
OpenSSF Guides

Guides produced by OpenSSF Working Groups to help make open source more secure.

Translation of guides into Japanese.

Correctly Using Regular Expressions for Secure Input Validation

Guide for correctly using regular expressions for secure input validation, countering some common errors and omissions.

Principles for Package Repository Security

A framework for package repositories to assess their current security capabilities and to help roadmap future improvements.

Compiler Options Hardening Guide for C and C++

A guide that aims to empower developers with the expertise and resources to build more secure C and C++ applications.

Guide to becoming a CVE Numbering Authority as an Open Source project

A guide for Open Source projects that are interested in issuing and managing their own CVE IDs through the CVE Numbering Authority (CNA) program.

Source Code Management Best Practices Guide

Guide for securing and implementing best practices for SCM platforms, including GitHub and GitLab.

Concise Guide for Developing More Secure Software

A concise guide for all software developers on secure software development, building, and distribution.

Concise Guide for Evaluating Open Source Software

As a software developer, before using open source software (OSS) dependencies or tools, identify candidates and evaluate the leading ones against your needs.

Guidance for Security Researchers to Coordinate Vulnerability Disclosures with Open Source Software Projects

Intended to help security researchers (aka “Finders”) engage with open source software (OSS) project maintainers to kick off and participate in the coordinated vulnerability response process.

npm Best Practices Guide

Aims to be an all-inclusive document explaining software supply-chain security best practices when using the npm package manager.

Guide to Implementing a Coordinated Vulnerability Disclosure Process for Open Source Projects

Intended to help open source project maintainers create and maintain a coordinated vulnerability response process.