About OpenSSF

The Open Source Security Foundation (OpenSSF) seeks to make it easier to sustainably secure the development, maintenance, release, and consumption of the open source software (OSS) we all depend on. This includes fostering collaboration within and beyond the OpenSSF, establishing best practices, and developing innovative solutions.

OSS is a digital public good and as an industry, we have an obligation to address the security concerns with the community. We envision a future where OSS is universally trusted, secure, and reliable. Producers of OSS (of all skill levels) have the ability to proactively and retroactively address both existing and emergent security threats through low-friction tooling automation, education, and clear and actionable guidance. This collaborative vision enables individuals and organizations in a global ecosystem to confidently leverage the benefits and meaningfully contribute back to the OSS community.

The OpenSSF serves as a trusted partner to affiliated open source foundations and projects, and provides valuable guidance and artifacts that encourage security-by-design and security- by-default. OpenSSF initiatives should make security easier for open source maintainers and contributors. Consumers of OSS can leverage the output of the OpenSSF to have clear, consistent, and trusted signals to better understand the security profile of OSS content.

The OpenSSF is committed to encouraging all interested stakeholders to participate in the foundation and its technical initiatives (TIs). The OpenSSF is viewed as an influential advocate for mutually-beneficial external efforts and an educator of policy decision makers.

The OpenSSF remains committed to directly facilitating an environment for all perspectives, all backgrounds, and equitable opportunities for global mentorship and education. The OpenSSF remains committed to continuously evolving these efforts to bring more inclusive and diverse software security education. The OpenSSF will ensure stakeholders have open and transparent opportunities to engage in and receive value from OpenSSF TIs.

The OpenSSF strategy is a set of objectives that aim to enhance the security of OSS by developing tooling and processes that make secure development easier, promote a deeper understanding of best practices, and provide support to innovative technical initiatives. The charter is the source of truth for the OpenSSF, and this strategy builds on the charter.

Objectives focus on tooling and processes designed to ensure consistency, integrity, and risk assessment that strengthen the overall security of the OSS ecosystem. This focus supports the community to develop tooling, processes, and educational assets that accelerate OSS security technical initiatives. Accomplishing these objectives will provide maintainers and contributors of OSS (of all skill levels) the ability to proactively or retroactively address both existing and emergent security threats.

The OpenSSF strategy is outlined across three key areas:
We will be a Catalyst for Change, we will Educate and Empower the Modern Developer, and we will be an Ecosystem Leader.

• How do we impact our technological underpinnings to drive adoption of better security outcomes? Catalyst for Change

OpenSSF acts as a catalyst for change with producers of OSS to improve “secure by design/default”. Drive technical engagement to create integrated tools that remove barriers to adopting security foundations to improve open source software security.

• How do we ensure the evolving security needs of our developer community are being met? Educate & Empower the Modern Developer

Create and maintain best practices guides & education materials that ensure both current and future OSS developers obtain & maintain sufficient secure development skills. Consumers of OSS can leverage clear, consistent, and easily integrated trusted signals to better understand the security posture of open source content ingested in supply chains.

• How do we interact with others and influence better security? Ecosystem Leader

Be an influential advocate and provide a thought leadership forum for collaboration with partners, OSS communities, security experts, and industry stakeholders on matters important to open source software and supply chain security. Participate meaningfully in standards, frameworks and public policy that impact OSS security. Up-level technical aspects of open source software security when needed to engage with governments, industry bodies, and other relevant organizations.