
Open Source Software in Public Policy

Governments globally recognize cybersecurity’s importance, establishing partnerships and strategies to secure digital infrastructure. However, this attention risks unintentionally producing government policies that are inconsistent with how open-source software (OSS) is developed and used, often due to a lack of understanding of OSS.

The OpenSSF is a “community of software developers, security engineers, and more who are working together to secure OSS for the greater public good.” This includes the secure development, distribution, deployment, and use of OSS. This short document gives a clear stance on OpenSSF policy work, whether regional or general, as a basis for policy summits, member discussions, and solidarity across our policy representatives.

We, the OpenSSF, take steps to constructively engage with stakeholders worldwide to help improve the security of OSS globally, including working to ensure that OSS will continue to be sustainably available to everyone. This includes responding to government requests for information (RFI), providing expert advice, engaging in processes to develop relevant standards, reporting vulnerabilities/incidents and working to improve related processes, providing fora for discussions and collaboration, and developing educational materials. Per the Linux Foundation bylaws section 8.8, we do not perform any political expenditure or lobbying that might impact our status as a tax-exempt organization.

The OpenSSF focuses on the following (per the OpenSSF Public Policy Committee):

  1. Encourage governments to responsibly consume OSS in general and contribute upstream, particularly in areas concerning security
  2. Encourage public funding of OSS ecosystems, particularly targeting security enhancements and maintenance
  3. Encourage OSS consumers to be responsible for OSS security outcomes
  4. Encourage governments to engage with or join OSS communities
  5. Encourage governments to adopt secure-by-design, secure open source software, and software supply chain security best practices as three key pillars of cyber workforce and education strategies
  6. Encourage governments to collaborate, internationally, to secure open source software
  7. Encourage governments to include OSS consumption, contribution, appropriate regulation, engagement, education, and international collaboration as key prongs of their AI strategies, and use AI to accelerate each of these.

We advocate for flexible approaches that are efficient, agile, and enable innovation. We note that many OSS projects have small communities (often only one person) and don’t have a source of finances, so many OSS projects cannot develop extensive documentation or provide specialized responses to regulations without additional assistance. The OpenSSF develops tools, guidance, education, and other materials to make it easier for maintainers and communities to develop more secure OSS.

The OpenSSF has a global focus, with international policy and standards experts who advise and work with our communities. We recognize that cybersecurity concerns transcend political borders and want to address universal challenges that all creators and consumers of software face today.

Global Cyber Policy Working Group

Cybersecurity is a matter of global interest and concern. Stakeholders from across the ecosystem and the globe are impacted by the deluge of cybersecurity incidents and vulnerability exploits. The Global Cyber Policy Working Group seeks to assemble subject matter experts from many disciplines to collaboratively discuss legislation, regulation, and cybersecurity frameworks and standards that can help stakeholders of all backgrounds meet their compliance obligations.

Governing Board Public Policy Committee

The mission of the Governing Board Public Policy Committee is to provide an avenue for OpenSSF members to collaborate on policy matters related to or that impact open source software. Activities may include, for example, making recommendations on public statements regarding technical documents (including guidelines) published or authorized by public authorities, policy statements such as the U.S. EO, proposed regulations, and draft legislation or documents advancing the joint understanding on these issues in a manner consumable by policymakers.

European Union Cyber Resilience Act

The Cyber Resilience Act (CRA) entered into force (EIF) on December 10, 2024, when it was published as Regulation (EU) 2024/2847 in the Official Journal of the European Union. The CRA will fully apply three years later, on December 11, 2027. The CRA will obligate all products with digital elements placed on the European market, including their remote data processing, to comply with this regulation. The CRA intends to address threats and vulnerabilities by establishing standardized frameworks for cybersecurity requirements as part of a wider set of European product legislation.

