```
├── Governing Board Public Minutes
│   ├── 2022-08-04.md
│   ├── 2022-09-08.md
│   ├── 2022-10-06.md
│   ├── 2022-11-11.md
│   ├── 2022-12-01.md
│   ├── 2023-02-02.md
│   ├── 2023-03-02.md
│   ├── 2023-04-06.md
│   ├── 2023-05-04.md
│   ├── 2023-07-13.md
│   ├── 2023-08-17.md
│   ├── 2023-10-23.md
│   ├── 2023-12-12.md
│   └── 2024-2-15.md
├── LICENSE
├── OpenSSF Committee Resolutions.md
├── OpenSSF Content Policy.md
├── OpenSSF Member Participation Guide.md
├── OpenSSF Policies and Procedures.md
├── README.md
└── vulnerability-disclosure-policy.md
```

/Governing Board Public Minutes/2022-09-08.md:
--------------------------------------------------------------------------------

![OpenSSFLogo](https://user-images.githubusercontent.com/51727488/232104184-d3c38a36-cf1e-487f-aba2-c2d548e3f7ef.png)

**The Open Source Security Foundation**

MINUTES OF GOVERNING BOARD (FOR PUBLIC RELEASE)

08 Sept. 2022

A regular meeting of the Governing Board of the Open Source Security Foundation was held on 08 Sept 2022 at 8:00 am Pacific Time via teleconference.

**Governing Board Members Attendance:**

1. Adrian Ludwig (Atlassian)
2. Mark Ryland (Amazon)
3. Jonathan Meadows (Citi)
4. Scott Roberts (Coinbase)
5. John Roese (Dell)
6. Mike Hanley (GitHub)
7. Eric Brewer (Google)
8. Bob Callaway (Google) (as TAC Chair Representative)
9. Kai Chen (Huawei)
10. Jamie Thomas (IBM) (Board Chair)
11. Arun Gupta (Intel)
12. Stephen Chin (JFrog)
13. Rao Lakkakula (JP Morgan)
14. Mark Russinovich (Microsoft)
15. Neil Allen (Morgan Stanley)
16. Jennifer Fernick (NCC) (as a General Member Representative)
17. Andrew van der Stock (OWASP) (as Associate Member Representative)
18. Gareth Rushgrove (Snyk)
19. Brian Fox (Sonatype)
20. Ian Coldwater (Twilio) (as Security Community Individual Representative)
21. Kit Colbert (VMware)
22. Subha Tatavarti (Wipro)

**Observers:**

1. Robbie Gallagher (Atlassian)
2. Debashis Das (AWS)
3. Julia Ferraioli (Cisco)
4. Mike Brown (Coinbase)
5. Sarah Evans (Dell)
6. Per Beming (Ericsson)
7. Topo Pal (Fidelity)
8. Anne Bertucio (Google)
9. Jeff Borek (IBM)
10. Chris Rohlf (Meta)
11. Sarah Novotny (Microsoft)
12. Vincent Danen (Red Hat)
13. Miki Komraz (Snyk)
14. Andrew Yorra (Sonatype)
15. Andrew Aitken (Wipro)

**OpenSSF and Linux Foundation Staff**

1. Brian Behlendorf (General Manager)
2. Jory Burson (Program Director)
3. David A. Wheeler (Director of Open Source Supply Chain Security)
4. Khahil White (Program Manager)
5. Jennifer Bly (Sr. Marketing Manager)
6. Mike Dolan (SVP, GM of Projects)

**Call to Order**

Brian Behlendorf (BB) called the meeting to order at 8:02 am Pacific Time, and Jory Burson (JB) recorded the minutes. A quorum of Governing Board Members was established for the conduct of business, and the meeting, having been duly convened, was ready to proceed with business.

**Agenda**

BB introduced the agenda for the meeting. There were no additional topics added.

**Antitrust Policy Notice**

BB reminded the Governing Board of the Linux Foundation [antitrust policy](http://www.linuxfoundation.org/antitrust-policy) notice to which all meetings must adhere.

**Introductions**

BB introduced new Governing Board Members from current member companies: Scott Roberts from Coinbase, Stephen Augustus from Cisco, Arun Gupta from Intel, and Gareth Rushgrove from Snyk.

**Approval of Governing Board Minutes**

Upon motion made by Dir. Thomas, seconded by Dir. Brewer and approved by all Representatives in attendance, the following resolutions were adopted:

* RESOLVED: That the private minutes of the August 4, 2022 meeting of the Board of Directors, in the form attached hereto as Exhibit A, are hereby confirmed, approved and adopted.
* RESOLVED: That the public minutes of the August 4, 2022 meeting of the Board of Directors, in the form attached hereto as Exhibit B, are hereby confirmed, approved and adopted.

**Process for approving and publishing public minutes**

BB introduced a revised process for approval and publication of public minutes. The board agreed that an expedited process for sharing public minutes would be beneficial, but that a strict deadline was not necessary. After a brief discussion, it was agreed by consensus that the public minutes should be distributed to the public TAC mailing list, and that staff should endeavor to provide a copy of the minutes as soon as possible for the board to review and approve for public release.

**2022 Linux Foundation Member Summit and in-person OpenSSF Governing Board Meeting**

BB reminded all Governing Board members, their designated observers, and the TAC representatives to register for the LF Member Summit and the in-person OpenSSF Governing Board meeting to be held in Tahoe the week of Nov. 8. BB requested that members inform staff of their plans to participate in person or via teleconference.

**2022-23 Budget Refresh**

BB presented information about the OpenSSF’s financial position as of July 31st, and proposed an update to the spending allocations in several categories.

Upon motion made by Dir. Allen, seconded by Dir. van der Stock and approved by all Representatives in attendance, the following resolution was adopted:

* RESOLVED: That the proposed 2022 OpenSSF budget reforecast as presented in OpenSSF Governing Board (GB) 2022-09-08.pdf is hereby approved.

**Technical Advisory Council Governance update “PR112”**

Representative Callaway provided an update on pull request #112, which sought to clarify processes, roles, responsibilities and relationships within the TAC and its working groups.

**Report from the Governance Subcommittee**

Observer Bertucio presented a readout of the Governance Subcommittee’s recent meetings.

Multiple Governing Board participants noted that, as communication across the organization appeared to be the underlying issue, it would be helpful to invite TAC members to regularly join conversations with the Governing Board. Upon motion made by Dir. Callaway, seconded by Dir. Fox and Dir. Coldwater and approved by all Representatives in attendance, the following resolution was adopted:

* RESOLVED: That OpenSSF TAC Representatives be invited to attend non-executive sessions of Governing Board meetings.

ACTION: Staff to invite TAC Representatives to Governing Board meetings and communicate parameters of participation.

**Mobilization Plan Implementation**

BB then updated the Governing Board regarding progress made to date on Mobilization Plan work items. Discussion ensued. Further discussion about how to structure and operationalize Mobilization Plan work was tabled for future meetings.

**Brief Updates**

BB shared brief updates with the board regarding membership renewals, upcoming events, and upcoming content in the blog and other announcements.
**Adjournment**

BB called the meeting to a close and the meeting of the Governing Board adjourned at 9:29 AM Pacific Time.

--------------------------------------------------------------------------------
/Governing Board Public Minutes/2022-10-06.md:
--------------------------------------------------------------------------------

![OpenSSFLogo](https://user-images.githubusercontent.com/51727488/232104184-d3c38a36-cf1e-487f-aba2-c2d548e3f7ef.png)

**The Open Source Security Foundation**

MINUTES OF GOVERNING BOARD (FOR PUBLIC RELEASE)

06 October 2022

A regular meeting of the Governing Board of the Open Source Security Foundation was held on 06 Oct 2022 at 8:00 am Pacific Time via teleconference.

**Governing Board Members In Attendance**

| Company | Governing Board Director |
|---|---|
| Cisco | Stephen Augustus |
| Citi | Jonathan Meadows |
| Coinbase | Scott Roberts |
| Dell Technologies | John Roese |
| DeployHub* | Tracy Ragan |
| GitHub | Mike Hanley |
| Google | Eric Brewer |
| Google* | Bob Callaway |
| Huawei | Kai Chen |
| IBM Corporation | Jamie Thomas (Chair) |
| Intel Corporation | Arun Gupta |
| JFrog | Stephen Chin |
| JP Morgan Chase | Rao Lakkakula |
| Microsoft | Mark Russinovich |
| Morgan Stanley | Neil Allen |
| NCC Group* | Jennifer Fernick |
| Oracle | John Heimann |
| OWASP* | Andrew van der Stock |
| Sonatype | Brian Fox |
| VMware | Kit Colbert |
**Observers, Invited Guests, and Staff Attendance**

| Company | Observer |
|---|---|
| AWS | Debashis Das |
| Dell Technologies | Sarah Evans |
| Ericsson | Per Beming |
| Fidelity | Topo Pal |
| Google | Anne Bertucio |
| IBM Corporation | Jeff Borek |
| Meta | Chris Rohlf |
| Microsoft | Sarah Novotny |
| Sonatype | Andrew Yorra |
| VMware | Tim Pepper |
| Wipro | Andrew Aitken |
**TAC Representatives and Invited Guests**

| Role | Name |
|---|---|
| TAC Representative | Aeva Black |
| TAC Representative | Christopher ‘CRob’ Robinson |
| TAC Representative | Luke Hinds |
| TAC Representative | Josh Bressers |
**OpenSSF and Linux Foundation Staff**

| Title | Name |
|---|---|
| General Manager | Brian Behlendorf |
| Director of Open Source Supply Chain Security | David A. Wheeler |
| Program Director | Jory Burson |
| Sr. Marketing Manager | Jennifer Bly |
| SVP, GM of Projects | Mike Dolan |
| Executive Director | Jim Zemlin |
| Strategic Advisor | Sam Ramji |
**Call to Order**

Brian Behlendorf (BB) called the meeting to order at 8:02 am Pacific Time, and Jory Burson (JB) recorded the minutes. A quorum of Governing Board Members was established for the conduct of business, and the meeting, having been duly convened, was ready to proceed with business.

**Agenda**

BB introduced the agenda for the meeting. There were no additional topics added.

**Antitrust Policy Notice**

BB reminded the Governing Board of the Linux Foundation [antitrust policy](http://www.linuxfoundation.org/antitrust-policy) notice to which all meetings must adhere.

**Introductions**

BB welcomed the TAC Representatives who have been invited to join the non-executive sessions of OpenSSF Governing Board meetings. BB also introduced Sam Ramji, who has been contracted to assist OpenSSF staff with strategic planning and coordination activities to prepare for 2023.

**Meeting Rules Update**

Chairperson Thomas shared changes to the operation of Governing Board meetings intended to improve participation and efficiency. Moving forward: agenda items will be timeboxed; Governing Board members will be given the first opportunity to speak on issues, followed by Invited Guests and then Observers, time permitting; and the Zoom chat will be disabled so that key points are not lost outside the meeting record.

**2022 Timeline and Milestones**

BB shared a timeline and workback plan for achieving the remaining milestones OpenSSF needs to accomplish in 2022. BB further noted that agenda development and preparation of other documents for the Nov. 11 strategy meeting are a primary focus, to ensure Board members are aligned on the open questions and able to fully participate in discussions.

ACTION: OpenSSF Staff will include information about financial investments and results for the Board in the November meeting.

**Governing Board and TAC Q&A**

Representative Callaway presented an update from the TAC, noting recent progress, highlights, and areas for improvement. He noted that organic activity and output from the working groups, projects, and SIGs remains high and of high quality. He cited recent publications from working groups that are providing good guidance for general and ecosystem-specific work, as well as projects such as Scorecard, which has been on a regular release cadence and has been picking up a lot of new adoption. He further highlighted some of the impactful work going on in new and existing working groups. Representative Callaway described the areas for improvement as issues of scope and identity: who we (the TAC) are and what our direction should be, and understanding the TAC’s role in conversations as well as in the Mobilization Plan. Representative Callaway then shared some ideas the TAC has been considering in order to improve communication and the efficiency of operations.

**Governance Subcommittee Updates**

Observer Bertucio gave a brief update on the progress of the governance subcommittee’s work. She shared some of the recommendations for the composition of the committee and noted that the next steps are to provide a proposal and resolution for the Governing Board to consider via email. She also noted that the group has been working on suggestions for the Nov. 11 meeting discussions.

**Getting to Consensus on the Mobilization Plan**

BB introduced the next topic, getting to consensus on the Mobilization Plan, noting that the goal was to outline the process through which the group can reach agreement. BB asked what information or variables would be most useful to help the group consider and reach consensus to proceed with Mobilization Plan activities, funding and resourcing. BB also suggested that the Governing Board task the Governance Subcommittee with developing a proposal.

BB also gave a quick update on the status of the different Mobilization Plan work areas, noting that 4 SIGs have been formed and are actively delivering work. It was further noted that some of the workstreams were more aspirational than others, and that the seeming lack of progress on those workstreams is more reflective of their readiness to come forward with funding proposals.

ACTION: OpenSSF Staff will provide a short slide with future meeting materials outlining status updates on Mobilization Plan activities.

ACTION: Governance Subcommittee will develop a proposal for building consensus and oversight of Mobilization Plan activities.

**EXECUTIVE SESSION**

BB called the open session of the OpenSSF Governing Board meeting to a close. TAC Representatives and invited guests were excused.

**Approval of Governing Board Minutes**

BB presented the minutes of the September 8, 2022 meeting.

BB called on the Directors to approve the private minutes of the 8 September 2022 meeting of the Governing Board, in the form attached hereto as Exhibit A. Upon motion made by Dir. Gupta, seconded by Dir. Ragan and approved by all Representatives in attendance, the following resolution was adopted:

* RESOLVED: That the private minutes of the Sept. 8, 2022 meeting of the Board of Directors, in the form attached hereto as Exhibit A, are hereby confirmed, approved and adopted.

**Special Topic: Government Relations**

BB invited Observer Borek to present on Government Relations and the recent activities of the OpenSSF Public Policy committee.

ACTION: Governing Board members are asked to read the group’s [recent blog](https://openssf.org/blog/2022/09/27/the-united-states-securing-open-source-software-act-what-you-need-to-know/) on understanding the new Securing Open Source Software Act and to send representatives from their organizations to the Public Policy committee.

**Staffing: Current Headcount and Open Positions**

BB shared a table overview of current and future staffing. BB noted several roles for which job descriptions are in development. BB noted that the high priority hires for 2023 focus on program and project management, which will help grow support for the working groups and the Mobilization Plan workstreams.

ACTION: Board members are asked to share their thoughts and input for the continued budgeting and resourcing discussion in November.

**Governance Changes and Input into Nov. 11 Meeting**

Sam Ramji (SR) shared a plan to meet with each Governing Board member and bring the different voices and perspectives of the Board into one set of documents, in order to prepare for the November 11 strategy meeting and 2023 planning. SR noted that the goal is to align the large board and TAC members on a set of operational documents for OpenSSF.

**Adjournment**

BB called the meeting to a close and the meeting of the Governing Board adjourned at 9:26 AM Pacific Time.
--------------------------------------------------------------------------------
/Governing Board Public Minutes/2022-11-11.md:
--------------------------------------------------------------------------------

![OpenSSFLogo](https://user-images.githubusercontent.com/51727488/232104184-d3c38a36-cf1e-487f-aba2-c2d548e3f7ef.png)

**The Open Source Security Foundation**

MINUTES OF GOVERNING BOARD (FOR PUBLIC RELEASE)

11 November 2022

A regular meeting of the Governing Board of the Open Source Security Foundation was held on 11 Nov. 2022 at 9:00 am Pacific Time at the Resort at Squaw Creek, Olympic Valley, CA and via teleconference.

**Governing Board Members In Attendance**

| Company | Governing Board Director | Present |
|---|---|---|
| Atlassian | Adrian Ludwig | in person |
| Coinbase | Scott Roberts | in person |
| Dell Technologies | John Roese | in person |
| DeployHub* | Tracy Ragan | in person |
| Ericsson | Per Beming | in person |
| GitHub | Mike Hanley | via teleconference |
| Google | Eric Brewer | in person |
| Google* | Bob Callaway | in person |
| Huawei | Jinguo Cui | via teleconference |
| IBM Corporation | Jamie Thomas (Chair) | in person |
| Intel Corporation | Arun Gupta | in person |
| JP Morgan Chase | Rao Lakkakula | in person |
| Microsoft | Mark Russinovich | in person |
| Morgan Stanley | Declan O’Donovan | in person |
| NCC Group* | Jennifer Fernick | via teleconference |
| Oracle | John Heimann | via teleconference |
| OWASP* | Andrew van der Stock | via teleconference |
| Security Community Rep. | Ian Coldwater | via teleconference |
| Sonatype | Brian Fox | in person |
| Wipro | Subha Tatavarti | via teleconference |
**Observers, Invited Guests, and Staff Attendance**

| Company | Observer |
|---|---|
| AWS | Debashis Das |
| Dell Technologies | Sarah Evans |
| Ericsson | Phil Robb |
| Google | Anne Bertucio |
| IBM Corporation | Jeff Borek |
| Microsoft | Sarah Novotny |
| Red Hat | Vincent Danen |
| VMware | Tim Pepper |
| Wipro | Andrew Aitken |
**TAC Representatives and Invited Guests**

| Role | Name | Present |
|---|---|---|
| TAC Representative | Aeva Black | in person |
| TAC Representative | Christopher ‘CRob’ Robinson | via teleconference |
| TAC Representative | Luke Hinds | via teleconference |
| TAC Representative | Dan Lorenc | via teleconference |
| TAC Representative | Abhishek Arya | in person |
| TAC Representative | Josh Bressers | via teleconference |
| Invited Guest | Emily Fox | via teleconference |
| Invited Guest | Kelly Ann | via teleconference |
**OpenSSF and Linux Foundation Staff**

| Title | Name |
|---|---|
| General Manager | Brian Behlendorf |
| Director of Open Source Supply Chain Security | David A. Wheeler |
| Program Director | Jory Burson |
| Sr. Marketing Manager | Jennifer Bly |
| SVP, GM of Projects | Mike Dolan |
| Executive Director | Jim Zemlin |
| Strategic Advisor | Sam Ramji |
| Strategic Advisor | Jerry Michalski |
| Program Manager | Khahil White (via teleconference) |
| VP, Dependable Embedded Systems | Kate Stewart |
| CTO, Linux Foundation | Nirav Patel |
**Call to Order**

Brian Behlendorf (BB) called the meeting to order at 9:02 am Pacific Time, and Jory Burson (JB) recorded the minutes. A quorum of Governing Board Members was established for the conduct of business, and the meeting, having been duly convened, was ready to proceed with business.

**Agenda and Welcome**

BB introduced the objectives and agenda for the meeting, and reminded participants of the pre-reads that were shared prior to the meeting. There were no additional topics added.

**Antitrust Policy Notice**

BB reminded the Governing Board of the Linux Foundation [antitrust policy](http://www.linuxfoundation.org/antitrust-policy) notice to which all meetings must adhere.

**Welcome and Highlights of the past year**

BB presented highlights from the past year of OpenSSF operations. BB drew attention to several OpenSSF projects and Working Groups that made significant impact and improvements over the course of the past year, including Sigstore’s General Availability release, increased publication of security education and content, new features and maintenance improvements to Scorecard and SLSA, new specification development efforts, the publication of the State of OSS Security Report, and the Open Source Software Security Mobilization Plan. BB also gave an overview of the community grants made through Project Alpha-Omega as well as the OpenSSF events that were hosted in 2022.

BB then invited Jim Zemlin (JZ) to welcome the group and comment on OpenSSF’s successes as well as his enthusiasm for the future. JZ shared that the LF would be investing in additional staff to advance the SBOM work and investing additional funds into census research. JZ cited insights from the State of OSS Security Report that could inform the OpenSSF’s priorities in 2023.

**Scene Setting**

BB then introduced Sam Ramji (SR) to provide context and framing for the remainder of the meeting agenda. SR described his role, as well as the methods used to assist the group in developing a shared strategy. SR reviewed the synthesized output from the stakeholder interviews, noting that the discussions produced four distinct visions for OpenSSF. These visions were summarized in a pre-read document emailed to the Board prior to the meeting.

SR then invited Mark Russinovich (MRu), Tracy Ragan (TR), Eric Brewer (EB) and Jamie Thomas (JT) to describe and make a reasoned case for each of the four foundations. JT spoke to the importance of an education-focused foundation, describing a “10 Million Developer Uplift” with training, education and resources. EB spoke to the role of the foundation in producing a “Sterling Toolchain” and noted that it dovetailed nicely with education. TR spoke to the role of the Foundation as a “Funder of First Resort,” noting that money is an energy we can deploy to the benefit of open source security. MRu spoke to the need for a Rapid Threat Response Center, and the potential for the foundation to grow a response team for the open source community the way large companies provide rapid response for themselves and their customers.

SR then invited an open discussion on these four positions amongst the meeting attendees. Several participants provided comments on the “four foundations” framing. Participants noted that many issues are experienced most acutely by the end user, who may not be aware that package updates are available, for example. Participants also noted a strong connection between the “Uplift” and “Sterling Toolchain” ideas. Making end users aware of the issues, holding organizations accountable for security, and using the Linux Foundation developer community as a starting point for “Uplift” were also identified as potential opportunities.

SR asked the meeting participants to consider, during the break, which of the visions were most important and compelling. The group then took a 20 minute recess at 10:04 a.m.

**Envisioning Session: Strategic Vision for 2023**

BB resumed the meeting at 10:23 a.m. and SR introduced a small-group exercise to facilitate discussion. SR asked participants to help determine which of the four foundations, or which combination of them, would be most appealing to them, by distributing 100 percentage points across the options. The participants were then dismissed into 8 breakout groups for a 20 minute small group discussion.

Jerry Michalski (JM) recalled participants to report on the small group activity. Each of the groups provided a representative to report the outcomes of the exercise. JM then facilitated a discussion of the group findings to determine common themes and preferred directions.

**ACTION:** BB will synthesize notes from the discussion and provide a readout report for the group.

The meeting went into a one hour recess for lunch at 12:02 p.m.

BB called the meeting to order following the lunch break at 1:02 p.m. BB summarized some of the takeaways from the morning sessions from his perspective as OpenSSF’s General Manager. BB then invited Anne Bertucio (AB) to discuss OpenSSF’s structure, emphasizing the value of prioritization and encouraging the Governing Board to focus on a few high priority items. BB suggested that certain projects or efforts that were not deemed to be of highest priority could be spun out into separate efforts. Governing Board members in attendance generally agreed that they would prefer not to attempt to drive forward on all four foundations at once, and that the group’s focus should be clear and crisp. Discussion ensued on the extent to which the OpenSSF should be tightly focused vs. opportunistic (taking advantage of an unforeseen event or issue) on items that were not of highest priority. The group noted that the strategy it pursues will influence the shape and hiring strategy of the organization.

Several board members offered suggestions related to operational efficiency, noting that with the large membership and leadership base, OpenSSF resources could be more effectively marshaled by developing and empowering committees, which could alleviate pressure on the TAC and Board. Participants also agreed that the TAC should be further empowered and supported to develop OpenSSF’s technical opinions and position on tools, best practices, and technical direction. TAC chairperson Bob Callaway (BC) asked if the group would agree that the TAC appears to be executing mostly on activities that fit the “Sterling Toolchain” and “Uplift” foundations, and participants agreed by consensus that this is the case. Meeting participants from the TAC noted that, while many people attend OpenSSF working group meetings, it has been challenging to activate those attendees to work on deliverables. TAC representatives requested more staff support for organizing the working groups and their deliverables, as well as for developing the toolchain and technical vision.

**Technical Vision, TAC Role, and Staffing**

BB then asked BC to lead a discussion of the questions posed by the Technical Vision, TAC Role, and Staffing pre-read sent to Governing Board members prior to the meeting. BC shared a graphic indicating a spectrum on which the TAC might operate, from an advisory role to an active, hands-on, product-oriented role. Discussion ensued regarding the staffing requirements to support a more active and technically opinionated TAC, and what the organization would need to look like in order to support an authoritative technical body. JM then led the full group in a discussion of what would be “in scope” or “out of scope” for the TAC given the directive to develop technical leadership and tooling. It was further clarified that the purpose of identifying “out of scope” items was to determine what was not a responsibility of the TAC, though those items may be owned by other roles or functions in the organization.

JM thanked everyone for the discussion and the group took a refreshment break at 2:27 p.m.

BB called the meeting to order at 2:36 p.m. BB asked the group if there was general consensus among participants to approve the TAC’s request for additional staff resources, in particular filling a CTO role. Hearing no objections, BB directed staff to develop job descriptions for the key roles. Board members also requested a hiring committee to review the job descriptions and assist with sourcing.

**ACTION:** Develop and share job descriptions for the CTO and technical program manager roles.

**ACTION:** Create scope and resolution to charter a board-level hiring committee.

**Envisioning Session: What Does Success Look Like in 2023?**

SR asked meeting participants to return to their breakout groups for further small group discussion. SR asked the groups to do a visioning exercise and tell the story “What was successful in 2023?”, based on what success would look like if the organization operated to its purpose successfully next year. The participants were dismissed for 15 minutes of small group discussion.

JM recalled participants for large-group discussion at 3:08 p.m., asking each group to provide their “success headlines.” Each group presented for approximately 3 minutes on what was discussed in their small group.

JM then facilitated a short discussion about the aspirational nature of the work, noting that the headlines provided by the groups were not in conflict with each other or with the four foundation identities discussed earlier in the meeting.

BB noted that the outcomes of the day will be consolidated into operational documents and a 2023 budget proposal. BB thanked everyone for their participation in the discussions.

**ACTION:** BB will share a budget ahead of the Dec. 2 meeting.

BB asked for closing comments. Several participants noted their appreciation for the challenging but productive sessions, and thanked the staff and facilitators. Other Governing Board members suggested that meeting twice a year in person would be preferable, to which there was general approval.

BB and Sarah Novotny (SN) concisely summarized the day’s key conclusions, noting that the Board has agreed 1) that the TAC should be technically opinionated and should further develop its vision and requirements for a “Sterling Toolchain”; 2) that of the four foundations, “Sterling Toolchain” should take the primary focus, with a secondary focus on “Uplift”; 3) that “Rapid Response” and “Funding” should be enabled in a more opportunistic manner; 4) that the staff should proceed with role development for a CTO and program management hires; and 5) that the Board should hold in-person meetings twice a year.

**Adjournment**

BB called the meeting to a close and the meeting of the Governing Board adjourned at 3:40 PM Pacific Time.
--------------------------------------------------------------------------------
/Governing Board Public Minutes/2022-12-01.md:
--------------------------------------------------------------------------------

![OpenSSFLogo](https://user-images.githubusercontent.com/51727488/232104184-d3c38a36-cf1e-487f-aba2-c2d548e3f7ef.png)

**The Open Source Security Foundation**

MINUTES OF GOVERNING BOARD (FOR PUBLIC RELEASE)

1 December 2022

A regular meeting of the Governing Board of the Open Source Security Foundation was held on 1 Dec. 2022 at 8:00 am Pacific Time via teleconference.

**Governing Board Members In Attendance**

| Company | Governing Board Director | Present |
| --- | --- | --- |
| Atlassian | Adrian Ludwig | |
| Citibank | Jon Meadows | |
| Coinbase | Scott Roberts | |
| Dell Technologies | John Roese | |
| DeployHub* | Tracy Ragan | |
| Ericsson | Per Beming | |
| GitHub | Mike Hanley | |
| Google | Eric Brewer | |
| IBM Corporation | Jamie Thomas (Chair) | |
| Intel Corporation | Arun Gupta | |
| JP Morgan Chase | Rao Lakkakula | |
| Microsoft | Mark Russinovich | |
| Morgan Stanley | Declan O’Donovan | |
| NCC Group* | Jennifer Fernick | |
| Oracle | John Heimann | |
| Security Community Rep. | Ian Coldwater | |
| Sonatype | Brian Fox | |
| Wipro | Subha Tatavarti | |
| Snyk | Gareth Rushgrove | |
| VMWare | Kit Colbert | |

**Observers, Invited Guests, and Staff Attendance**

| Company | Observer |
| --- | --- |
| Apple | Emily Fox |
| AWS | Debashis Das |
| Dell Technologies | Sarah Evans |
| Google | Anne Bertucio |
| IBM Corporation | Jeff Borek |
| Microsoft | Sarah Novotny |
| Red Hat | Vincent Danen |
| Snyk | Miki Komraz |
| VMWare via teleconference | Tim Pepper |
| Wipro | Andrew Aitken |

| TAC Representatives and Invited Guests | |
| --- | --- |
| TAC Representative | Aeva Black |
| TAC Representative | Christopher ‘CRob’ Robinson |
| TAC Representative | Dan Lorenc |
| TAC Representative | Abhishek Arya |
| TAC Representative | Josh Bressers |

| OpenSSF and Linux Foundation Staff | |
| --- | --- |
| General Manager | Brian Behlendorf |
| VP of Open Source Supply Chain Security | David A. Wheeler |
| Program Director | Jory Burson |
| Sr. Marketing Manager | Jennifer Bly |
| SVP, GM of Projects | Mike Dolan |
| Executive Director | Jim Zemlin |
| Strategic Advisor | Sam Ramji |
| Program Manager | Khahil White |

**Call to Order**

Brian Behlendorf (BB) called the meeting to order at 8:01 am Pacific Time, and Jory Burson (JB) recorded the minutes. A quorum of Governing Board Members was established for the conduct of business, and the meeting, having been duly convened, was ready to proceed with business.

**Agenda and Welcome**

BB introduced the objectives and agenda for the meeting, and reminded participants of the pre-reads that were shared with them prior to the meeting. There were no additional topics added.

**Antitrust Policy Notice**

BB reminded the Governing Board of the Linux Foundation [antitrust policy](http://www.linuxfoundation.org/antitrust-policy) notice to which all meetings must adhere.

**Approval of Minutes**

BB called on the Directors to approve the minutes of the 6 October 2022 and 11 November 2022 meetings of the Governing Board, in the forms attached hereto as Exhibit A and Exhibit B. Upon motion made by Dir. Thomas, seconded by Dir. Lakkakula and approved by all Representatives in attendance, the following resolutions were:

* **RESOLVED:** That the minutes of the October 6, 2022 meeting of the Board of Directors, in the form attached hereto as Exhibit A, are hereby confirmed, approved and adopted.

* **RESOLVED:** That the minutes of the November 11, 2022 meeting of the Board of Directors, in the form attached hereto as Exhibit B, are hereby confirmed, approved and adopted.

**Call for nominations for Governing Board Chair**

BB opened the call for nominations from among Governing Board members to serve as the organization’s chairperson for the 2023 calendar year. BB requested that nominations be sent to [operations@openssf.org](mailto:operations@openssf.org).

**Chair’s Remarks on the Nov. 11 Meeting**

Dir. Thomas provided brief observations about the effectiveness of the November 11 meeting in culminating in a focus area for 2023. Dir. Thomas noted that the dialogue was deep, productive, and very important for the organization’s goals and objectives next year. Dir. Thomas reiterated her thanks to fellow board members, and shared enthusiasm for planning additional in-person board meetings in 2023 in order to build on the momentum established in November.

**2023 Strategic Plan - What We Learned in November**

BB introduced the OpenSSF Strategic Design document, attached to the meeting materials as Exhibit D, which is an executive summary of the outcomes of the strategic discussions held on Nov. 11. In summarizing the document, BB concluded that the bulk of the OpenSSF’s resources and staff in 2023 should focus on the “Sterling Toolchain” direction. Remaining budget and resources would be used for education and other opportunities that might arise in efforts parallel to the toolchain. Finally, BB commented that the hiring plan should be built to support this strategy.

Discussion among board members ensued about the general percentage of budget and resources available to allocate to the Sterling Toolchain. Board members sought clarification on how non-toolchain-related efforts would be supported, and on the Mobilization Plan’s function. BB commented that the Mobilization Plan should be used as a tool to communicate how our goals and activities are driving impact against industry-identified needs.

BB posed additional questions for discussion. Several Governing Board members commented on the need to better utilize subcommittees to improve the organization’s bandwidth. Board members generally agreed that the existing subcommittees, including public policy and budget, should be empowered to collaborate on and recommend proposals to the board in order to better delegate work. Further, board members generally agreed that the committees should focus on the needs of the toolchain, and on how the TAC can be well supported by staff and governing board committees in order to work more effectively on the toolchain. It was generally agreed that the TAC will need stronger support from Program Managers, Technical Program Managers, a CTO or Architect, and other staff in order to drive outcomes for the toolchain.

Additional discussion noted the need to develop the toolchain solutions with strong participation from the community and member organizations, to ensure that developers and new contributors are not alienated by an approach that appears “top-down.” Additional commentary noted that it is easier at the moment for organizations to provide non-financial resources, and that defined parameters, constraints, and community feedback and input processes will be important to ensure the consistency and cohesiveness of the whole.

**2023 Budget Discussion**

BB introduced the pro forma budget proposal, included with the meeting materials as Exhibit C. BB presented the proposal, noting that the budget for events and marketing includes continuing the third-party events approach rather than doing a standalone event. BB went through each item, noting that if approved, this budget would be applied to OKRs based on the toolchain. BB then went through the proposed staffing hires, including their approximate salary ranges, which make up the bulk of the proposed budget spend. BB clarified that the roles requested by the TAC were identified in the materials for the Nov. 11 meeting.

Discussion ensued regarding the amount of deficit spending in the proposed budget. The Board generally agreed that deficit spending for 2023 would be acceptable given the amount of surplus funds carried forward; however, there was some discussion about how aggressively to spend into the deficit. Board members requested that staff better utilize the budget subcommittee to develop spending proposals.

BB asked for a motion to approve the pro forma budget proposal, which was made by Dir. Thomas and seconded by Dir. Gupta. Dir. Colbert opposed the motion. Dirs. Roese, Beming, and Heimann abstained. BB determined that sufficient consensus had not been reached to pass the motion.

ACTION: Staff to schedule a budget subcommittee meeting in early Q1.

BB then proposed that the Governing Board establish a committee to assist with and address staffing needs. The Recruitment Committee would collaborate on role descriptions, assess appropriate compensation ranges, and help recruit diverse, qualified applicants for the roles. The Recruitment Committee would not make hiring decisions or offers, participate in employment discussions after hire, or be required to participate in interview loops. Upon motion made by Dir. Brewer, seconded by Dir. Roese and approved by all Representatives in attendance, the following resolution was:

* **RESOLVED:** That the Governing Board of the OpenSSF shall establish a temporary Recruitment Committee for the purposes of assisting staff with the development of, and recruiting for, open 2023 job requisitions at the OpenSSF.

**2023 Governance Restructuring**

BB shared governance-related discussion questions that arose from the Nov. 11 meeting. BB noted suggestions that had been made so far, including accomplishing more through the subcommittees, meeting more frequently in person, meeting quarterly rather than monthly, and evaluating the organizational design needs of an “umbrella” foundation with a toolchain focus. After a brief discussion, BB suggested the questions be sent to the Governance Committee to review and provide proposals.

ACTION: Governance Subcommittee to provide analysis and proposals for the governance-related observations from Nov. 11.

**January Governing Board Meeting**

BB addressed the timing of the January 7 governing board meeting, noting that limited progress would likely be made between the December and January meetings. After a brief discussion it was agreed to cancel the Jan 7 meeting of the OpenSSF Governing Board.

**Adjournment**

BB called the meeting to a close and the meeting of the Governing Board adjourned at 9:31 AM Pacific Time.

--------------------------------------------------------------------------------
/Governing Board Public Minutes/2023-02-02.md:
--------------------------------------------------------------------------------

![OpenSSFLogo](https://user-images.githubusercontent.com/51727488/232104184-d3c38a36-cf1e-487f-aba2-c2d548e3f7ef.png)

**The Open Source Security Foundation**

MINUTES OF GOVERNING BOARD (FOR PUBLIC RELEASE)

1 December 2022

A regular meeting of the Governing Board of the Open Source Security Foundation was held on 1 Dec. 2022 at 8:00 am Pacific Time via teleconference.

