Skip to main content

OpenSSF Working Groups

Participating in Working Groups and their SIGs/projects is fun; it’s the best way to immerse yourself in OpenSSF and the critical challenges facing open source security today.

OpenSSF Working Groups are open to anyone.

Join the Community today!


Best Practices for Open Source Developers

Want to help drive open source security education or help develop best practices? We have a lot of projects and groups that are working towards these goals.

  • We envision a world where software developers can easily IDENTIFY good practices, requirements and tools that help them create and maintain secure world-class software, helping foster a community where security knowledge is shared and amplified.
  • We seek to provide means to LEARN techniques of writing and identifying secure software using methods best suited to learners of all types.
  • We desire to provide tools to help developers ADOPT these good practices seamlessly into their daily work.

Best: GitHub | Slack | Mailing List

Artificial Intelligence / Machine Learning (AI/ML) Security

We formed in September 2023 after the growing problem of AI/ML Security in open source. Join is to discuss the possible security impacts of AI / ML technologies on open source software, maintainers, communities, and their adopters, along with how OSS projects could safely or effectively leverage LLMs to improve their security posture.

AI: GitHub | SlackMailing List

Diversity, Equity, & Inclusion

We formed in December 2023 to help increase representation and strengthen the overall effectiveness of the cybersecurity workforce.

DEI: SlackMailing List

End Users

We represent the interests of public and private sector organizations that primarily consume open source rather than produce it. Right now, we are focusing on threat modeling. Join us to see how threat modeling works and get your ideas in the current scope.

End Users: GitHub | SlackMailing List

Metrics & Metadata

We enable informed confidence in the security of OSS by collecting, curating, and communicating relevant metrics and metadata. Our WG has mostly projects that focus on the code to get this done.

M&M: GitHub | Slack Mailing List

Securing Critical Projects

Wonder how critical OSS projects are selected? Then join us! We have progress reports every other week on each project/SIG so it is easy to jump in and get going.

Sec-Crit-Proj: GitHub | Slack | Mailing List

Securing Software Repositories

We provide a collaborative environment for aligning on the introduction of new tools and technologies to strengthen and secure software repositories. Our current project is Repository Service for TUF, join to learn more.

Sec-Soft-Repo: GitHub | SlackMailing List

Security Tooling

Our mission is to provide the best security tools for open source developers and make them universally accessible. We talk a lot about SBOMs currently.

Sec-Tool: GitHub | Slack| Mailing List

Supply Chain Integrity

We are helping people understand and make decisions on the provenance of the code they maintain, produce and use. We have great projects like GUAC, SLSA and gittuf that you can work with.

Supply-Ch-Int: GitHub | SlackMailing List

Vulnerability Disclosures

We are improving the overall security of the OSS ecosystem by helping advance vulnerability reporting and communication.

To enable OSS maintainers to easily issue VEX documents helping them lower the burden triaging vulnerability reports and communicating impact enable VEX feeds!

Vuln-Disc: GitHub | Slack | Mailing List

Learn how to Get Involved today!

Working Groups, Projects, & SIGs