our society. It is more important than ever that we bring the industry together in a collaborative and focused effort to advance the state of open source security. The world’s technology infrastructure depends on it.
No, as with any Linux Foundation effort, any technical effort is open to all and doesn’t require funding to participate (just like any other open source project).
Neither the Governing Board (GB) nor the Technical Advisory Council (TAC) is responsible for managing the foundation hosted Working Groups (WGs) and projects directly. Instead, the maintainers of those projects manage them; this includes defining the governance process. The GB is responsible for the budget and the TAC the overall technical strategy.
No, all project-related decisions are made by the project maintainers. Maintainership and governance processes are decided by the projects without regard to OpenSSF membership.
How can I report not-publicly-known security vulnerabilities in OpenSSF projects, SIGs, or its website?
For specific projects and SIGs hosted on GitHub, please go to its GitHub repository and try to privately report a vulnerability there (see GitHub’s information on privately reporting a security vulnerability). If that isn’t enabled, or for other reasons you can’t determine where to send private information, please email your report to email@example.com.
Diversity, Inclusion, and Representation is one of our core values. We aim to create an inclusive culture and make sure everyone is respected and valued.
We believe that vulnerability disclosure is a collaborative, two-way street. All parties, maintainers, as well as researchers, must act responsibly. This is why we adhere to a maximum 90-day public disclosure time limit, the “Time Limit.”
Please read more in our Model Outbound Vulnerability Disclosure Policy