**Governing Board Members In Attendance**
| Company | Governing Board Director | Present |
| --- | --- | --- |
| Atlassian | Adrian Ludwig | |
| Citibank | Jon Meadows | |
| Coinbase | Scott Roberts | |
| Dell Technologies | John Roese | |
| DeployHub* | Tracy Ragan | |
| Ericsson | Per Beming | |
| GitHub | Mike Hanley | |
| Google | Eric Brewer | |
| IBM Corporation | Jamie Thomas (Chair) | |
| Intel Corporation | Arun Gupta | |
| JP Morgan Chase | Rao Lakkakula | |
| Microsoft | Mark Russinovich | |
| Morgan Stanley | Declan O’Donovan | |
| NCC Group* | Jennifer Fernick | |
| Oracle | John Heimann | |
| Security Community Rep. | Ian Coldwater | |
| Sonatype | Brian Fox | |
| Wipro | Subha Tatavarti | |
| Snyk | Gareth Rushgrove | |
| VMWare | Kit Colbert | |

**Observers, Invited Guests, and Staff Attendance**

| Company | Observer |
| --- | --- |
| Apple | Emily Fox |
| AWS | Debashis Das |
| Dell Technologies | Sarah Evans |
| Google | Anne Bertucio |
| IBM Corporation | Jeff Borek |
| Microsoft | Sarah Novotny |
| Red Hat | Vincent Danen |
| Snyk | Miki Komraz |
| VMWare via teleconference | Tim Pepper |
| Wipro | Andrew Aitken |

| TAC Representatives and Invited Guests | |
| --- | --- |
| TAC Representative | Aeva Black |
| TAC Representative | Christopher ‘CRob’ Robinson |
| TAC Representative | Dan Lorenc |
| TAC Representative | Abhishek Arya |
| TAC Representative | Josh Bressers |

| OpenSSF and Linux Foundation Staff | |
| --- | --- |
| General Manager | Brian Behlendorf |
| VP of Open Source Supply Chain Security | David A. Wheeler |
| Program Director | Jory Burson |
| Sr. Marketing Manager | Jennifer Bly |
| SVP, GM of Projects | Mike Dolan |
| Executive Director | Jim Zemlin |
| Strategic Advisor | Sam Ramji |
| Program Manager | Khahil White |

**Call to Order**

Brian Behlendorf (BB) called the meeting to order at 8:01 am Pacific Time, and Jory Burson (JB) recorded the minutes. A quorum of Governing Board Members was established for the conduct of business, and the meeting, having been duly convened, was ready to proceed with business.

**Agenda and Welcome**

BB introduced the objectives and agenda for the meeting, and reminded participants of the pre-reads that were shared with them prior to the meeting. There were no additional topics added.

**Antitrust Policy Notice**

BB reminded the Governing Board of the Linux Foundation [antitrust policy](http://www.linuxfoundation.org/antitrust-policy) notice to which all meetings must adhere.

**Approval of Minutes**

BB called on the Directors to approve the minutes of the 6 October 2022 and 11 November 2022 meetings of the Governing Board, in the forms attached hereto as Exhibit A and Exhibit B. Upon motion made by Dir. Thomas, seconded by Dir. Lakkakula and approved by all Representatives in attendance, the following resolutions were:

* **RESOLVED:** That the minutes of the October 6, 2022 meeting of the Board of Directors, in the form attached hereto as Exhibit A, are hereby confirmed, approved and adopted.

* **RESOLVED:** That the minutes of the November 11, 2022 meeting of the Board of Directors, in the form attached hereto as Exhibit B, are hereby confirmed, approved and adopted.

**Call for nominations for Governing Board Chair**

BB opened the call for nominations from among Governing Board members to serve as the organization’s chairperson for the 2023 calendar year. BB requested that nominations be sent to [operations@openssf.org](mailto:operations@openssf.org).

**Chair’s Remarks on the Nov. 11 Meeting**

Dir. Thomas provided brief observations about the effectiveness of the November 11 meeting in culminating in a focus area for 2023. Dir. Thomas noted that the dialogue was deep, productive, and very important for the organization’s goals and objectives next year. Dir. Thomas reiterated her thanks to fellow board members, and shared enthusiasm for planning additional in-person board meetings in 2023 in order to build on the momentum established in November.

**2023 Strategic Plan - What We Learned in November**

BB introduced the OpenSSF Strategic Design document, attached to the meeting materials as Exhibit D, which is an executive summary of the outcomes of the strategic discussions held on Nov. 11. In summarizing the document, BB concluded that the bulk of the OpenSSF’s resources and staff in 2023 should focus on the “Sterling Toolchain” direction. Remaining budget and resources would be used for education and other opportunities that might arise in efforts parallel to the toolchain. Finally, BB commented that the hiring plan should be built to support this strategy.

Discussion among board members ensued about the general percentage of budget and resources available to allocate to the Sterling Toolchain. Board members sought clarification on how non-toolchain-related efforts would be supported, and on the Mobilization Plan’s function. BB commented that the Mobilization Plan should be used as a tool to communicate how our goals and activities are driving impact against industry-identified needs.

BB posed additional questions for discussion. Several Governing Board members commented on the need to better utilize subcommittees to improve the organization’s bandwidth. Board members generally agreed that the existing subcommittees, including public policy and budget, should be empowered to collaborate on and recommend proposals to the board in order to better delegate work. Further, board members generally agreed that the committees should focus on the needs of the toolchain, and on how the TAC can be well supported by staff and governing board committees in order to work more effectively on the toolchain. It was generally agreed that the TAC will need stronger support from Program Managers, Technical Program Managers, a CTO or Architect, and other staff in order to drive outcomes for the toolchain.

Additional discussion noted the need to develop the toolchain solutions with strong participation from the community and member organizations, to ensure that developers and new contributors are not alienated by an approach that appears “top-down.” Additional commentary noted that it is easier at the moment for organizations to provide non-financial resources, and that defined parameters, constraints, and community feedback and input processes will be important to ensure the consistency and cohesiveness of the whole.

**2023 Budget Discussion**

BB introduced the pro forma budget proposal, included with the meeting materials as Exhibit C. BB presented the proposal, noting that the budget for events and marketing includes continuing the third-party events approach rather than doing a standalone event. BB went through each item, noting that if approved, this budget would be applied to OKRs based on the toolchain. BB then went through the proposed staffing hires, including their approximate salary ranges, which make up the bulk of the proposed budget spend. BB clarified that the roles requested by the TAC were identified in the materials for the Nov. 11 meeting.

Discussion ensued regarding the amount of deficit spending in the proposed budget. The Board generally agreed that deficit spending for 2023 would be acceptable given the amount of surplus funds carried forward; however, there was some discussion about how aggressively to spend into the deficit. Board members requested that staff better utilize the budget subcommittee to develop spending proposals.

BB asked for a motion to approve the pro forma budget proposal, which was made by Dir. Thomas and seconded by Dir. Gupta. Dir. Colbert opposed the motion. Dirs. Roese, Beming, and Heimann abstained. BB determined that sufficient consensus had not been reached to pass the motion.

ACTION: Staff to schedule a budget subcommittee meeting in early Q1.

BB then proposed that the Governing Board establish a committee to assist with and address staffing needs. The Recruitment Committee would collaborate on role descriptions, assess appropriate compensation ranges, and help recruit diverse, qualified applicants for the roles. The Recruitment Committee would not make hiring decisions or offers, participate in employment discussions after hire, or be required to participate in interview loops. Upon motion made by Dir. Brewer, seconded by Dir. Roese and approved by all Representatives in attendance, the following resolution was:

* **RESOLVED:** That the Governing Board of the OpenSSF shall establish a temporary Recruitment Committee for the purposes of assisting staff with the development of, and recruiting for, open 2023 job requisitions at the OpenSSF.

**2023 Governance Restructuring**

BB shared governance-related discussion questions that arose from the Nov. 11 meeting. BB noted suggestions that had been made so far, including accomplishing more through the subcommittees, meeting more frequently in person, meeting quarterly rather than monthly, and evaluating the organizational design needs of an “umbrella” foundation with a toolchain focus. After a brief discussion, BB suggested the questions be sent to the Governance Committee to review and provide proposals.

ACTION: Governance Subcommittee to provide analysis and proposals for the governance-related observations from Nov. 11.

**January Governing Board Meeting**

BB addressed the timing of the January 7 governing board meeting, noting that limited progress would likely be made between the December and January meetings. After a brief discussion it was agreed to cancel the Jan 7 meeting of the OpenSSF Governing Board.

**Adjournment**

BB called the meeting to a close and the meeting of the Governing Board adjourned at 9:31 AM Pacific Time.

--------------------------------------------------------------------------------
/Governing Board Public Minutes/2023-03-02.md:
--------------------------------------------------------------------------------

![OpenSSFLogo](https://user-images.githubusercontent.com/51727488/232104184-d3c38a36-cf1e-487f-aba2-c2d548e3f7ef.png)

**The Open Source Security Foundation**

MINUTES OF GOVERNING BOARD (FOR PUBLIC RELEASE)

2 March 2023

A combined meeting of the Governing Board and Technical Advisory Council of the Open Source Security Foundation was held on 2 Feb. 2023 at 8:03 am Pacific Time via teleconference.
16 | 17 | **Governing Board Members In Attendance** 18 | 19 | 20 | 21 | 22 | 24 | 26 | 28 | 29 | 30 | 32 | 34 | 36 | 37 | 38 | 40 | 42 | 44 | 45 | 46 | 48 | 50 | 52 | 53 | 54 | 56 | 58 | 60 | 61 | 62 | 64 | 66 | 68 | 69 | 70 | 72 | 74 | 76 | 77 | 78 | 80 | 82 | 84 | 85 | 86 | 88 | 90 | 92 | 93 | 94 | 96 | 98 | 100 | 101 | 102 | 104 | 106 | 108 | 109 | 110 | 112 | 114 | 116 | 117 | 118 | 120 | 122 | 124 | 125 | 126 | 128 | 130 | 132 | 133 | 134 | 136 | 138 | 140 | 141 | 142 | 144 | 146 | 148 | 149 | 150 | 152 | 154 | 156 | 157 | 158 | 160 | 162 | 164 | 165 | 166 | 168 | 170 | 172 | 173 | 174 | 176 | 178 | 180 | 181 | 182 | 184 | 186 | 188 | 189 | 190 | 192 | 194 | 196 | 197 | 198 | 200 | 202 | 204 | 205 | 206 | 208 | 210 | 212 | 213 | 214 | 216 | 218 | 220 | 221 | 222 | 224 | 226 | 228 | 229 | 230 | 232 | 234 | 236 | 237 | 238 | 240 | 242 | 244 | 245 | 246 | 248 | 250 | 252 | 253 | 254 | 256 | 258 | 260 | 261 | 262 | 264 | 266 | 268 | 269 |
Company 23 | Governing Board Member 25 | 27 |
Apple 31 | Kelly Ann 33 | 35 |
Atlassian 39 | Adrian Ludwig 41 | 43 |
AWS Security 47 | Mark Ryland 49 | 51 |
Capital One 55 | TBD 57 | 59 |
Chainguard 63 | Tracy Miranda (General Membership Representative) 65 | 67 |
Cisco 71 | Stephen Augustus 73 | 75 |
Citi 79 | Jonathan Meadows 81 | 83 |
Coinbase 87 | Scott Roberts 89 | 91 |
Dell Technologies 95 | John Roese 97 | 99 |
Ericsson 103 | 105 | 107 |
GitHub 111 | Mike Hanley 113 | 115 |
Google 119 | Eric Brewer 121 | 123 |
Google* 127 | Bob Callaway (TAC Representative) 129 | 131 |
Huawei 135 | Jingou Cui 137 | 139 |
IBM Corporation 143 | Jamie Thomas (Chair) 145 | 147 |
Indeed 151 | Duane O’Brien (General Membership Representative) 153 | 155 |
Intel Corporation 159 | Arun Gupta 161 | 163 |
JFrog 167 | Stephen Chin (General Membership Representative) 169 | 171 |
JP Morgan Chase 175 | Rao Lakkakula 177 | 179 |
Meta 183 | Clyde Rodriguez 185 | 187 |
Microsoft 191 | Mark Russinovich 193 | 195 |
Morgan Stanley 199 | Declan O’Donovan 201 | 203 |
OWASP* 207 | Andrew van der Stock (Associate Member Rep) 209 | 211 |
Oracle 215 | John Heimann 217 | 219 |
Red Hat, Inc. 223 | Vincent Danen 225 | 227 |
Snyk 231 | Gareth Rushgrove 233 | 235 |
Sonatype 239 | Brian Fox 241 | 243 |
Self-employed 247 | Ian Coldwater (Security Community Individual Rep) 249 | 251 |
VMWare 255 | Kit Colbert 257 | 259 |
Wipro 263 | Subha Tatavarti 265 | 267 |
270 | 271 | 272 | **Observers, Invited Guests, and Staff Attendance** 273 | 274 | 275 | 276 | 277 | 279 | 281 | 283 | 284 | 285 | 287 | 289 | 291 | 292 | 293 | 295 | 297 | 299 | 300 | 301 | 303 | 305 | 307 | 308 | 309 | 311 | 313 | 315 | 316 | 317 | 319 | 321 | 323 | 324 | 325 | 327 | 329 | 331 | 332 | 333 | 335 | 337 | 339 | 340 | 341 | 343 | 345 | 347 | 348 | 349 | 351 | 353 | 355 | 356 |
Company 278 | 280 | Observer 282 |
Dell Technologies 286 | 288 | Sarah Evans 290 |
Ericsson 294 | 296 | Georg Kunz 298 |
Google 302 | 304 | Anne Bertucio 306 |
IBM Corporation 310 | 312 | Jeff Borek 314 |
Microsoft 318 | 320 | Sarah Novotny (for Mark Russinovich) 322 |
VMWare 326 | 328 | Tim Pepper 330 |
WiPro 334 | 336 | Andrew Aitken 338 |
Apple 342 | 344 | Emily Fox 346 |
Atlassian 350 | 352 | Robbie Gallagher 354 |
357 | 358 | 359 | 360 | 361 | 362 | 364 | 366 | 368 | 369 | 370 | 372 | 374 | 376 | 377 | 378 | 380 | 382 | 384 | 385 | 386 | 388 | 390 | 392 | 393 | 394 | 396 | 398 | 400 | 401 | 402 | 404 | 406 | 408 | 409 | 410 | 412 | 414 | 416 | 417 | 418 | 420 | 422 | 424 | 425 |
TAC Representatives and Invited Guests 363 | 365 | 367 |
TAC Representative 371 | 373 | Aeva Black 375 |
TAC Representative 379 | 381 | Abhishek Arya 383 |
TAC Representative 387 | 389 | CRob Robinson 391 |
TAC Representative 395 | 397 | Dan Lorenc 399 |
TAC Representative 403 | 405 | Josh Bressers 407 |
TAC Representative 411 | 413 | Luke Hinds 415 |
Invited Guest 419 | 421 | Francis Perron 423 |
426 | 427 | 428 | 429 | 430 | 431 | 433 | 435 | 437 | 438 | 439 | 441 | 443 | 445 | 446 | 447 | 449 | 451 | 453 | 454 | 455 | 457 | 459 | 461 | 462 | 463 | 465 | 467 | 469 | 470 | 471 | 473 | 475 | 477 | 478 | 479 | 481 | 483 | 485 | 486 | 487 | 489 | 491 | 493 | 494 | 495 | 497 | 499 | 501 | 502 |
| OpenSSF and Linux Foundation Staff | Name |
| --- | --- |
| General Manager | Brian Behlendorf |
| VP of Open Source Supply Chain Security | David A. Wheeler |
| Sr. Marketing Manager | Jennifer Bly |
| SVP, GM of Projects | Mike Dolan |
| Strategic Advisor | Sam Ramji |
| Program Manager | Khahil White |
| Sr. Program Manager | Kurt Taylor |
| SVP, Program Operations | Todd Moore |
**Call to Order**

Brian Behlendorf (BB) called the meeting to order at 8:03 am Pacific Time; Kurt Taylor and Khahil White recorded the minutes. A quorum of Governing Board Members was established for the conduct of business, and the meeting, having been duly convened, was ready to proceed with business.

**Agenda and Welcome**

BB introduced the objectives and agenda for the meeting. There were no additional topics added.

**Antitrust Policy Notice**

BB reminded the Governing Board of the Linux Foundation [antitrust policy](http://www.linuxfoundation.org/antitrust-policy) notice to which all meetings must adhere.

**Approval of Minutes**

BB called on the Directors to approve the minutes of the 2 February 2023 meeting of the Governing Board, in the form attached hereto as Exhibit A. Upon motion made by Dir. Thomas, seconded by Dir. Gupta and approved by all Representatives in attendance, the following resolution was adopted:

* **RESOLVED:** That the minutes of the 2 February 2023 meeting of the Board of Directors, in the form attached hereto as Exhibit A, are hereby confirmed, approved and adopted. Andrew van der Stock, Tracy Miranda, and Stephen Chin abstained.

**Staffing changes**

BB updated the board on recent staffing changes within the OpenSSF: the departure of Jory Burson and the introduction of Senior Program Manager Kurt Taylor. Francis Perron was announced as a Technical Program Manager volunteering from Google. Sam Ramji will temporarily act as Chief of Staff to BB.

**Combined Session of TAC and Governing Board [80 min]**

**2023 Strategy Review**

BB presented a review of the overall 2023 strategy (Exhibit B), including development of the Sterling Toolchain concept.

**Recruiting update**

BB gave an update on the four open roles and the recruiting status of those positions. BB shared that the applicants for the Chief of Staff role had been narrowed to 10 candidates. There were no questions.

