The purpose of this working group is to enable stakeholders to have informed confidence in the security of open source projects. We do this by collecting, curating, and communicating relevant metrics and metadata from open source projects and the ecosystems of which they are a part.
Open source software is an essential part of modern software development, and of practically all technology solutions. Adoption of open source software has grown over the past two decades, powering everything from tiny "Internet of Things" devices to the most advanced supercomputers in the world. This has led to enormous productivity gains, allowing software engineers to focus more on solving business problems and less on creating and re-creating the same building blocks needed in many situations.
With these benefits, however, comes some risk. Attackers frequently target open source projects and the ecosystems they are a part of in order to compromise the organizations or users that use those projects. It's essential that we understand these threats and work to build defenses against them.
Our objective is to enable stakeholders to have informed confidence in the security of open source projects. This includes identifying threats to the open source ecosystem and recommending practical mitigations. We will also identify a set of key metrics and build tooling to communicate those metrics to stakeholders, enabling a better understanding of the security posture of individual open source software components.
The scope of this working group includes "security", as opposed to privacy, resiliency, or other related areas. We also consider the broad open source ecosystem, as opposed to focusing exclusively on critical open source projects.
Security Insights - Provides a mechanism for projects to report information about their security practices in a machine-readable way.
Security Risk Dashboard - This project's purpose is to collect, organize, and provide interesting security metrics for open source projects to stakeholders, including users.
Security Reviews - This repository contains a collection of security reviews of open source software.
Threats, Risks, and Mitigations in the Open Source Ecosystem
OpenSSF Best Practices Badge Program (formerly named the CII Best Practices Badge Program) - an input to the metrics dashboard generated by the Security Metrics project.
OpenSSF Scorecard - another input to the metrics dashboard
CHAOSS - develops definitions of metrics
The best way to get started is to simply join a working group meeting. You can also read our Meeting Minutes to get up to speed with what we're up to.
Meeting Minutes: If attending, please add your name; if you are a returning attendee, please change the color of your name from gray to black.
Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.
Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.
The CHARTER document outlines the scope and governance of our group activities.
The workgroup leads are: