The Open Source Security Foundation (OpenSSF) seeks to make it easier to sustainably secure the development, maintenance, and consumption of the open source software (OSS) we all depend on. This includes fostering collaboration, establishing best practices, and developing innovative solutions.
OSS is a digital public good, and as an industry we have an obligation to address its security concerns together with the community. We envision a future where OSS is universally trusted, secure, and reliable. This collaborative vision enables individuals and organizations in a global ecosystem to confidently leverage the benefits of OSS and meaningfully contribute back to the OSS community.
The OpenSSF serves as a trusted partner to affiliated open source foundations and projects and provides valuable guidance and artifacts, like the top ten Secure Software Development Guiding Principles, to those projects and foundations that encourage security by design and security by default. OpenSSF initiatives should make security easier for open source maintainers and contributors. Consumers of OSS can leverage the output of the OpenSSF to have clear, consistent, and trusted signals to better understand the security profile of OSS content.
The OpenSSF is committed to encouraging all interested stakeholders to participate in the foundation and its technical initiatives (TIs). The OpenSSF is viewed as an influential advocate for mutually-beneficial external efforts and an educator of policy decision makers.
More than just advocacy to Diversity, Equity, and Inclusion (DEI) groups, the OpenSSF remains committed to directly facilitating an environment for all perspectives and all backgrounds, with equitable opportunities for global mentorship and education. The OpenSSF remains committed to continuously evolving these efforts to bring more inclusive and diverse software security education, ensuring that stakeholders share opportunities to engage in and receive value from OpenSSF TIs.
The OpenSSF strategy is a set of objectives that aim to enhance the security of OSS by developing tooling and processes that make secure development easier, promote a deeper understanding of best practices, and provide support to innovative technical initiatives. The charter is the source of truth for the OpenSSF, and this strategy builds on the charter.
Objectives focus on tooling and processes designed to ensure consistency, integrity, and risk assessment that strengthen the overall security of the OSS ecosystem. This focus supports the community to develop tooling, processes, and educational assets that accelerate OSS security technical initiatives. Accomplishing these objectives will provide maintainers and contributors of OSS (of all skill levels) the ability to proactively or reactively address both existing and emergent security threats.
The OpenSSF strategy is outlined across five key areas:
- Education and targeted communication: Develop and promote best practices, guidelines, and educational resources to enhance open source software security awareness and expertise within the ecosystem. OpenSSF advocates with targeted personas (including maintainers, contributors, and consumers) in the OSS ecosystem to improve their default security posture and catalyzes efforts to reduce or eliminate friction in achieving that state.
- Facilitate collaboration: Foster a culture of collaboration and inclusion among OSS communities, security experts, and industry stakeholders to sustainably address open source software security challenges effectively with transparent operations and governance.
- Sustainable technical innovation and enhanced delivery: Support tooling and process enhancements to existing security capabilities. Deliver new security capabilities to open source ecosystems, such as vulnerability detection, incident response, secure coding practices, and actionable standards.
- Advocacy and policy: Advocate for policies and practices that promote OSS security, working with governments, industry bodies, and other relevant organizations.
- Community engagement: Actively engage with OSS communities through events, conferences, workshops, and online platforms to foster dialogue, collaboration, and knowledge exchange.
As open source has become more pervasive, its security has become a key consideration for building and maintaining critical infrastructure that supports mission-critical systems throughout our society. It is more important than ever that we bring the industry together in a collaborative and focused effort to advance the state of open source security. The world’s technology infrastructure depends on it.
No, as with any Linux Foundation effort, any technical effort is open to all and doesn’t require funding to participate (just like any other open source project).
Neither the Governing Board (GB) nor the Technical Advisory Council (TAC) is responsible for directly managing the foundation-hosted Working Groups (WGs) and projects. Instead, the maintainers of those projects manage them, which includes defining their own governance processes. The GB is responsible for the budget, and the TAC for the overall technical strategy.
No, all project-related decisions are made by the project maintainers. Maintainership and governance processes are decided by the projects without regard to OpenSSF membership.
How can I report not-publicly-known security vulnerabilities in OpenSSF projects, SIGs, or its website?
For specific projects and SIGs hosted on GitHub, please go to the project's GitHub repository and try to privately report a vulnerability there (see GitHub's information on privately reporting a security vulnerability). If that isn't enabled, or if for other reasons you can't determine where to send private information, please email your report to email@example.com.
Diversity, Inclusion, and Representation is one of our core values. We aim to create an inclusive culture and make sure everyone is respected and valued.
We believe that vulnerability disclosure is a collaborative, two-way street. All parties, maintainers as well as researchers, must act responsibly. This is why we adhere to a maximum 90-day public disclosure time limit, the "Time Limit."
Please read more in our Model Outbound Vulnerability Disclosure Policy.