**Upcoming Budget & Finance Committee Meeting**

Sam Ramji (SR) presented on the 2023 budget and the establishment of a Budget & Finance Committee made up of five GB members; several candidates have volunteered to serve as representatives.

ACTION ITEM: SR to meet with potential committee members ahead of the first committee meeting.

**Marketing Committee and DevRel Committee**

SR presented an update on the Marketing Committee and asked members to send marketing leads to the committee. SR discussed the differences between the DevRel and Outreach functions.

Q: How is the DevRel committee different from an Ambassador program?

A: The DevRel committee would be an executive committee that would define and manage an Ambassador program. It would support and be supported by a Community Manager FTE, and would be chaired by a member of the Governing Board.

Ian Coldwater (IC) asked for more detail: how does this relate to the Security Community Individual Representative (SCIR)? SR answered that it is orthogonal to the SCIR, as the SCIR is a Governing Board role; the SCIR is welcome to participate in a DevRel committee and may be ideal in helping to define it.

IC volunteered to assist in defining the DevRel committee.

The Governance Committee will work out a proposal to the Governing Board for the new committee organization.

**Mobilization Plan Review**

BB presented a color-coded short status overview slide of the Mobilization Plan, along with the funding status of each stream of the plan.

ACTION ITEMS: Add a funding column to the overview slide; Mike Hanley and Francis Perron to meet on how to accelerate spending of Mobilization Plan funds in 2023.

Call to action: GB members to formulate proposals for which we can drive funding. Examples are the [EDU.SIG](https://github.com/ossf/education/blob/main/plan/proposal_summary.md) and [SIRT](https://github.com/ossf/SIRT/blob/main/plan/proposal_summary.md) proposals.

**Visualizing the OpenSSF: the Work of the “Diagrammers Society” SIG**

CRob presented the work of the Diagrammers’ Society SIG (Exhibit D, "OpenSSF 1000s of Words") to the GB for review. GB attendees stated that the CI/CD map was helpful in explaining the OpenSSF to newcomers.

Marketing (Jennifer Bly) and LF Creative Services will be involved as the process progresses, in order to ensure readability and accessibility of the diagrams.

**Adjournment**

BB called the meeting to a close and the meeting of the Governing Board adjourned at 9:25 AM Pacific Time.

--------------------------------------------------------------------------------
/Governing Board Public Minutes/2023-04-06.md:
--------------------------------------------------------------------------------

![OpenSSFLogo](https://user-images.githubusercontent.com/51727488/232104184-d3c38a36-cf1e-487f-aba2-c2d548e3f7ef.png)

**The Open Source Security Foundation**

MINUTES OF GOVERNING BOARD (FOR PUBLIC RELEASE)

6 April 2023

A combined meeting of the Governing Board and Technical Advisory Council of the Open Source Security Foundation was held on 6 April 2023 at 8:03 am Pacific Time via teleconference.
**Governing Board Members In Attendance**

| Company | Governing Board Member |
| --- | --- |
| Apple | Kelly Ann |
| Atlassian | Adrian Ludwig |
| AWS Security | Mark Ryland |
| Capital One | TBD |
| Chainguard | Tracy Miranda (General Membership Representative) |
| Cisco | Stephen Augustus |
| Citi | Jonathan Meadows |
| Coinbase | Scott Roberts |
| Dell Technologies | John Roese |
| Ericsson | Erik Ekkuden |
| GitHub | Mike Hanley |
| Google | Eric Brewer |
| Google* | Bob Callaway (TAC Representative) |
| Huawei | Jingou Cui |
| IBM Corporation | Jamie Thomas (Chair) |
| Indeed | Duane O’Brien (General Membership Representative) |
| Intel Corporation | Arun Gupta |
| JFrog | Stephen Chin (General Membership Representative) |
| JP Morgan Chase | Rao Lakkakula |
| Meta | Clyde Rodriguez |
| Microsoft | Mark Russinovich |
| Morgan Stanley | Declan O’Donovan |
| OWASP* | Andrew van der Stock (Associate Member Rep) |
| Oracle | John Heimann |
| Red Hat, Inc. | Vincent Danen |
| Snyk | Gareth Rushgrove |
| Sonatype | Brian Fox |
| Self-employed | Ian Coldwater (Security Community Individual Rep) |
| VMWare | Kit Colbert |
| Wipro | Subha Tatavarti |
**Observers, Invited Guests, and Staff Attendance**

| Company | Observer |
| --- | --- |
| Dell Technologies | Sarah Evans |
| Ericsson | Georg Kunz |
| Google | Anne Bertucio |
| IBM Corporation | Jeff Borek |
| Microsoft | Sarah Novotny (for Mark Russinovich) |
| VMWare | Tim Pepper |
| Wipro | Andrew Aitken |
| Apple | Emily Fox |
| Atlassian | Robbie Gallagher |
| Intel | Ryan Ware |
| Coinbase | Michael Brown |
| TAC Representatives and Invited Guests | Name |
| --- | --- |
| TAC Representative | Aeva Black |
| TAC Representative | Abhishek Arya |
| TAC Representative | CRob Robinson |
| TAC Representative | Dan Lorenc |
| TAC Representative | Josh Bressers |
| TAC Representative | Luke Hinds |
| OpenSSF and Linux Foundation Staff | Name |
| --- | --- |
| General Manager | Brian Behlendorf |
| VP of Open Source Supply Chain Security | David A. Wheeler |
| Director of Program Management | Amanda Martin |
| Sr. Marketing Manager | Jennifer Bly |
| SVP, GM of Projects | Mike Dolan |
| Strategic Advisor | Sam Ramji |
| Program Manager | Khahil White |
| Sr. Program Manager | Kurt Taylor |
| SVP, Program Operations | Todd Moore |
**Call to Order**

Brian Behlendorf (BB) called the meeting to order at 8:03 am Pacific Time; Khahil White (KW) and Amanda Martin (AM) recorded the minutes. A quorum of Governing Board Members was established for the conduct of business, and the meeting, having been duly convened, was ready to proceed with business.

**Agenda and Welcome**

BB introduced the objectives and agenda for the meeting. There were no additional topics added.

**Antitrust Policy Notice**

BB reminded the Governing Board of the Linux Foundation [antitrust policy](http://www.linuxfoundation.org/antitrust-policy) notice to which all meetings must adhere.

**Approval of Minutes**

BB called on the Governing Board Members to approve the minutes of the 2 March 2023 meeting of the Governing Board, with the correction of Georg Kunz as the Ericsson representative, in the form attached hereto as Exhibit A. Upon motion made by Ms. Thomas, seconded by Mr. Gupta and approved by all representatives in attendance, the following resolution was adopted:

* **RESOLVED:** That the minutes of the 2 March 2023 meeting of the Governing Board, in the form attached hereto as Exhibit A, are hereby confirmed, approved and adopted. Ms. Thomas motioned to approve, Mr. Chin seconded the motion, approved by the Governing Board.

**Staffing changes & Recruiting Updates**

BB presented on the recent staffing changes and introduced Amanda Martin to the Governing Board Members.

BB presented an update on the pipeline and state of recruiting for the open roles.

**Combined Session of TAC and Governing Board [70 min]**

**Budget Committee recommendations [Exhibit B]**

BB informed the GB of the current state of the Budget & Finance Committee and presented the committee's recommendations to the Governing Board (Exhibit B).

**Governance Committee recommendations**

BB updated the board on the state of the Governance Committee and introduced Jeff Borek (JB) as the new chair of the committee.

JB added that the Governance Committee is there to provide guidance and structure to the GB and TAC.

BB clarified the relationship between OpenSSF and Alpha Omega, and posed the question of when funding is internal versus for an externally associated project.

**Sterling Toolchain**

Discussion of the Sterling Toolchain concept with the new TAC in place. The document is not up for agreement until the new TAC approves it. Members noted this is the correct process for such concepts.

The document was shared with the GB, and permissions are now open for public comment.

**OpenSSF Day North America: 5/10/23 [Exhibit C]**

BB presented on the state of OpenSSF Day North America 2023 (Wednesday, in Vancouver, Canada). BB informed the board that the schedule is now live, and that he is working with the Public Policy Committee to build questions for the opening keynote with our government speakers.

**In-person GB meeting**

An in-person GB strategy meeting was proposed to take place at the Linux Foundation Member Summit on October 27. No objections; approved by rough consensus. Additional discussion on possibly holding it outside North America in the future.

**2023 OKRs [Exhibit D]**

BB presented the proposed 2023 OKRs for the OpenSSF (Exhibit D). A motion to approve and amend was presented during the meeting. JT motioned to approve, Andrew van der Stock seconded. Result: the 2023 OKRs were approved unanimously.

**TAC and SCIR election**

BB presented the TAC election data and results.

TAC: Dustin Ingram - Google (new), Bob Callaway - Google (returning), Aeva Black - Microsoft (returning), and Daniel Lorenc - Chainguard (returning)

SCIR: Luke Hinds - Red Hat

Congratulations to the winners! BB then requested that TAC members drop from the call for the executive session of the GB.

**END OF PUBLIC NOTES**

**Adjournment**

BB called the meeting to a close and the meeting of the Governing Board adjourned at 9:11 AM Pacific Time.

--------------------------------------------------------------------------------
/Governing Board Public Minutes/2023-05-04.md:
--------------------------------------------------------------------------------

![OpenSSFLogo](https://user-images.githubusercontent.com/51727488/232104184-d3c38a36-cf1e-487f-aba2-c2d548e3f7ef.png)

**The Open Source Security Foundation**

MINUTES OF GOVERNING BOARD (FOR PUBLIC RELEASE)

4 May 2023

A combined meeting of the Governing Board and Technical Advisory Council of the Open Source Security Foundation was held on 4 May 2023 at 8:03 am Pacific Time via teleconference.
**Governing Board Members In Attendance**

| Company | Governing Board Member | Present |
| --- | --- | --- |
| Apple | Kelly Ann | X |
| Atlassian | Adrian Ludwig | |
| AWS Security | Mark Ryland | X |
| Capital One | TBD | |
| Chainguard | Tracy Miranda (General Membership Representative) | X |
| Cisco | Stephen Augustus | X |
| Citi | Jonathan Meadows | |
| Coinbase | Scott Roberts | |
| Dell Technologies | John Roese | |
| Ericsson | Erik Ekkuden | |
| GitHub | Mike Hanley | X |
| Google | Eric Brewer | X |
| Google* | Bob Callaway (TAC Representative) | X |
| Huawei | Jingou Cui | X |
| IBM Corporation | Jamie Thomas (Chair) | X |
| Indeed | Duane O’Brien (General Membership Representative) | |
| Intel | Arun Gupta | X |
| JFrog | Stephen Chin (General Membership Representative) | X |
| JP Morgan Chase | Rao Lakkakula | X |
| Meta | Clyde Rodriguez | |
| Microsoft | Mark Russinovich | X |
| Morgan Stanley | Declan O’Donovan | X |
| OWASP* | Andrew van der Stock (Associate Member Rep) | X |
| Oracle | John Heimann | |
| Red Hat, Inc. | Vincent Danen | X |
| Snyk | Gareth Rushgrove | |
| Sonatype | Brian Fox | |
| VMWare | Kit Colbert | X |
| Wipro | Subha Tatavarti | |
**Zach Steindler**

**Stephen Walli**

**Dustin Ingram (Google)**

**Ed Warnicke**

**Per Beming**

**Observers, Invited Guests, and Staff Attendance**

| Company | Present | Observer |
| --- | --- | --- |
| Dell Technologies | X | Sarah Evans |
| Ericsson | X | Georg Kunz |
| Google | X | Anne Bertucio |
| IBM Corporation | X | Jeff Borek |
| Microsoft | | Sarah Novotny (for Mark Russinovich) |
| VMWare | X | Tim Pepper |
| Wipro | | Andrew Aitken |
| Apple | X | Emily Fox |
| Atlassian | | Robbie Gallagher |
| Intel | X | Ryan Ware |
| Coinbase | | Michael Brown |
| TAC Representatives and Invited Guests | Present | Name |
| --- | --- | --- |
| TAC Representative | X | Aeva Black |
| TAC Representative | | Abhishek Arya |
| TAC Representative | X | CRob Robinson |
| TAC Representative | | Dan Lorenc |
| TAC Representative | | Josh Bressers |
| TAC Representative | X | Luke Hinds |
| OpenSSF and Linux Foundation Staff | Name |
| --- | --- |
| General Manager | Omkhar Arasaratnam |
| CTO | Brian Behlendorf |
| VP of Open Source Supply Chain Security | David A. Wheeler |
| Director of Program Management | Amanda Martin |
| Sr. Marketing Manager | Jennifer Bly |
| SVP, GM of Projects | Mike Dolan |
| SVP, Program Operations | Todd Moore |
| Program Manager | Khahil White |
| Sr. Program Manager | Kurt Taylor |
| Technical Program Manager | Francis Perron |
| Executive Director, The Linux Foundation | Jim Zemlin |
**Call to Order**

Brian Behlendorf (BB) called the meeting to order at 8:03 am Pacific Time; Khahil White (KW) and Amanda Martin (AM) recorded the minutes. A quorum of Governing Board Members was established for the conduct of business, and the meeting, having been duly convened, was ready to proceed with business.

**Agenda and Welcome [10 min]**

BB introduced the objectives and agenda for the meeting. There were no additional topics added.

**Antitrust Policy Notice**

BB reminded the Governing Board of the Linux Foundation [antitrust policy](http://www.linuxfoundation.org/antitrust-policy) notice to which all meetings must adhere.

**Staffing Directory**

ADD LUKE!!!

**Approval of Minutes**

BB called on the Governing Board Members to approve the minutes of the 6 April 2023 meeting of the Governing Board.

Jamie Thomas motioned to approve.

Stephen seconded the motion.

All in favor.

**Staffing changes & Recruiting Updates**

BB presented on the recent staffing changes and introduced Omkhar Arasaratnam as the new OpenSSF General Manager, along with BB’s move to CTO.

Omkhar introduced himself to the Governing Board.

**Combined Session of TAC and Governing Board [80 min]**

**Quick Highlights**

BB presented quick updates, including the launch of SLSA 1.0 stable, the RSTUF donation, the OpenVEX donation, the upcoming OpenSSF vulnerability disclosure policies, and recent OpenSSF community blogs.

BB asked if this update is helpful. Affirmative statements were shown in chat.

**OpenSSF Day North America: 5/10/23 [Exhibit C]**

BB presented on the state of OpenSSF Day North America 2023 (Wednesday, in Vancouver, Canada). OpenSSF Day is next week!

Attendees were invited to the reception on Tuesday night.

Mention of Anjana and Jack looking to connect.

**TAC election update**

BB gave an update on the TAC election. KW TO FILL IN NAMES VIA COPYPASTA

**Mobilization Plan update**

BB: we are close to the one-year mark since the document was created, and the Governance Committee has begun to consider a process to define and then manage an update. The GB recommends that the Governance Committee take on the task of determining whether the Mobilization Plan requires an update.

Discussion ensued on how to move forward with the Mobilization Plan. Is it worth the time and effort?

Tracy Miranda noted that this is worth the effort.

Arun Gupta: we must be deliberate in what we choose; we should be very conscious about whether we pick up a new stream.

Is there agreement from the GB that this is an issue for the GC?

Eric Brewer shared that the MP needs updating.

Jamie Thomas emphasized that the policy aspect is crucial.

Jeff Borek reminded us of the MP progress report a few months ago.

BB extended an invitation to the GC subcommittee meeting to the rest of the board.

Emily Fox clarified the process for the MP: new streams should go through the GC and TAC.

Eric Brewer (in chat): the intention of the GC is that when the TAC needs feedback from the GB, it actually works with the GC first in more detail.

Many are in agreement.

Francis (in chat): clearing up the relationships between the TAC/GB/GC is on our short list of efficiency topics to address in 2023 as well, part of Objective 1: "The OpenSSF staff, volunteers and governing board members are efficient at decision making".

Mike Hanley encouraged us to focus on the basics before the new things.

Stephen Augustus felt that the AI/ML space is wanting open source opinions, and now might be a good time.

Arun recommended we look into exploring edge.

Luke Hinds drafted a proposal for an AI/ML WG.

Action: the GC will look into updating the streams, as that is the right place to address this problem. The GB will vote on the final product.

**CRA Update**

BB presented on what the CRA (the EU Cyber Resilience Act) is, and opened discussion on directions to take on the CRA. BB opened a call to action for any GB or TAC members who would like to join the Public Policy Committee.

Anne Bertucio mentioned that the Public Policy Committee needs a charter and better notes.

CRob mentioned that much of the meeting is not on record, but that the committee should have a charter.

Jamie Thomas shared that many parties are working on this and that Part A might be the easier approach.

Action: BB to get the historical Public Policy Committee charter and circulate it.

**Adjournment**

BB called the meeting to a close and the meeting of the Governing Board adjourned at 9:1 AM Pacific Time.

--------------------------------------------------------------------------------
/Governing Board Public Minutes/2023-07-13.md:
--------------------------------------------------------------------------------

![OpenSSFLogo](https://user-images.githubusercontent.com/51727488/232104184-d3c38a36-cf1e-487f-aba2-c2d548e3f7ef.png)

**The Open Source Security Foundation**

MINUTES OF GOVERNING BOARD (FOR PUBLIC RELEASE)

13 July 2023

A meeting of the Governing Board of the Open Source Security Foundation was held on 13 July 2023 at 8:07 am Pacific Time via teleconference.
**Governing Board Members In Attendance**

| Company | Present | Governing Board Voting Member | Present | Governing Board Observer |
| --- | --- | --- | --- | --- |
| Apple | X | Kelly Ann | X | Emily Fox |
| Atlassian | X | Bala Sathiamurthy | | Robbie Gallagher |
| AWS Security | X | Mark Ryland | | Debashis Das |
| Capital One | | Mike Benjamin | | |
| Cisco | X | Stephen Augustus | | Ed Warnicke |
| Citi | | Jonathan Meadows | | |
| Dell Technologies | | John Roese | X | Sarah Evans |
| Ericsson | X | Per Beming | X | Georg Kunz |
| GitHub | X | Mike Hanley | | Justin Hutchings |
| Google | | Eric Brewer | X | Anne Bertucio |
| Huawei | X | Jingou Cui | | Liang Xu |
| IBM Corporation | X | Jamie Thomas (Chair) | X | Jeff Borek |
| Intel | X | Arun Gupta | X | Ryan Ware |
| JP Morgan Chase | X | Rao Lakkakula | | Benjamin Flatgard |
| Meta | | Steve Clarke | | Chris Rohlf |
| Microsoft | X | Stephen Walli | | Sarah Novotny |
| Morgan Stanley | | Declan O’Donovan | X | Gaja Anand |
| Oracle | X | John Heimann | | Wim Coekaerts |
| Red Hat | X | Vincent Danen | | Chris Wright |
| Sonatype | | Brian Fox | | |
| VMWare | | Kit Colbert | X | Tim Pepper |
| Wipro | | Subha Tatavarti | | Andrew Aitken |
| Chainguard (General Mem. Rep) | | Dan Lorenc | | |
| Indeed (General Mem. Rep) | | Alex Thurlow | | |
| JFrog (General Mem. Rep) | | Stephen Chin | | |
| OWASP (Assoc. Mem. Rep) | X | Andrew van der Stock | X | |
| Intel (TAC Representative) | X | CRob Robinson | | Arnaud Le Hors |
| SCIR | X | Luke Hinds | | |
| OpenSSF and Linux Foundation Staff | Present | Name |
| --- | --- | --- |
| General Manager | X | Omkhar Arasaratnam |
| CTO | X | Brian Behlendorf |
| Ecosystem Strategist | X | Bennett Pursell |
| Chief of Staff | X | Harry Toor |
| Technical Project Manager | X | Adrianne Marcum |
| VP of Open Source Supply Chain Security | X | David A. Wheeler |
| Director of Program Management | X | Amanda Martin |
| Sr. Marketing Manager | X | Jennifer Bly |
| SVP, GM of Projects | X | Mike Dolan |
| SVP of Program Operations | X | Todd Moore |
| Program Manager | X | Khahil White |
| Executive Director, The Linux Foundation | X | Jim Zemlin |
| Guests | Present | Company | Name |
| --- | --- | --- | --- |
| Marketing Committee Co-Chair | X | Deploy Hub | Tracy Ragan |
**Call to Order**

Omkhar Arasaratnam (OA) called the meeting to order at 8:07 am Pacific Time; Khahil White (KW) and Adrianne Marcum (AFM) recorded the minutes. A quorum of Governing Board Members was established for the conduct of business, and the meeting, having been duly convened, was ready to proceed with business.

**Agenda and Welcome [10 min]**

OA introduced the objectives and agenda for the meeting. An overview of charter inconsistencies was added as a topic.

OpenSSF commits to pre-reads being available 7 days in advance, so the markup for charter changes will be available by August 10th; approving changes to the charter will require ⅔ GB attendance.

**AI: OpenSSF staff will follow up with suggested charter changes ahead of the August board meeting, before August 1**

**Antitrust Policy Notice**

OA reminded the Governing Board of the Linux Foundation [antitrust policy](http://www.linuxfoundation.org/antitrust-policy) notice to which all meetings must adhere.

**Approval of Minutes**

OA called on the Governing Board to adopt the following resolution:

_RESOLVED: That the minutes of the May 4th, 2023 meeting of the Board of Directors, in the form attached hereto as Exhibit A, are hereby confirmed, approved and adopted with the change of “Intel Corporation” to “Intel.”_

Arun Gupta motioned to approve.

Andrew van der Stock seconded the motion.

All in favor.

**Message from the GM**

OA commented on his first 60 days and his goals for the upcoming months.

**Decisions requiring input this board meeting**

1. London Meetup
2. Public Policy Funding
3. DevRel Committee

**Updates and information**

OA went over staffing updates and clarified that nearly all open roles have now been filled.
Approve OpenSSF to host a London OpenSSF meet-up the week of Sept 11, ahead of OpenSSF Day EU.

The GB suggested pre-approvals for events within budget, without having to vote on each event.
| Company | Voting Member | London Meetup Vote |
|---|---|---|
| Apple | Kelly Ann | Aye |
| AWS Security | Mark Ryland | Aye |
| Cisco | Stephen Augustus | Aye |
| GitHub | Mike Hanley | Aye |
| Huawei | Jingou Cui | Aye |
| IBM Corporation | Jamie Thomas (Chair) | Aye |
| Intel | Arun Gupta | Abstain |
| JP Morgan Chase | Rao Lakkakula | Aye |
| Red Hat | Vincent Danen | Abstain |
| OWASP (Assoc. Mem. Rep) | Andrew van der Stock | Aye |
London meetup passed with quorum: 7 votes for approve, 2 for abstain

**Governance updates**

OA presented slides on how to improve our governance, standardization, and mobilization plan as the next set of interesting work that does not yet have funding.

OA offered a case study on OpenSSF's inability to submit a position on the CISA Self-Attestation public input request as an example of the need for improved structure and planning.

**TAC Updates**

TAC representative CRob presented working group updates for Identifying Security Threats, GUAC, and progress on the Sterling Toolchain.

The GUAC project moved into the incubation phase as part of the Supply Chain Integrity Working Group.

Tooling/SBOM WG update - [https://docs.google.com/presentation/d/1NfrSKl8vCFXe1IgZkL2tH61orM1fFdOdQmRNOmK1Ujo](https://docs.google.com/presentation/d/1NfrSKl8vCFXe1IgZkL2tH61orM1fFdOdQmRNOmK1Ujo/edit#slide=id.p1)

Supply Chain Integrity WG update - [https://docs.google.com/presentation/d/1dSvWNKQYi52iGMxSpfbjVJf4SJLwWy5IcMcOYFnwBHs](https://docs.google.com/presentation/d/1dSvWNKQYi52iGMxSpfbjVJf4SJLwWy5IcMcOYFnwBHs)

Sterling Toolchain details can be found here - [https://github.com/ossf/Diagrammers-Society/tree/main/SecurityToolbelt](https://github.com/ossf/Diagrammers-Society/tree/main/SecurityToolbelt)

**Public Policy Committee Recommendations**

Brian Behlendorf (BB) presented the Public Policy Committee's proposal. The Committee asks the Governing Board for a budget of $20k (as a variance to the current budget, to be administered by OpenSSF staff) for content development. This will assist the Committee in the timely preparation of responses to RFCs, blog posts, white papers, and other public publications, which, under the current charter, will continue to require GB approval.
Discussion ensued, and the Committee will come back with proposed changes to the charter to address the reporting.

**AI: Come back with a list of what the PPC will be responsible for once the charter is approved by the GB - BB**
| Company | Voting Member | Public Policy Vote |
|---|---|---|
| Apple | Kelly Ann | Abstain |
| AWS Security | Mark Ryland | Aye |
| Cisco | Stephen Augustus | Nay |
| GitHub | Mike Hanley | Aye |
| Huawei | Jingou Cui | Abstain |
| IBM Corporation | Jamie Thomas (Chair) | Aye |
| Intel | Arun Gupta | Aye |
| JP Morgan Chase | Rao Lakkakula | Aye |
| Red Hat | Vincent Danen | Aye |
| OWASP (Assoc. Mem. Rep) | Andrew van der Stock | Aye |
PPC funding passed with quorum: 6 votes for approve, 1 vote for deny, 2 for abstain

**Governance Committee Recommendations [Exhibit B]**

Jeff Borek (JB) presented the recommendations from the Governance Committee to create a DevRel committee as a subcommittee of the Marketing Committee.

The DevRel committee will be created as a marketing subcommittee that conducts all meetings publicly, allows voting by approved non-members (approval process TBD), and coordinates activities with the TAC periodically (periodicity TBD).
| Company | Voting Member | DevRel |
|---|---|---|
| Apple | Kelly Ann | Aye |
| AWS Security | Mark Ryland | Aye |
| Cisco | Stephen Augustus | Aye |
| GitHub | Mike Hanley | Aye |
| Huawei | Jingou Cui | Aye |
| IBM Corporation | Jamie Thomas (Chair) | Aye |
| Intel | Arun Gupta | Aye |
| JP Morgan Chase | Rao Lakkakula | Aye |
| Red Hat | Vincent Danen | Aye |
| OWASP (Assoc. Mem. Rep) | Andrew van der Stock | Aye |
DevRel subcommittee passed with quorum: 10 votes for approve

**Marketing Committee Recommendations**

Tracy Ragan (TR) presented recent work from the Marketing Committee, the upcoming editorial calendar for blogs, and the blog guidelines for the OpenSSF: [https://openssf.org/community/blog-guidelines/](https://openssf.org/community/blog-guidelines/)

**Budget and Finance Updates**

OA presented the current status of the OpenSSF budget, as well as two additional scenarios: +20% and -20% projections.

**OKR Snapshot Survey**

AFM presented the current status of the OKR snapshot survey and asked for additional input. The survey closes on July 20th.

**Closing**

OA closed out the meeting with a recap of the decisions made, and noted that the team will be following up with additional meetings prior to the next board meeting.

**Summary**

OA quickly summarized the decisions.

* Action Item: OpenSSF staff will follow up with suggested charter changes and give them to the GB for an electronic vote.
* London Meetup - passed
* Public Policy Funding - passed; come back with what the PPC will be responsible for once the charter is approved by the GB
* DevRel Committee - passed

**Adjournment**

OA called the meeting to a close and the meeting of the Governing Board adjourned at 9:16 AM Pacific Time.
--------------------------------------------------------------------------------
/Governing Board Public Minutes/2023-12-12.md:
--------------------------------------------------------------------------------

![OpenSSFLogo](https://user-images.githubusercontent.com/51727488/232104184-d3c38a36-cf1e-487f-aba2-c2d548e3f7ef.png)

**The Open Source Security Foundation**

MINUTES OF GOVERNING BOARD (FOR PUBLIC RELEASE)

12 December 2023

A meeting of the Governing Board of the Open Source Security Foundation was held on 12 December 2023 at 12:00 am Eastern Time via teleconference.

**Governing Board Members In Attendance**
| Company | Present | Governing Board Voting Member | Present | Governing Board Observer |
|---|---|---|---|---|
| Apple | X | Kelly Ann | | Mike Hepple |
| Atlassian | | Bala Sathiamurthy | | Robbie Gallagher |
| AWS Security | X | Mark Ryland | | Henri Yandell |
| Capital One | | Mike Benjamin | | Nureen D'Souza |
| Cisco | | Stephen Augustus | | Ed Warnicke |
| Citi | X | Jonathan Meadows | | |
| Dell Technologies | | John Roese | X | Sarah Evans |
| Ericsson | X | Per Beming | X | Georg Kunz |
| GitHub | X | Mike Hanley | | Mike Linksvayer |
| Google | X | Eric Brewer | X | Anne Bertucio |
| Huawei | X | Jingou Cui | | Liang Xu |
| IBM Corporation | X | Jamie Thomas (Chair) | | Jeff Borek |
| Intel | X | Arun Gupta | X | Ryan Ware |
| JP Morgan Chase | | Rao Lakkakula | | Benjamin Flatgard |
| Meta | | Steve Clarke | | Chris Rohlf |
| Microsoft | X | Mark Russinovich | | Stephen Walli |
| Morgan Stanley | X | Declan O'Donovan | | Gaja Anand |
| Oracle | | John Heimann | | Wim Coekaerts |
| Red Hat | X | Vincent Danen | | Chris Wright |
| Sonatype | | Brian Fox | X | Jeff Wayman |
| VMWare | | Chip Childers | | Tim Pepper |
| Wipro | | Subha Tatavarti | | |
| Socket (General Mem. Rep) | | Bradley Meck Farias | | |
| JFrog (General Mem. Rep) | X | Stephen Chin | | |
| OWASP (Assoc. Mem. Rep) | X | Andrew van der Stock | | |
| Intel (TAC Representative) | X | CRob Robinson | | Arnaud Le Hors |
| SCIR | | Luke Hinds | | |
**OpenSSF and Linux Foundation Staff**

| Role | Present | Name |
|---|---|---|
| General Manager, OpenSSF | X | Omkhar Arasaratnam |
| Chief of Staff, OpenSSF | X | Harry Toor |
| Ecosystem Strategist, OpenSSF | X | Bennett Pursell |
| Technical Project Manager, OpenSSF | X | Adrianne Marcum |
| VP of Open Source Supply Chain Security | X | David A. Wheeler |
| Director of Program Management | X | Amanda Martin |
| Program Manager | | Khahil White |
| Chief Architect | X | Dana Wang |
| Community Manager | | Cheuk Ho |
| Program Coordinator | X | Reden Martinez |
| Sr. Marketing Manager | X | Jennifer Bly |
| Inside Sales Representative & Manager | X | Randi Armour |
| Executive Director, The Linux Foundation | | Jim Zemlin |
| SVP, GM of Projects, The Linux Foundation | | Mike Dolan |
| SVP of Program Operations, The Linux Foundation | | Todd Moore |
### Introduction

Omkhar Arasaratnam (OA) called the meeting to order at 11:04 am Eastern Time; Reden Martinez (RM), Dr. Amanda Martin (DM) and Adrianne Marcum (AM) recorded the minutes. A quorum of Governing Board Members was established for the conduct of business, and the meeting, having been duly convened, was ready to proceed with business.

### Attendance, Antitrust, Voting

OA introduced the objectives and agenda for the meeting. There were no additional topics added.

OA reminded the Governing Board of the Linux Foundation [antitrust policy](http://www.linuxfoundation.org/antitrust-policy) notice to which all meetings must adhere.

### Approval of Minutes

* RESOLVED: That the minutes of the October 23rd, 2023 meeting of the Board of Directors, in the form attached hereto as Exhibit A, are hereby confirmed, approved and adopted. Minutes attached as Exhibit A.
* Stephen Chin motioned to approve.
* Eric Brewer seconded the motion.
* All in favor; motion carried.

### 2024 Premier Member losses

* OA reviewed the losses and the findings from exit interviews. Members mentioned that economic factors likely played a role as well, and that new staff are now getting up to speed, so 2024 will be smoother. Suggestion to survey GB members regularly, specifically less-engaged members, to gain better insight into satisfaction with the foundation.
* It was noted that the members that left or downgraded had not been active members for a while.
* Members understand the loss, and there was a time of forming, norming and storming. Looking forward to next year with full staff.

### Approval of Budget

* Eric Brewer reviewed the budget for 2024, highlighting that we are spending into the surplus and reforecasting in May.
* The goal is to revisit the budget every quarter, and to do this in future years as well.
* General approval of the budget, and agreement that May is a good time to revisit.
* The Ops Model committee representative wants to share that the bottom two lines are new and important for the community.
* [WE HEREBY APPROVE/]: That the OpenSSF Budget Overview for 2024 as defined in the attached [Exhibit B](https://docs.google.com/document/d/1qFXFixlmgBuP122vpGxamnHXXTL_BsIGAgu05FZkaGE/edit#heading=h.9wss66n5p0gl) is approved. [/RESOLVED]
* Eric Brewer motioned to approve.
* Jamie Thomas seconded the motion.
* All in favor; motion carried.

### Supplemental Funding Concept

* OA reviewed the model as discussed with Mike Dolan.
* [WE HEREBY APPROVE/]: The supplemental funding concept, and delegate the operational details of the funding model procedures to the Governance Committee. [/RESOLVED]
* Arun Gupta motioned to approve.
* Andrew van der Stock seconded the motion.
* All in favor; motion carried.

### Governance Committee

* Jeff Borek (JB) reviewed the GC updates, including upcoming voting and attendance requirements to maintain voting seats.

### Ops-Model Temporary Committee Update

* Sarah Evans (SE) reviewed Ops Model Committee accomplishments.

[WE HEREBY APPROVE/]: A resolution to:

* separate the Charter (as edited in Exhibit I) into a cleaned-up Charter and distinct Policy and Procedure Resolution(s).
* seek LF Legal review of Charter changes (as edited in Exhibit I) prior to a Governing Board vote on charter amendment.
* publish all P&Ps in a publicly accessible location.
* adopt a rule in the OpenSSF P&P that all P&Ps will be reviewed annually by the Governing Board, and routinely amended as policies and procedures are updated, added, and deleted.
* include the lazy consensus mechanism in the Charter, subject to LF Legal review, and direct that the Charter language be cleaned up for readability, consistency, and deduplication or overuse of undefined terms. [/RESOLVED]
* Stephen Chin motioned to approve.
* CRob seconded the motion.
* All in favor; motion carried.

[WE HEREBY APPROVE/]: A resolution to:

* provide each historical committee of the board a defined scope with common governance aligned to the OpenSSF P&P, including individual scope, expectations and any delegated authority.
* direct that temporary committees of the board may follow these same processes for establishment. [/RESOLVED]
* Arun Gupta motioned to approve.
* Brian Fox seconded the motion.
* All in favor; motion carried.

### TAC Update

* CRob reviewed the TAC update, including Technical Initiative (TI, which includes WGs/SIGs/Projects) changes to consistent life cycles, TI requirements and benefits (Gives and Gets), and TAC Policies and Procedures.

### MVSR Temporary Committee Update

* SE reviewed the MVSR update, including transitioning the Roadmap (R) under the iterative GB P&P rather than a temporary committee, and the recommendation to complete the roadmap in 2024 Q1. A member recommended having a roadmap ready as soon as possible to get spending underway prior to the May budget reforecasting effort.

### Elections

* DM reviewed the elections to be completed through the end of 2023, including Associate Member, General Member, and SCIR Member GB representatives, TAC Community seats (#??), and GC backfill seats (2).
* DM reviewed the elections to be completed by February 2024, including TAC Chair and Vice Chair, and BC/GC/MC/PPC Committee Member seats.
### Closing

OA called for additional topics and expressed gratitude for all the work and accomplishments of this year. OA called the meeting to a close, and the meeting of the Governing Board adjourned at 11:57 PM Eastern Time.

