Open Source Project Security Baseline

The OSPS Baseline is designed to establish a minimum set of security-related best practices for open source software projects, relative to their maturity level. It aims to help maintainers, contributors, and users quickly understand and adopt fundamental security steps — like enabling secure workflows, setting up responsible disclosure policies, and maintaining basic project hygiene. By meeting this “baseline,” a project signals that it has taken essential measures to reduce the risk of common vulnerabilities and to improve its overall trustworthiness to adopters and contributors.

The OpenSSF community has produced this control catalog in collaboration with Linux Foundation partners — including CNCF, FINOS, and OpenJS.

Key Benefits
For Developers & Maintainers
• Clear, actionable guidance to improve security.
• Demonstrates commitment to secure development practices.
• Reduces repetitive security requests from downstream consumers.

For Consumers & Organizations
• Transparent, verifiable evidence of upstream project security.
• Streamlines compliance with global standards (e.g., CRA, NIST SSDF).
• Enables due diligence and risk management practices.

The Baseline Framework
The OSPS Baseline defines 41 security requirements across three maturity levels, structured within six lifecycle stages. Each stage is supported by documentation, automation, and reporting to help projects demonstrate security practices at scale.

Sample: OSPS-AC-3.01
When a direct commit is attempted on the project’s primary branch, an enforcement mechanism MUST prevent the change from being applied.
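As an added illustration of how a project or its downstream consumers might verify this control, the following script evaluates a branch-protection configuration against the intent of OSPS-AC-3.01. It is example code written for this page, not part of the OSPS Baseline or its tooling; the sample inputs are constructed and their field names are modelled on (an assumption of this example) the shape of a GitHub REST branch-protection response.

```python
"""Check a primary-branch protection rule against OSPS-AC-3.01."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample inputs. Field names follow the GitHub REST
# "get branch protection" response as an assumption of this example;
# adapt the accessors for other forges.
PROTECTED = {
    "required_pull_request_reviews": {"required_approving_review_count": 1},
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}
WEAK = {
    # no required_pull_request_reviews: direct commits are possible
    "enforce_admins": {"enabled": False},   # admins may bypass the rule
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}


@dataclass
class Finding:
    compliant: bool
    gaps: List[str] = field(default_factory=list)


def evaluate_ac_3_01(protection: Optional[dict]) -> Finding:
    """Return the gaps that let a direct commit reach the primary branch."""
    if not protection:
        return Finding(False, ["no protection rule: direct commits are allowed"])
    gaps = []
    if protection.get("required_pull_request_reviews") is None:
        gaps.append("changes are not required to arrive via a pull request")
    if not protection.get("enforce_admins", {}).get("enabled", False):
        gaps.append("administrators can bypass the rule and commit directly")
    if protection.get("allow_force_pushes", {}).get("enabled", False):
        gaps.append("force pushes can rewrite the branch history")
    if protection.get("allow_deletions", {}).get("enabled", False):
        gaps.append("the branch can be deleted and recreated with new history")
    return Finding(not gaps, gaps)


if __name__ == "__main__":
    for name, rule in (("protected", PROTECTED), ("weak", WEAK), ("none", None)):
        result = evaluate_ac_3_01(rule)
        print(f"{name}: compliant={result.compliant} gaps={result.gaps}")
```

The `enforce_admins` and force-push checks matter because a rule that only ordinary contributors cannot bypass does not satisfy the MUST in the control text.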