Public Policy News and Updates

Dec 17, 2025 | Jeff Diecks

CRA Implementation Resources from the European Commission

The European Commission has released an information website on CRA implementation: https://digital-strategy.ec.europa.eu/en/factpages/cyber-resilience-act-implementation

The Commission has also published the first version of the FAQ: https://ec.europa.eu/newsroom/dae/redirection/document/122331

Read more.

Oct 22, 2025 | OpenSSF

SBOMs in the Era of the CRA: Toward a Unified and Actionable Framework

By Madalin Neag, Kate Stewart, and David A. Wheeler

In our previous blog post, we explored how the Software Bill of Materials (SBOM) should not be a static artifact created only to comply with some regulation, but should be a decision-ready tool. In particular, SBOMs can support risk management.… Read more.

Sep 19, 2025 | OpenSSF

From Ghent to Brussels: OpenSSF’s Week of Policy and Security in Europe

At the end of October, the Linux Foundation, the Linux Foundation Europe and OpenSSF will gather leaders across industry, government, and open source communities for three impactful events in Belgium. Together, these back-to-back gatherings will advance collaboration, shape policy, and highlight the critical role of open source in Europe’s digital… Read more.

Sep 11, 2025 | OpenSSF

Open Source Friday with OpenSSF – Global Cyber Policy Working Group

On August 15, 2025, GitHub’s Open Source Friday series spotlighted the Open Source Security Foundation (OpenSSF) in a live interview hosted by Kevin Crosby. Open Source Friday is GitHub’s weekly program that celebrates the creators, maintainers, and contributors who make the open source community thrive. The session introduced the OpenSSF… Read more.

Jul 29, 2025 | OpenSSF

What’s in the SOSS? Podcast #36 – S2E13 From Compliance to Community: Meeting CRA Requirements Together

In this episode of “What’s in the SOSS,” CRob dives deep into the Erlang ecosystem with Jonatan Männchen (CISO, Erlang Ecosystem Foundation), Ulf Riehm (Product Owner, Herrmann Ultraschall), and Michael Winser (Alpha-Omega). This episode explores the critical importance of security in open source, particularly in light of regulations like the… Read more.

Jul 15, 2025 | OpenSSF

New: Cyber Resilience Act (CRA) Brief Guide for OSS Developers

Specialized software, such as software in medical devices, has been regulated for years. But laws on specialized software affected very few developers. The European Union (EU) Cyber Resilience Act (CRA) is fundamentally different. Read more.

Jun 2, 2025 | OpenSSF

OSS and the CRA: am I a Manufacturer or a Steward?

The European Union’s Cyber Resilience Act (CRA) is a piece of legislation that covers all countries within the EU and the EEA and entered into force on 10th December 2024. It covers many types of devices and applications that are either sold or otherwise made commercially available on the European… Read more.

Apr 29, 2025 | OpenSSF

OpenSSF Launches Free Course to Prepare Developers for the EU Cyber Resilience Act

SAN FRANCISCO, CA – April 29, 2025 – The Open Source Security Foundation (OpenSSF), in collaboration with LF Education, announces the general availability of LFEL1001, a free online course designed to help software developers understand and prepare for the requirements of the European Union (EU) Cyber Resilience Act (CRA). In… Read more.

Apr 16, 2025 | OpenSSF

NEW FREE COURSE: Understanding the EU Cyber Resilience Act (CRA) (LFEL1001)

By Linux Foundation Education, see original blog.

Quickly Grasp the Key Requirements of the CRA with this Express Learning Video Course

OpenSSF and Linux Foundation Education have announced the launch of Understanding the EU Cyber Resilience Act (CRA) (LFEL1001), a new, free, Express Learning video course that covers: Key requirements of the EU’s Cyber… Read more.

Apr 14, 2025 | OpenSSF

Tech Talk Preview: Strengthening Open Source Through Security Standards and Global Policy

Open source is the backbone of today’s digital infrastructure—but with great power comes great responsibility. As cybersecurity threats grow in complexity and regulatory landscapes shift globally, open source projects are under increasing pressure to meet stringent security expectations. Read more.