### Decisions

1. The 2024 Budget was approved.
2. The supplemental funding concept was approved, delegating the operational details of the funding model procedures to the Governance Committee.
3. The resolution below was approved:
    1. separate the Charter (as edited in Exhibit I) into a cleaned-up Charter and distinct Policy and Procedure Resolution(s).
    2. seek LF Legal review of Charter changes (as edited in Exhibit I) prior to a Governing Board vote on charter amendment.
    3. publish all P&Ps in a publicly accessible location.
    4. adopt a rule in the OpenSSF P&P that all P&Ps will be reviewed annually by the Governing Board, and routinely amended as policies and procedures are updated, added, and deleted.
    5. include the lazy consensus mechanism in the Charter, subject to LF Legal review, and direct that the Charter language be cleaned up for readability, consistency, and deduplication or overuse of undefined terms.
4. The resolution below was approved:
    1. provide each historical committee of the board a defined scope with common governance aligned to the OpenSSF P&P, including individual scope, expectations and any delegated authority.
    2. direct that temporary committees of the board may follow these same processes for establishment.
**Action Items**

* n/a

--------------------------------------------------------------------------------
/Governing Board Public Minutes/2024-2-15.md:
--------------------------------------------------------------------------------

![OpenSSFLogo](https://user-images.githubusercontent.com/51727488/232104184-d3c38a36-cf1e-487f-aba2-c2d548e3f7ef.png)

**The Open Source Security Foundation**

MINUTES OF GOVERNING BOARD (FOR PUBLIC RELEASE)

15 February 2024

A meeting of the Governing Board of the Open Source Security Foundation was held on 15 February 2024 at 12:00 am Eastern Time via teleconference.

**Governing Board Members In Attendance**
| Company | Present | Governing Board Voting Member | Present | Governing Board Observer |
|---|---|---|---|---|
| Apple | X | Kelly Ann | X | Mike Hepple |
| AWS Security | X | Mark Ryland | | Henri Yandell |
| Capital One | | Mike Benjamin | | Nureen D'Souza |
| Cisco | | Stephen Augustus | | Ed Warnicke |
| Citi | X | Jonathan Meadows | | Rhyddian Olds |
| Dell Technologies | X | John Roese | X | Sarah Evans |
| Ericsson | X | Per Beming | | Georg Kunz |
| GitHub | X | Mike Hanley | X | Mike Linksvayer |
| Google | X | Eric Brewer | X | Anne Bertucio |
| Huawei | | Jingou Cui | | Liang Xu |
| IBM Corporation | X | Jamie Thomas | X | Jeff Borek |
| Intel | X | Arun Gupta (Chair) | X | Ryan Ware |
| JP Morgan Chase | X | Rao Lakkakula | | Benjamin Flatgard |
| Microsoft | X | Mark Russinovich | X | Stephen Walli |
| Morgan Stanley | X | Declan O'Donovan | | Gaja Anand |
| Red Hat | X | Vincent Danen | X | Emily Fox |
| Sonatype | X | Brian Fox | | Jeff Wayman |
| GitLab (General Mem. Rep) | X | David DeSanto | | |
| Kusari (General Mem. Rep) | X | Michael Lieberman | | |
| Lockheed Martin (General Mem. Rep) | X | Ian Dunbar-Hall | | |
| Rust Foundation (Assoc. Mem. Rep) | X | Rebecca Rumbul | | |
| Intel (TAC Representative) | X | CRob Robinson | | Arnaud Le Hors |
| SCIR | X | Justin Cappos | | |
**OpenSSF and Linux Foundation Staff**

| Role | Present | Name |
|---|---|---|
| General Manager, OpenSSF | X | Omkhar Arasaratnam |
| Chief of Staff, OpenSSF | X | Harry Toor |
| Ecosystem Strategist, OpenSSF | X | Bennett Pursell |
| Technical Project Manager, OpenSSF | X | Adrianne Marcum |
| VP of Open Source Supply Chain Security | X | David A. Wheeler |
| Director of Program Management | X | Amanda Martin |
| Program Manager | X | Khahil White |
| Program Manager | X | Kenny Paul |
| Chief Architect | X | Dana Wang |
| Community Manager | | Cheuk Ho |
| Program Coordinator | X | Reden Martinez |
| Sr. Marketing Manager | X | Jennifer Bly |
| Inside Sales Representative & Manager | X | Randi Armour |
| Executive Director, The Linux Foundation | | Jim Zemlin |
| SVP, GM of Projects, The Linux Foundation | | Mike Dolan |
| SVP of Program Operations, The Linux Foundation | X | Todd Moore |
### Introduction

Omkhar Arasaratnam (OA) called the meeting to order at 11:00 am Eastern Time; Reden Martinez (RM), Dr. Amanda Martin (DM) and Adrianne Marcum (AM) recorded the minutes. A quorum of Governing Board Members was established for the conduct of business, and the meeting, having been duly convened, was ready to proceed with business.

### Attendance, Antitrust, Voting

OA introduced the objectives and agenda for the meeting. There were no additional topics added.

OA reminded the Governing Board of the Linux Foundation [antitrust policy](http://www.linuxfoundation.org/antitrust-policy) notice to which all meetings must adhere.

### Approval of Minutes

* [WE HEREBY APPROVE/]: That the minutes of the December 12th, 2023 meeting of the Board of Directors, in the form attached hereto as Exhibit A, are hereby confirmed, approved and adopted. Minutes attached as Exhibit A. [/RESOLVED]
* Stephen Walli motioned to approve.
* Arun Gupta seconded the motion.
* All in favor; motion carried.

### Staffing Update

* OA introduced the newly added members of the OpenSSF staff.

### CISA RFC

* Brian Fox discussed the US Cybersecurity and Infrastructure Security Agency (CISA) announcement regarding the Request for Comment outlined in this [article](https://www.federalregister.gov/documents/2023/12/20/2023-27948/request-for-information-on-shifting-the-balance-of-cybersecurity-risk-principles-and-approaches-for). The request invites comments on many related topics beyond the written content. Submissions are expected by February 20, 2024, and the response from the OpenSSF requires approval from the Governing Board.
* [WE HEREBY APPROVE/]: This Temporary CISA RFC Committee has delegated authority to send in the OpenSSF response, as being prepared in [Exhibit B](https://docs.google.com/document/d/1FYY7DyLI7ReltlDN0ncdt1h6NwQK61MHlBKHpJ0l60A/edit#heading=h.m6m38593npz0), when they deem it ready by their own consensus vote, by the February 20th deadline. [/RESOLVED]
* Jamie Thomas motioned to approve.
* CRob seconded the motion.
* All in favor; motion carried.

**Technical Response Committee**

* Brian Fox presented the links, which include the responses from OpenSSF that require approval of the Governing Board.

Clarification - This is two separate votes: one being that there is a new committee, and the second being that we are re-scoping the PPC committee. We are combining these into one vote for simplicity, with the AND representing a clause of "IN ADDITION TO".

* [WE HEREBY APPROVE/]: That the Technical Response Committee (TRC) as defined in [Exhibit C OpenSSF Committee Resolutions v2 - Google Docs](https://docs.google.com/document/d/1I8RlqYUBHM_Wo70_b90sHwHyr9tIj5DQ_3daniCCK6Y/edit) should be considered by the OpenSSF Governing Board as a Committee of the Board AND the Public Policy Committee (PPC) Resolutions should be rescoped, giving both delegated authority. [/RESOLVED]
* Brian Fox motioned to approve.
* Stephen Walli seconded the motion.
* All in favor; motion carried.

**Committees of the Board**

* Dr. Amanda Martin presented the current committees of the board and those requiring additional seats for a vote:
    * The Governance Committee has 4 seats currently open
    * The Public Policy Committee has 7 seats currently open
    * The Technical Response Committee, currently pending, has 7 seats open for nomination

**Marketing Advisory Board**

* Harry Toor discussed the proposal to establish a Marketing Advisory Board.
* Premier Members exclusively serve on this committee, or anyone employed by the member company.
* The Marketing Committee received only 2 out of 7 expected nominations and heavily relies on staff support. Its successful Editorial Panel operates independently, while the committee lacks delegated authority.
* Proposal: reimagine the Marketing Committee as a task force to provide advice and take on focused initiatives.
* Would like to see a scope; come back to the GC with this scope.
* Would like to see regular reporting to the board, such as information sharing.
* [WE HEREBY APPROVE/]: The Governing Board establishes a Marketing Advisory Council that allows all OpenSSF members to participate, as well as Linux Foundation Members. This Advisory Council reports to the staff. [/RESOLVED]
* CRob motioned to approve.
* John Roese seconded the motion.
* All in favor; motion carried.

**SOSS Task Force**

* UPDATE: Adrianne Marcum (AM) provided updates on the SOSS Task Force. They contacted and proposed roadmaps, and shared them with the other task forces and the TAC. The task forces are setting up work structures, including coordination with existing Working Groups. There is ongoing activity within the OSIS and EDU task forces. AM also highlighted the accomplishments of the Task Force.
* CTA:
    * Original DC SOSS Summit participants for the OSSIE and TRSI TFs join the discussion
    * Folks with experience hiring secure software engineers reach out to the EDU-TF to help with Focus Areas #2 and #3
* AM also introduced the proposed roadmap and quarterly focus efforts for the following Task Forces for the remainder of 2024:
    * (OSSIE-TF) Open Source Security Integration and Enhancement Task Force
    * (TRSI-TF) Trusted Repository Security Initiative
    * (OSIS-TF) Open Source Integrity and Standardization Task Force
    * (EDU-TF) Open Source Education Task Force
* Eric Brewer suggested that OpenSSF could potentially establish a core class model. This would involve centralized lectures, with individual colleges managing their own TA grading and sessions. He pointed out that similar practices are already in place for large classes at Berkeley, demonstrating effective scalability.
* SOSS EU Task Force
    * Harry Toor introduced the launch of the EU Task Force for public policy advocacy, under the leadership of Georg Kunz from Ericsson. OpenSSF invites members to join this initiative. For involvement, reach out to [operations@openssf.org](mailto:operations@openssf.org).

### Training and Certification Plans

* David Wheeler discussed plans for training and certification.
* Feedback on the Secure Software Development Fundamentals Course was analyzed, suggesting the addition of multimedia (videos), labs, and refined questions. Related courses were analyzed, leading to the development of a proposed plan. A cybersecurity education survey will be conducted with LF Research to identify the top advanced areas.
* Main thrusts:
    * Enhance the fundamentals course with videos, optional labs, and refinements, remaining free.
    * Draft a course for managers overseeing software developers by June 30, 2023, focusing on expectations for secure software development.
    * Develop a relatively short advanced software development course ("201") based on the identified areas, potentially funded by OpenSSF with fees.

### Governance Committee Status Update

* Jeff Borek (JB) provided updates on the GC status, highlighting its ongoing role as a catalyst between the GB, TAC, and LF staff, facilitating timely progress towards organizational and community goals. JB also shared the list of current voting members for 2024.

**TAC Updates**

* CRob presented the 2024 TAC and the TI updates of each working group:
    * New TAC with expanded diversity and staggered seat terms.
    * "Identifying Security Threats WG" renamed to "Metrics & Metadata WG."
    * Adoption of the DEI WG, and of protobom by the Tooling WG.
    * Ongoing efforts include conducting a TI documentation audit, clarifying TAC election processes, and enhancing the "Maintainer Experience" within the OpenSSF.

### Upcoming Events

* Harry Toor shared the upcoming OpenSSF events for the first half of 2024.

### Closing

OA called for additional topics and called the meeting to a close, and the meeting of the Governing Board adjourned at 12:18 PM Eastern Time.

