Best Practices Badge Program

The Open Source Security Foundation (OpenSSF) Best Practices Badge is a way for Free/Libre and Open Source Software (FLOSS) projects to show that they follow best practices. Projects can voluntarily self-certify, at no cost, by using this web application to explain how they follow each best practice. The OpenSSF Best Practices Badge is inspired by the many badges available to projects on GitHub. Consumers of the badge can quickly assess which FLOSS projects are following best practices and, as a result, are more likely to produce higher-quality secure software.

The OpenSSF Best Practices Badge website outlines the criteria for the passing badge, provides an example, shows participating projects, and supports queries to show projects that have a passing badge. This project was formerly known as the Core Infrastructure Initiative (CII) Best Practices Badge and was formally renamed as part of OpenSSF in late 2021. More information on the OpenSSF Best Practices Badging program is available on GitHub.

The best practices badge site supports both the OpenSSF Baseline criteria (baseline-1, baseline-2, and baseline-3) and its own “Metal series” of criteria (passing, silver, gold). The baseline series is the more minimal checklist: it covers only MUST security requirements and is derived in part from global cybersecurity regulations and frameworks. The metal series is a larger set of criteria that also includes recommendations and quality practices that affect security, and is derived in part from the experience of secure FLOSS projects. We encourage projects to eventually complete both; once you have completed one series, the other is much easier, because many of the criteria overlap.

Best Practices Badge is developed under the OpenSSF organization, as a part of the Best Practices Working Group.