Skip to main content

Best Practices Badge

Best Practices Logo

The Open Source Security Foundation (OpenSSF) Best Practices badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices. Projects can voluntarily self-certify, at no cost, by using this web application to explain how they follow each best practice. The OpenSSF Best Practices Badge is inspired by the many badges available to projects on GitHub. Consumers of the badge can quickly assess which FLOSS projects are following best practices and as a result are more likely to produce higher-quality secure software.

You can easily see the criteria for the passing badge. More information on the OpenSSF Best Practices Badging program is available on GitHub. Project statistics and criteria statistics are available. The projects page shows participating projects and supports queries (e.g., you can see projects that have a passing badge). You can also see an example (where we try to earn our own badge). This project was formerly known as the Core Infrastructure Initiative (CII) Best Practices badge. and was originally developed under the CII. It is now part of the OpenSSF Best Practices Working Group (WG). The OpenSSF is a foundation of the Linux Foundation (LF). The project was formally renamed from “CII Best Practices badge” on 2021-12-24.

Privacy and legal issues: Please see our privacy policy, about cookies, and terms of use. The code for the badging application itself is released under the MIT license (projects pursuing a badge are under their respective licenses). All publicly-available non-code content managed by the badging application is released under at least the Creative Commons Attribution License version 3.0 (CC-BY-3.0); newer non-code content is released under CC-BY version 3.0 or later (CC-BY-3.0+). If referencing collectively or not otherwise noted, please credit the OpenSSF Best Practices badge contributors.

Criticality Score

This project is maintained by members of the Securing Critical Projects WG.


  1. Generate a criticality score for every open source project.
  2. Create a list of critical projects that the open source community depends on.
  3. Use this data to proactively improve the security posture of these critical projects.
    Fuzz Introspector

Fuzz introspector is a tool to help fuzzer developers to get an understanding of their fuzzer’s performance and identify any potential blockers. Fuzz introspector aggregates the fuzzers’ functional data like coverage, hit frequency, entry points, etc to give the developer a birds eye view of their fuzzer. This helps with identifying fuzz bottlenecks and blockers and eventually helps in developing better fuzzers.

Fuzz-introspector aims to improve fuzzing experience of a project by guiding on whether you should:

  • introduce new fuzzers to a fuzz harness
  • modify existing fuzzers to improve the quality of your harness.