### Decisions
That the minutes of the December 12th, 2023 meeting of the Board of Directors, in the form attached hereto as Exhibit A, are hereby confirmed, approved and adopted. Minutes attached as Exhibit A. 589 |
This Temporary CISA RFC Committee has delegated authority to send in the OpenSSF response, as being prepared in Exhibit B, when they deem ready by their own consensus vote by the February 20th deadline. 593 |
That the Technical Response Committee (TRC) as defined in Exhibit C OpenSSF Committee Resolutions v2 - Google Docs should be considered by the OpenSSF Governing Board as a Committee of the Board AND the Public Policy Committee (PPC) Resolutions should be rescoped giving both delegated authority. 597 |
The Governing Board establish a Marketing Advisory Council that allows all OpenSSF members to participate as well as Linux Foundation Members. This Advisory Council reports to the staff and shares information with the GB. 601 |
604 | 605 | 606 | **Action Items** 607 | 608 | 609 | 610 | * Harry Toor will work with the Governance Committee to help develop a scope for the Marketing Advisory Council 611 | * Amanda Martin to send out the Interest form for TRC -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 
34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /OpenSSF Committee Resolutions.md: -------------------------------------------------------------------------------- 1 | # OpenSSF Committee Resolutions 2 | 3 | ## Budget and Finance Committee Resolution 4 | Whereas, the Budget and Finance Committee has been running for some period of time, the 5 | OpenSSF Governing Board resolves to recreate the Budget and Finance Committee (B&F), 6 | with the following Scope, Initial Membership, and Delegated Authority, and the 7 | understanding that the B&F is subject to the GB P&P. 8 | 9 | ### Scope: 10 | The Committee shall support the Governing Board by providing financial and 11 | budgeting oversight. 12 | 13 | ### The activities of the committee include: 14 | - The chair of the budget committee will assist LF staff in the preparation of budgets for 15 | Governing Board approval, monitor expenses against the budget and authorize 16 | expenditures approved in the budget. 
17 | - Propose to Governing Board an annual budget/operating plan 18 | - Propose to Governing Board membership dues 19 | - Propose to Governing Board process for receiving and evaluating external projects 20 | for OpenSSF sponsorship 21 | - All technical proposals for funded projects, after approval by the TAC, must be 22 | approved by the GB. (GB) [this will be decided by Budget committee when deciding 23 | rules/policy for funding things] 24 | - Propose to Governing Board which long or short term financial commitments to make 25 | - Propose to Governing Board what fundraising campaigns to run for openSSF 26 | initiatives 27 | - Propose to Governing Board which financial or in-kind contributions to accept or 28 | reject 29 | - Budget committee to ensure we are in compliance for financial ops with LF rules 30 | - Explore if someone is needed to do monthly financial ops/reviews, such as a 31 | Treasurer. 32 | - Decide funding for creating training program or materials 33 | 34 | ### Initial Membership: 35 | The Governing Board Policies & Procedures defines Committee membership and the GB 36 | encourages members to name their finance, budgeting and oversight experts to participate 37 | in the committee. 38 | 39 | ### Delegated Authority: 40 | The B&F has the following delegated authority: Follow the “Funding Release” Method. 41 | Review requests from the GM for funding requests greater than $100,000 but less than 42 | $250,000. Review underspend for more than $100,000, and move to different budget 43 | categories as needed to meet OpenSSF strategic priorities. Distribution of funds should 44 | follow the “funding release” method in the GB Policies and Procedures document. For 45 | delegated authority to apply, there must be a line item for the budget item, and that budget 46 | item must have the available funds. 
47 | 48 | The Committee will follow the “lazy consensus” method: For funding requests within the GM 49 | remit amount, the GM will ensure a communication (e.g. email) is sent to report the intent to 50 | approve a funding request to the B&F committee members. If no B&F committee input is 51 | received in the 5 day window, the funding request will be considered approved by the B&F 52 | committee. 53 | 54 | For funding requests within the remit of the B&F Committee amount, the B&F chair will 55 | ensure a communication (e.g. email) is sent to report the intent to approve a funding request 56 | to the GB members. If no B&F committee input is received in the 5 day window, the funding 57 | request will be considered approved by the GB. 58 | 59 | ## DevRel Committee Resolution 60 | 61 | Whereas, the DevRel Committee has been running for some period of time, the OpenSSF 62 | Governing Board resolves to recreate the DevRel Committee, with the following Scope, 63 | Initial Membership, and Delegated Authority, and the understanding that the DevRel 64 | Committee is subject to the GB P&P. 65 | 66 | ### Scope: 67 | The DevRel Community is affiliated with and managed by the Marketing Committee 68 | for the purpose of evangelizing the mission and work of the OpenSSF and building strong 69 | community outreach around end-users and open-source maintainers and contributors. 70 | The DevRel Community Initiative is responsible for designing, developing, and executing 71 | developer relations and outreach efforts on behalf of the Marketing Committee. A TAC Representative will be appointed by the DevRel Community to keep the OpenSSF TAC 72 | apprised of DevRel activities. 73 | 74 | ### The activities of the committee include: 75 | - Increase tooling adoption in critical OSS projects 76 | - Build easy adoption on-ramps for existing Projects. 
For the following projects, 77 | a DevRel Representative will work with the project leads to leverage the 78 | messaging and resource work these projects have already completed. 79 | Review and improve the on-ramping and adoption of these programs. Identify 80 | any gaps in community building, technical support, and guidance. 81 | Cross-pollinate DevRel activities, focusing on existing programs that are 82 | producing results. 83 | - Alpha-Omega 84 | - Sigstore 85 | - SLSA 86 | - Scorecard 87 | - Coordinate prioritized, individualized outreach to critical OSS projects. 88 | - Define approximate Personas for critical OSS projects to develop an 89 | outreach program for OpenSSF solutions. It will be important to 90 | understand who the target audience is, their characteristics, 91 | motivations, and their pain points in order to develop a unique 92 | message for each Persona type. Some work may have already been 93 | done in this area and could be leveraged. If there is no clear Persona 94 | roadmap, it is recommended this committee work with the GB 95 | Marketing Committee and TAC to develop one. 96 | - The DevRel Committee will create a plan for reaching out to critical 97 | OSS projects and offering OpenSSF’s expertise and solutions. They’ll 98 | do this in collaboration with the TAC, knowing the TAC has existing 99 | relationships and insights into these critical projects. The goal is to 100 | minimize noise sent to OSS projects and establish the OSS 101 | maintainer buy-in it will take to adopt OpenSSF projects. 102 | - Build and maintain relationships with the greater end-user and open-source 103 | communities. 104 | - Develop and communicate various channels for end-user and OSS 105 | contributor participation to raise awareness of OpenSSF. This will include the 106 | development of new channels which will allow participants to gain recognition 107 | for their efforts including: competitions, hack-a-thons, blog-a-thons, and a 108 | recognition program. 
109 | - Create an “OpenSSF Contributor Community” through easy contributor on-ramps 110 | and contributor-led project events. 111 | - Ensure there is clear, welcoming documentation and pathways for individuals 112 | wanting to contribute to OpenSSF projects (SLSA, OpenVex, sigstore). 113 | Coordinate with OpenSSF staff to create OpenSSF contributor-driven 114 | programming and space at events (such as OpenSSF Day). 115 | 116 | ### Membership: 117 | The Governing Board Policies & Procedures defines Committee membership and the GB 118 | encourages members to name their DevRel experts to participate in the committee. 119 | 120 | ### Delegated Authority: 121 | None 122 | 123 | ## Governance Committee Resolution 124 | Whereas, the Governance Committee has been running for some period of time, the 125 | OpenSSF Governing Board resolves to recreate the Governance Committee (GC), with the 126 | following Scope, Initial Membership, and Delegated Authority, and the understanding that the 127 | GC is subject to the GB P&P. 128 | 129 | ### Scope: 130 | This committee’s mission is to support the three governing bodies of the OpenSSF, which 131 | includes the Governing Board(GB), Technical Advisory Committee (TAC), and OpenSSF 132 | Staff (Staff) in helping them to fulfill their respective responsibilities by ensuring alignment, 133 | communication, and constant collaboration among all. Execution of this mission may occur 134 | through servicing specific requests from one or more branches in a higher-bandwidth, 135 | focused forum to provide recommendations to all bodies. 136 | 137 | This committee’s scope is to make recommendations to, raise awareness across, and share 138 | information between the GB, TAC, and LF Staff, as this committee deems appropriate. This 139 | committee is not empowered to make decisions but will vote on its recommendations. 
140 | 141 | ### Membership: 142 | The Governing Board Policies & Procedures defines Committee membership, and 143 | encourages members to send their GB members and observers to participate in the 144 | committee. The TAC chair and GM are key parts of operations, and are strongly encouraged 145 | to participate to facilitate a high-bandwidth communications arm of the GB. 146 | 147 | ### Delegated Authority: 148 | There is no specific delegated authority from the GB to the GC, but from time to time the GB 149 | may delegate work to the GC and may delegate authority to the GC for that work activity. 150 | 151 | ## Marketing Committee 152 | Whereas, the Marketing Committee has been running for some period of time, the OpenSSF 153 | Governing Board resolves to recreate the Marketing Committee, with the following Scope, 154 | Initial Membership, and Delegated Authority, and the understanding that the Marketing 155 | Committee is subject to the GB P&P. 156 | 157 | ### Scope: 158 | The Committee shall coordinate closely with the Governing Board and technical 159 | communities to maximize the outreach and visibility of the OpenSSF throughout the industry. 160 | Responsibilities include designing, developing and executing marketing efforts on behalf of 161 | the Governing Board. This work includes support of end-users and ambassadors for the 162 | Technical Initiatives. 
163 | 164 | ### The activities of the committee include: 165 | - Marketing Strategy and Governing Board Support 166 | - Provide marketing and communications strategy to support the Governing 167 | Board objectives & priorities 168 | - Provide advice on budget allocations for marketing activities 169 | - With staff, establish KPIs to track and monitor marketing activities 170 | - Provide monthly marketing updates for the Governing Board 171 | - Thought Leadership and Content Development 172 | - Determine messaging, narratives, and campaigns 173 | - Identify member-initiative synergies 174 | - Provide supporting executive comments for news releases 175 | - Work together to produce thought leadership blogs, social media posts, case 176 | studies, member spotlight webinars, white papers, etc. 177 | - Marketing Events Strategy and Coordination 178 | - Provide direction on event strategy and coordination 179 | - Represent the foundation at industry events and speaking engagements 180 | - Support digital and social media event promotion 181 | - Amplify efforts through collaboration 182 | 183 | ### Membership: 184 | The Governing Board Policies & Procedures defines Committee membership and the GB 185 | encourages members to name their marketing experts to participate in the committee. 186 | 187 | ### Delegated Authority: 188 | None 189 | 190 | ## Public Policy Committee Resolution 191 | Whereas the need for a Public Policy Committee is clearly outlined in the document, 192 | “OpenSSF Public Policy Committee Rationale”, the OpenSSF Governing Board resolves to 193 | create the Public Policy Committee (PPC), with the following Scope, Initial Membership, and 194 | Delegated Authority. 195 | 196 | ### Scope: 197 | The Committee shall provide the avenue for OpenSSF collaboration on public policy matters 198 | related to software supply chain, security, and assurance as it impacts the development, 199 | deployment, and use of open source software. 
The Committee is encouraged to solicit input 200 | from OpenSSF members and other organizations or members of the OSS ecosystem as 201 | appropriate. 202 | 203 | ### The activities of this Committee include: 204 | - Receiving and distributing information about pending legislation, regulation, or policy 205 | issues. 206 | - Evaluating and proposing priority policy developments on which the community is 207 | well-positioned to comment, exploring consensus, and establishing a committee 208 | recommendation. 209 | - Collaboratively developing and/or reviewing potential comments and responses (see 210 | ‘Purpose’ in the Rationale document) from the OpenSSF. 211 | - A vote by the Public Policy Committee is required to officially start new work or to 212 | send formal completed work from OpenSSF to another organization (e.g., a 213 | government). 214 | 215 | While the Committee may provide feedback as requested by governments and information 216 | on public policy proposals, it cannot lobby, as noted in [the Linux Foundation bylaws 217 | section 8.8](https://www.linuxfoundation.org/legal/bylaws). 218 | 219 | The PPC's work is in no way intended to prevent member organizations and individuals from 220 | responding to public organizations independently in their own capacity. 221 | 222 | ### Membership: 223 | The Governing Board Policies & Procedures defines Committee membership and the GB 224 | encourages members to name their public policy experts to participate in the committee. 225 | The PPC may invite outside experts as non-voting participants as needed from time to time. 226 | Reach out to Technical Initiatives through the TAC chair/TAC meetings for subject matter 227 | experts. 228 | 229 | ### Delegated Authority: 230 | The Public Policy Committee may propose recommendations (e.g., potential comments and 231 | responses) to governments and other organizations if approved by Committee vote without 232 | first requiring approval by the OpenSSF GB. 
The Committee will follow the “lazy consensus” 233 | and report approved votes to the GB (e.g., via email) within 5 days, such as a vote to take on 234 | new work or committee approval of completed work, to allow the GB time to review and 235 | request input. If no GB input is received in the 5 day window, the Public Policy committee 236 | recommendation will be considered approved by the GB. 237 | -------------------------------------------------------------------------------- /OpenSSF Content Policy.md: -------------------------------------------------------------------------------- 1 | # OpenSSF Content Policy 2 | 3 | The OpenSSF Content Policy lays out the purpose, process, and guidelines for official OpenSSF content channels including the blog, news room, social media, website, mailing list, and project websites and social media channels. 4 | 5 | 6 | # OpenSSF Blog 7 | 8 | 9 | ## Purpose 10 | 11 | The purpose of the OpenSSF Blog is to provide informative and educational content about open source software security to the wider open source community, demonstrate thought leadership, share important milestones, and highlight the value of getting involved in the work of OpenSSF. 
12 | 13 | 14 | 15 | * Inform about the OpenSSF and its work 16 | * Serve as central location for project news 17 | * Highlight achievements and milestones 18 | * Drive traffic to the site and ways to get involved 19 | * Demonstrate thought leadership 20 | * Generate interest in improving open source software (OSS) security 21 | 22 | **Content Calendar** 23 | 24 | 25 | 26 | * [Content calendar](https://docs.google.com/spreadsheets/d/1O7K6XWWU7R1GUZ69XfTaFT8Xi0k_c2jJD5qsmbG9KVc/edit#gid=0) 27 | * For OpenSSF staff, Marketing Committee (MC), Technical Advisory Council (TAC), Governing Board (GB) to collaborate and help get a sense for what is in the pipeline and to source new ideas 28 | 29 | **Guidelines** 30 | 31 | We aim to keep OpenSSF blog posts short and focused on what’s newsworthy, what’s cool, and what’s important to our community. We encourage links to source material for longer descriptions and deeper dives. Content should be presented in a conversational way that provides insight from the author’s expertise and perspective. 32 | 33 | 34 | 35 | * **Topic Area**: Stick to topics directly relevant to open source software security 36 | * **Tone**: Friendly, yet authoritative with a preference for first person voice 37 | * **Word Count**: average of 300 – 900 words 38 | * **Style**: Focus on readability. Write for the non-expert. Spell out acronyms upon first use. Break content into easily digestible parts with headings. 39 | * **Attribution**: Identify author(s) and affiliations. When possible, try to have authors from multiple organizations to demonstrate breadth of support and collaboration 40 | * **Intent**: No sales pitches please. While it is ok to highlight the work of an individual company, it should remain balanced and not be at the expense of others. 
Blogs exclusively about a for-profit-company’s products or services will not be accepted 41 | * **Images**: Relevant graphics like charts, graphs, and photos are encouraged 42 | 43 | **Submission Process** 44 | 45 | If you’d like to suggest a topic area or volunteer to write a post, send an email to [marketing@openssf.org](mailto:marketing@openssf.org) with your name, topic, and few lines describing the post you’d like to write. We’ll let you know if we think your topic would be a good fit for our blog. You may use the template below to get started. 46 | 47 | **Topic Proposal Template:** 48 | 49 | Topic: 50 | Objective: 51 | Headline: 52 | Author(s) (Name, Title, Organization): 53 | 1-3 Key Points: 54 | Call to Action: 55 | Value to Community: 56 | Target Publish Date: 57 | Graphic(s): 58 | Next Steps: 59 | 60 | Once the topic is approved, draft and submit the blog post. 61 | 62 | **Approval Process** 63 | 64 | 65 | 66 | * The review process for blog posts is generally 2-3 weeks using a shared Google document to capture inputs and make suggestions. 67 | * For technical statements on behalf of the organization, TAC and relevant WG leads should be notified; allowing at least 24-48 hours for feedback. 68 | * For coordination on major announcements, especially those that reference member organizations, MC should be aware. 69 | * Once the author has approved the final post, OpenSSF Marketing will schedule and publish the blog; provide author with the link; share with members and on OpenSSF social media channels. Don’t forget to share with your own networks too! 
70 | 71 | WGs should follow the process established above; Associated Projects should either create a similar process themselves or follow the same process established above. 72 | 73 | 74 | ## Reposts of OpenSSF Blogs Elsewhere 75 | 76 | 77 | 78 | * In general, reputable sources are allowed to repost as long as credit is clearly established and it links back to the original post 79 | * Individual requests can be handled on a case-by-case basis - contact [Jennifer Bly](mailto:jbly@linuxfoundation.org) 80 | * The LF APAC Team has an open invitation to repost content and translate material following the same guidelines above, reviewing translations for accuracy 81 | 82 | 83 | # OpenSSF News Room 84 | 85 | 86 | ## Purpose 87 | 88 | The purpose of the OpenSSF News Room is to house official press releases issued by the organization. Press releases are to provide notification about major announcements, releases, and milestones to the public and media sources. 89 | 90 | 91 | 92 | * Share newsworthy information 93 | * Serve as the home base for media pitches 94 | * Convey information about: 95 | * Major announcements 96 | * Momentum releases on a regular quarterly basis 97 | * New Premier Members - joint with new premier members 98 | 99 | 100 | ## Process 101 | 102 | 103 | 104 | 1. Develop content internally or in tandem with members in cases of joint releases 105 | 2. Confirm any quotes/outside contributions with the appropriate party 106 | 3. Enlist support from PR firm and Marketing Committee as needed 107 | 4. Notify Governing Board and TAC at least 24 hrs in advance 108 | 5. Pitch to press under embargo until release date and time 109 | 6. Post press release to OpenSSF site, Linux Foundation site, and release to the wire 110 | 7. 
Share on social media 111 | 112 | 113 | ## Guidelines 114 | 115 | 116 | 117 | * Follow the standard press release format including: title, city, date, OpenSSF and Linux Foundation boilerplates, and media contact information 118 | * Tone should be straightforward and tell a story that press can pick up on 119 | * Streamline content and keep it as brief as possible 120 | * Include quotes from spokespeople 121 | * All major releases from OpenSSF projects should be released from the OpenSSF itself 122 | 123 | 124 | # OpenSSF Social Media 125 | 126 | 127 | ## Purpose 128 | 129 | The purpose of the OpenSSF Social Media accounts is to provide regular and timely updates, showcase the work of the OpenSSF, increase visibility of OpenSSF initiatives, and engage with the community on topics related to OSS security. 130 | 131 | 132 | 133 | * Increase visibility of OpenSSF and key messages 134 | * Drive participation in OpenSSF activities and events 135 | * Build reputation as the go-to resource for all things open source security 136 | * Amplify reach of the foundation and partners/members/community 137 | 138 | 139 | ## Process 140 | 141 | 142 | 143 | 1. Discovery and content creation 144 | 2. Suggestions 145 | 1. Anyone may tag OpenSSF in the respective channels, and doing so is encouraged 146 | 2. Marketing Committee members are encouraged to provide content suggestions during meetings 147 | 3.
Share in the OpenSSF Slack #outreach channel, which is open to everyone and designed as a place for people to share social media posts, events, and news content with one another in real time 148 | 149 | 150 | ## Guidelines 151 | 152 | 153 | 154 | * OpenSSF official accounts: 155 | * Twitter - [https://twitter.com/openssf](https://twitter.com/openssf) 156 | * LinkedIn - [https://www.linkedin.com/company/openssf/](https://www.linkedin.com/company/openssf/) 157 | * Facebook - [https://www.facebook.com/openssf](https://www.facebook.com/openssf) 158 | * YouTube - [https://www.youtube.com/c/OpenSSF/](https://www.youtube.com/c/OpenSSF/) 159 | * GitHub - [https://github.com/ossf](https://github.com/ossf) 160 | * Blog - [https://openssf.org/blog](https://openssf.org/blog) 161 | * News Room - [https://openssf.org/news/](https://openssf.org/news/) 162 | * Website - [https://openssf.org/](https://openssf.org/) 163 | 164 | * Official project accounts: 165 | * [Sigstore](https://www.sigstore.dev/) 166 | * [Twitter](https://twitter.com/projectsigstore) 167 | * [SLSA](https://slsa.dev/) 168 | * [Scorecards](https://securityscorecards.dev/) 169 | * [Twitter](https://twitter.com/Scorecards_dev) 170 | 171 | * Tone should be casual, yet still professional 172 | * Pay attention to the norms, format, and style of each channel 173 | * Curate content about open source security that aligns with organizational objectives 174 | * Use tags and hashtags when appropriate such as #OSS #OSSsecurity #OpenSource #OpenSourceSecurity #Security #CyberSecurity #OpenSSFDay 175 | * Like/favorite/share/reshare relevant content 176 | 177 | 178 | # OpenSSF Website 179 | 180 | 181 | ## Purpose 182 | 183 | The purpose of the OpenSSF website is to be the official source of information about the OpenSSF.
