ossf / wg-metrics-and-metadata

The purpose of the Metrics & Metadata (formerly Identifying Security Threats) working group is to enable stakeholders to have informed confidence in the security of open source projects. We do this by collecting, curating, and communicating relevant metrics and metadata from open source projects and the ecosystems of which they are a part.
https://openssf.org
Apache License 2.0
221 stars 42 forks source link

Metrics and Metadata in Open Source Projects

The purpose of this working group is to enable stakeholders to have informed confidence in the security of open source projects. We do this by collecting, curating, and communicating relevant metrics and metadata from open source projects and the ecosystems of which they are a part.

Motivation

Open source software is an essential part of modern software development, and of practically all technology solutions. Adoption of open source software has grown over the past two decades, powering everything from tiny "Internet of Things" devices to the most advanced supercomputers in the world. This has led to enormous productivity gains, allowing software engineers to focus more on solving business problems and less on creating and re-creating the same building blocks needed in many situations.

With these benefits, however, comes some risk. Attackers frequently target open source projects and the ecosystems they are a part of in order to compromise the organizations or users that use those projects. It's essential that we understand these threats and work to build defenses against them.

Objective

Our objective is to enable stakeholders to have informed confidence in the security of open source projects. This includes identifying threats to the open source ecosystem and recommending practical mitigations. We will also identify a set of key metrics and build tooling to communicate those metrics to stakeholders, enabling a better understanding of the security posture of individual open source software components.

Scope

The scope of this working group includes "security", as opposed to privacy, resiliency, or other related areas. We also consider the broad open source ecosystem, as opposed to focusing exclusively on critical open source projects.

Active Projects

Get Involved

Related Work

Quick Start

The best way to get started is to simply join a working group meeting. You can also read our Meeting Minutes to get up to speed with what we're up to.

Meeting Times

Meeting Notes

Meeting Minutes If attending please add your name, and if a returning attendee, please change the color of your name from gray to black.

Antitrust Policy Notice

Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.

Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.

Governance

The CHARTER document outlines the scope and governance of our group activities.

The workgroup leads are: