Skip to main content

The Open Source Software Security Mobilization Plan

During the Open Source Software Security Summit II in Washington, DC on May 12 – 13, 2022, The Linux Foundation and OpenSSF gathered a cross-section of open source developer and commercial ecosystem representatives along with leaders and experts from key U.S. federal agencies to reach a consensus on high-impact actions to take to improve the resiliency and security of open source software.

The plan they agreed to focuses on 10 streams of investment, with concrete action steps for both immediate improvements and strong foundations for a more secure future.


10 Streams of Investment for Open Source Security

Security Education
Deliver baseline secure software development education and certification to all.
Risk Assessment
Establish a public, vendor-neutral, objective, metrics-based risk assessment dashboard for the top 10,000 (or more) OSS components.
Digital Signatures
Accelerate the adoption of digital signatures on software releases.
Memory Safety
Eliminate root causes of many vulnerabilities through replacement of non-memory-safe languages.
Incident Response
Establish an OpenSSF Incident Response Team of security experts to assist open source projects accelerate their responses to newly discovered vulnerabilities.
Better Scanning
Accelerate discovery of new vulnerabilities by maintainers and experts through advanced security tools and expert guidance.
Code Audits
Conduct third-party code reviews (and any necessary remediation work) of up to 200 of the most-critical OSS components once per year.
Data Sharing
Coordinate industry-wide data sharing to improve the research that helps determine the most critical OSS components.
SBOMs Everywhere
Improve SBOM tooling and training to drive adoption.
Improved Software Supply Chains
Enhance the 10 most critical OSS build systems, package managers, and distribution systems with better supply chain security tools and best practices.

Download the Summit II plan to learn more.


Get in touch with us.

For more information about the Open Source Software Security Mobilization Plan and how you can get involved in the OpenSSF, please fill out this form to be contacted by an OpenSSF representative.