It is designed to communicate information about the foundation, its working groups and projects, members, leadership, how to get involved, how to access training, how to become a member, the blog, publications and other important details. It is intended to represent the brand and make it easy for anyone who wants to learn more to get a firm understanding of the OpenSSF and its efforts to secure the open source software ecosystem. 184 | 185 | 186 | 187 | * Be the authoritative source for OpenSSF content 188 | * Establish corporate identity 189 | * Provide resources for members, potential members, community, press, general public, etc. 190 | * Highlight opportunities to get involved 191 | 192 | 193 | ## Process 194 | 195 | 196 | 197 | 1. Managed by OpenSSF staff 198 | 2. Content suggestions should be forwarded to OpenSSF Marketing 199 | 3. Reports related to website traffic and improvements are provided to the Marketing Committee each month 200 | 201 | 202 | ## Guidelines 203 | 204 | 205 | 206 | * Style is business-oriented 207 | * Consider ease of navigation 208 | * Aim for consistency 209 | * Provide value 210 | * Include calls to action as appropriate 211 | * Help visitors accomplish their goal for coming to the website 212 | 213 | 214 | # OpenSSF Mailing List 215 | 216 | 217 | ## Purpose 218 | 219 | The purpose of the OpenSSF Mailing List is to provide informative and educational content about open source software security and the OpenSSF to the community. Via the mailing list, OpenSSF delivers announcements, event info, and community news to the inbox of subscribers with the goal of driving increased participation and awareness of the latest OpenSSF news. 220 | 221 | 222 | 223 | * To communicate regularly with the community 224 | * Send monthly newsletters and invites to upcoming events 225 | * Provide value 226 | * Inform about upcoming opportunities 227 | * Increase participation 228 | 229 | 230 | ## Process 231 | 232 | 233 | 234 | 1.
Subscribe to the mailing list at: [https://openssf.org/sign-up/](https://openssf.org/sign-up/) 235 | 2. We’ll never spam you and you may unsubscribe from the mailing list at any time 236 | 3. By signing up, subscribers acknowledge their information is subject to The Linux Foundation's [Privacy Policy](https://www.linuxfoundation.org/legal/privacy-policy) 237 | 238 | 239 | ## Guidelines 240 | 241 | 242 | 243 | * Keep emails brief and to the point 244 | * Ensure quality, including working links 245 | * Include the main purpose and a call to action 246 | * Be mindful of the volume of email people receive, so limit usage to important and timely communication only 247 | * Content suggestions are welcome 248 | 249 | 250 | # Project Websites and Social Media 251 | 252 | 253 | ## Purpose 254 | 255 | A few OpenSSF projects have their own hosted websites and social media accounts separate from the main OpenSSF channels. These are intended to be the official source of information about those projects and to communicate with the community.
256 | 257 | 258 | 259 | * Authoritative source for certain Associated Project content 260 | * Establish unique identity 261 | * Serve community needs 262 | 263 | 264 | ## Process 265 | 266 | 267 | 268 | * Managed individually 269 | * Consult with OpenSSF on best practices and recommendations 270 | * Collaborate with OpenSSF Marketing to identify and take advantage of cross-sharing opportunities 271 | * Notify OpenSSF on major updates/announcements/new content 272 | 273 | 274 | ## Guidelines 275 | 276 | 277 | 278 | * Make a clear connection to OpenSSF via indication in the website header or footer and in social media profile descriptions 279 | * Uphold the same guidelines as the OpenSSF site and social media guidelines above 280 | * Collaborate with OpenSSF to sync on content and maximize reach 281 | -------------------------------------------------------------------------------- /OpenSSF Member Participation Guide.md: -------------------------------------------------------------------------------- 1 | # Open Source Security Foundation Member Participation Guide 2 | 3 | Welcome to OpenSSF! Our comprehensive guide simplifies the onboarding process for new members, ensuring a seamless transition into our community. Use this list to access exclusive programs, engage with industry peers, and fully leverage your organization’s membership benefits right from the start. 4 | 5 | For our existing members, thank you for your ongoing support! This list will help you stay actively involved and ensure your organization utilizes all the resources and opportunities available to you as an OpenSSF member.
6 | 7 | 8 | ## Membership Overview 9 | - [ ] Review the OpenSSF Membership Hub page, as well as the [OpenSSF New Member Welcome](https://docs.google.com/presentation/d/1ZQ7WjNH5fQL7qvpFN3jTFt-iQHqPpUc5of_azQc8iic/edit#slide=id.gc84c2d290f_0_126) and [OpenSSF Community Membership](https://docs.google.com/presentation/d/1yiAGkDwxTSHFsjlrx4fMdfpeb5LSW064lQZMN9n9F5M/edit#slide=id.g254aa5f1c0a_0_0) slide decks. 10 | 11 | - [ ] Log into the [OpenSSF Member Support Desk](https://helpcenter.linuxfoundation.org/en/). Membership contacts receive invitations to join the Member Desk during onboarding. [Reach out](mailto:support@openssf.org) for assistance! 12 | 13 | - [ ] Confirm your membership contacts in the [LFX Organization Dashboard](https://myorg.lfx.dev/). Your organization admins are able to make changes to these contacts. If you need assistance, please submit a [Member Support Desk ticket](https://helpcenter.linuxfoundation.org/en/). 14 | 15 | - [ ] Review your member listing on the [OpenSSF Landscape](https://landscape.openssf.org/). If any updates need to be made, please submit a ticket in the [OpenSSF Member Support Desk](https://helpcenter.linuxfoundation.org/en/). 16 | 17 | - [ ] Submit your contribution for the next OpenSSF new member press release to the [OpenSSF Marketing Team](mailto:marketing@openssf.org). We’ll reach out to you as part of onboarding. (New members only) 18 | 19 | - [ ] Check out the OpenSSF Membership FAQ to find answers to common membership questions. 20 | 21 | 22 | ## Subscribe to OpenSSF Communications 23 | 24 | - [ ] Join OpenSSF’s [Slack](https://app.slack.com/client/T019QHUBYQ3) channel. We’ll also send your contacts an invitation during onboarding. 25 | 26 | - [ ] Review OpenSSF’s [public mailing lists](https://lists.openssf.org/g/main/subgroups). We’ll add your member contacts to the private Member and Marketing lists during the onboarding process.
27 | 28 | - [ ] Subscribe to [OpenSSF communications](https://openssf.org/#newsletter) for foundation updates, event info, and the latest community news. 29 | 30 | 31 | ## Membership Benefits and Programs 32 | 33 | - [ ] Access your Linux Foundation [training benefits](https://openssf.org/training/) by submitting an OpenSSF Member Support [ticket](https://helpcenter.linuxfoundation.org/en/). 34 | 35 | - [ ] Review OpenSSF’s [Blog Program guidelines](https://openssf.org/community/blog-guidelines/) and submission process. 36 | 37 | - [ ] Submit a posting to the [OpenSSF Job Board](https://openssf.jobboard.io/) (Members get free featured posts. [Reach out](mailto:support@openssf.org) for assistance.) 38 | 39 | 40 | ## Participate 41 | 42 | - [ ] Display the [OpenSSF Membership Logo](https://github.com/ossf/artwork?tab=readme-ov-file#openssf-artwork-and-logos) on your website. 43 | 44 | - [ ] Sponsor an upcoming OpenSSF [event](https://openssf.org/events/). [Reach out](mailto:support@openssf.org) with questions! 45 | 46 | - [ ] Review the OpenSSF [Public Events Calendar](https://calendar.google.com/calendar/u/0/r?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ). 47 | 48 | - [ ] Attend the OpenSSF Marketing Committee meeting. [Reach out](mailto:support@openssf.org) for assistance! 49 | 50 | - [ ] Attend the OpenSSF biweekly [Technical Advisory Council](https://github.com/ossf/tac?tab=readme-ov-file) meeting. Add the [meetings](https://openssf.org/getinvolved/#calendar) to your calendar! 51 | 52 | - [ ] To learn more, visit the [OpenSSF Get Involved](https://openssf.org/getinvolved/) page for more ways to participate in the community.
53 | 54 | -------------------------------------------------------------------------------- /OpenSSF Policies and Procedures.md: -------------------------------------------------------------------------------- 1 | # OpenSSF Policies & Procedures 2 | 3 | ## Preamble 4 | The Policies and Procedures (P&P) document how decisions are made, committees form 5 | and behave, and how all the other day-to-day work needs to happen. Documenting all the 6 | P&P in one place provides the following benefits: 7 | - Slow moving charter is separate from faster evolving P&P. 8 | - P&P can more easily evolve to the complexity of the growing organizational 9 | architecture of participation. 10 | - All committees get the benefit of evolving participative organizational knowledge. 11 | - The P&P are consistently documented. 12 | - It’s clear in a large organization that ALL committees are created by a board 13 | resolution that sets scope, initial membership, and any delegated authority, and then 14 | behave the same way. 15 | 16 | **These P&P are not intended to be templates for committees and other subgroups to 17 | use and edit. They are the P&P that apply to all. Differences from the P&P between 18 | committees (or TAC WGs for example) should be noted in the formation decisions of 19 | their parent organization.** 20 | 21 | # Governing Board 22 | 23 | ## Committees 24 | The Governing Board creates committees to carry out operational work. A committee can either be a standing committee that exists at all times (although it may only meet as 25 | needed), or an ad hoc committee that is created to accomplish a specific task (e.g., create a 26 | report) and possibly for a fixed period of time. 27 | 28 | ## Committee Creation/Dissolution 29 | 1. The GB creates committees by a resolution and sets their type (standing or ad hoc), 30 | scope, and mission or expected outcomes in a resolution. 
As well, the GB can 31 | delegate authority in the specific charter to the committee for decisions/work that 32 | does not require GB approval. 33 | 2. Ad Hoc committees cease to exist once their task is complete and delivered to the 34 | GB or their time limit has expired. The GB can extend the life of an Ad Hoc committee by resolution. 35 | 3. The GB can dissolve a committee by resolution. 36 | 4. Committees inherit rules for quorum and voting from the GB. 37 | 5. Committees are expected to report regular status to the GB. 38 | 39 | ## Committee Membership 40 | 1. The GB calls for initial member volunteers as they form the committee. Every 41 | Premier Member is entitled to appoint one representative as a voting committee 42 | member. Only Premier Members can be voting members. 43 | 2. The list of voting committee members is recorded and maintained by LF staff for 44 | roll-call at the beginning of meetings to establish quorum, and for voting purposes 45 | (whether in meetings or by electronic means). To maintain voting privileges, 46 | committee members must attend 2 of the last 3 meetings. 47 | 3. Newly joined (to OpenSSF Premier Membership) representatives may be added to a 48 | committee's voting membership if they have attended the previous two meetings and 49 | have sufficient committee function context. 50 | 4. The voting membership is representative of the Premier Member company, not the 51 | individual. A voting member of a committee can send a delegate to act as their voting 52 | representative to a meeting. The delegate needs to identify themselves (who they are 53 | and who they are attending on behalf of) during the roll call at the beginning of the 54 | meeting. Scheduling conflicts may happen but that shouldn’t mean automatic loss of 55 | votes; delegate assignment conveys the interest of the member despite conflicts. 56 | 5. Member representatives can be replaced by their appointing Premier Member by 57 | notifying LF staff of the change in personnel. 58 | 6.
A Premier Member (or their representative) can resign their committee position by 59 | notifying Linux Foundation staff. 60 | 7. If a voting committee member is deemed to be dormant and unreachable, then the 61 | rest of the voting committee members can vote to remove the member. Dormant is 62 | defined as having missed 5 consecutive meetings without sending a delegate. 63 | 8. The GB can appoint non-member specialists to a committee in special cases. Such 64 | special cases should be recorded in the formation GB resolution. These specialists 65 | will act as subject matter experts, but may not have voting rights except as defined in 66 | the charter (currently limited to Premier Members). 67 | 9. General Members can send representatives to committees to participate, but they 68 | are non-voting members of the committee. 69 | 10. Premier Members can have more than one representative of the company attend 70 | committee meetings, but only one will be a voting member. 71 | 72 | ## Committee Officers 73 | 1. The committee elects a chairperson. The committee can elect co-chairs or vice-chairs 74 | as they see fit. These roles are collectively known as the committee officers. 75 | 2. Officers must be voting members of the committee. 76 | 3. Elected positions serve for a year or until their successors are elected. A committee 77 | member serving in a position can be re-elected in subsequent years. 78 | 4. LF staff run the election (gathering candidate nominations, running the ballot, 79 | announcing and recording the outcome) in a reasonable manner. 80 | 5. The election calendar should be in the Fall, coordinating with LF staff to manage the 81 | workload of running elections. 82 | 6. The chairperson is responsible for calling the meeting, setting and publishing the 83 | agenda before the meeting, and running the meeting. 84 | 7. The chairperson is responsible for providing regular status updates to the GB.
If the 85 | chairperson is invited to attend other committee meetings or the GB, they do so as a 86 | guest without voting privileges. 87 | 88 | ## Meetings 89 | 1. The Committee determines the frequency of meetings to get their work done. For 90 | example, a Code-of-Conduct Committee might only meet (in camera) if there are 91 | code-of-conduct reports to discuss, while a Marketing Committee might meet every 92 | other week. 93 | 2. A closed meeting includes only voting members of the committee. For transparency, 94 | most meetings should be open unless there is a compelling reason to have a closed 95 | meeting. An example of why a committee may choose a closed meeting is if a 96 | confidential situation arises (e.g., a Code of Conduct report). 97 | 3. Committee meeting attendees will be recorded as well as any decisions, 98 | recommendations, and reports out of the committee to the GB. 99 | 4. All committee artifacts (e.g., minutes, reports, etc.) will be recorded by LF staff and 100 | available to any GB member, unless explicitly kept private due to the sensitive nature 101 | of the work (e.g., artifacts pertaining to a code of conduct discussion). 102 | 5. While minutes covering attendance and decisions should be recorded, minutes of a 103 | Committee need not be approved by the Committee. 104 | 105 | ## Committee Work 106 | 1. A committee organizes their work as they see fit. For example, a committee can 107 | create required subcommittees to organize their work or engage specific 108 | communities (e.g., the DevRel Subcommittee under the Marketing Committee) or 109 | work towards specific tasks (e.g., prepare a conference report). 110 | 111 | ## Additional Committee Voting Policies 112 | 1. Quorum is at least 1⁄2 of all voting Members (when voting either synchronous in a 113 | meeting or asynchronous by email). 114 | 2. A vote passes if it passes by a majority of eligible voters (more than 50%) 115 | participating in the vote. 
Voting may be done asynchronously (by email), but in that 116 | case the voting period must be no less than 2 full US non-Federal-holiday business 117 | days or it must be approved by 50% of all eligible voters in the committee. 118 | 119 | ## General Member Representatives 120 | 1. The Governing Board determines the election process for General Member 121 | Representatives to the GB. 122 | 2. The GB: 123 | a. Requests LF staff to run a formal call for candidates within the candidate pool 124 | of General Members with a reasonable 1-2 week period for candidates to 125 | identify themselves. 126 | b. Following the collection of candidates, LF staff run a Condorcet vote amongst 127 | the General Members, and announce the winner to the General Members and 128 | GB. 129 | 3. General Member Representatives serve for a year or until their successors are 130 | elected. 131 | 4. A General Member Representative can stand as a candidate for election in 132 | subsequent years. 133 | 5. The election calendar should be in the Fall, coordinating with LF staff to manage the 134 | workload of running elections. 135 | 6. If a General Member representative to the GB resigns their position, and there are 136 | still at least N months left in their term, the member with the next most votes can 137 | finish out the term. If that subsequent member on the list cannot serve for any 138 | reason, the member getting the next most votes is selected, and so on. If no member 139 | from the original election is able to finish the term, then General Members should 140 | hold a new election. 141 | 142 | ## Amending the Policies & Procedures 143 | The OpenSSF Policies & Procedures may be amended by a two-thirds vote (excluding 144 | abstentions) of Governing Board members in good standing [per section 7.a.i](https://cdn.platform.linuxfoundation.org/agreements/openssf.pdf).
145 | - Store in the GC GitHub, and document pain points and suggested improvements in 146 | pull requests and issues 147 | - Review semi-annually, or as a priority ad hoc issue arises 148 | - If updates are raised, plan to make quarterly releases of the updates that are raised, in 149 | line with quarterly board meetings. As the GB P&P process is newly adopted, there 150 | will most likely be a flurry of activity to address, after which the review / release process will 151 | settle into more of a maintenance review cadence. 152 | - As ongoing work is requested, the GC chair should coordinate with the GM (who will 153 | recommend the appropriate staff to participate), TAC Chair, Committee chairs, plus 154 | other interested board members and relevant SMEs. Work should be prioritized and 155 | accomplished asynchronously from the GC meetings, with updates on work progress 156 | in the GC meetings. An ongoing list of clarifications to use as a starting point: Intro to 157 | OpenSSF Charter, Policies, and Procedures - Google Docs. 158 | - GC will make a recommendation vote to update P&P language, with lazy consensus by 159 | the GB 160 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Open Source Security Foundation - OpenSSF 2 | 3 | Collaborating to secure the open source ecosystem 4 | 5 | Open source software has become pervasive in data centers, consumer devices, and services, representing its value among technologists and businesses alike. Because of its development process, the OSS that ultimately reaches end users has a chain of contributors and dependencies. It is important that those responsible for their users’ or organization’s security are able to understand and verify the security of this dependency chain.
6 | 7 | # OpenSSF Governance and Legal Documents 8 | 9 | * [OpenSSF Funding Charter](https://cdn.platform.linuxfoundation.org/agreements/openssf.pdf) 10 | * [OpenSSF Governing Board members](https://openssf.org/about/board/) 11 | * [OpenSSF Direct Fund Agreement](https://docs.google.com/document/d/1Pkpcqoom9EFXBwQYVtma565WBA5ULYOCNiZYtnrGQuo/edit?usp=sharing) 12 | 13 | # Get Involved! 14 | * [Open SSF Community Calendar](https://calendar.google.com/calendar/r?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ) 15 | * [Open SSF Mailing Lists](https://lists.openssf.org/g/main/subgroups) 16 | * [Open SSF web site](https://openssf.org/) 17 | * [Open SSF Slack](https://slack.openssf.org/) 18 | * [Index of Repositories](https://github.com/ossf/community) 19 | -------------------------------------------------------------------------------- /vulnerability-disclosure-policy.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## OpenSSF Outbound Vulnerability Disclosure Policy 4 | 5 | The OpenSSF adheres to the Model Outbound Vulnerability Disclosure Policy, Version 0.1. 6 | 7 | _IMPORTANT: This policy is not about how the Open Source Security Foundation (OpenSSF) handles vulnerabilities disclosed to the OpenSSF for its software projects (i.e., incoming disclosures). Instead, it refers to how the OpenSSF publicly discloses vulnerabilities it finds in all projects (i.e., outgoing disclosures)._ 8 | 9 | 10 | ## Future Automated Disclosure+Fix 11 | 12 | Certain classes of vulnerabilities are common, widespread, easily detectable, and fixed with automated tooling. The distribution of fixes can be automated, helping maintainers at scale. In these cases, the scope of the vulnerability class is often beyond what can be reasonably reported to each maintainer manually. 13 | 14 | The OpenSSF Vulnerability Disclosure WG Autofix SIG is working on an update to the Model Policy for automated disclosures with fixes.
We will update this policy when the results of that effort are released. 15 | 16 | 17 | ## Questions? 18 | 19 | Open an issue under the [OpenSSF Vulnerability Disclosure Working Group Repository](https://github.com/ossf/wg-vulnerability-disclosures/issues), or ask in the [OpenSSF Slack](https://slack.openssf.org/) under the WG Vulnerability Disclosure channel. 20 | 21 | 22 | --- 23 | 24 | 25 | ## Model Outbound Vulnerability Disclosure Policy: Version 0.1 26 | 27 | 28 | ## Manual Disclosure Policy 29 | 30 | We believe that vulnerability disclosure is a collaborative, two-way street. All parties, maintainers[^1] as well as researchers, must act responsibly. This is why we adhere to a maximum **90-day** public disclosure time limit, the “Time Limit”. We immediately privately report to maintainers when we discover vulnerabilities within their software; the date of that report is the “Notice Date”. If a project responds to the private report within 21 calendar days, the details will be publicly disclosed (shared with the defensive community) 90 days after the Notice Date, on the “Publication Date”, or sooner if the maintainer releases a fix prior to the Publication Date. That Publication Date can vary in the following ways: 31 | 32 | 33 | 34 | * If a Time Limit is due to expire on a weekend or major public holiday, the Publication Date will be moved to the next normal work day. We are a global community and if there is a conflict, we kindly request that maintainers communicate these conflicts up-front. 35 | * We expect maintainers to respond within 21 calendar days of the Notice Date to let us know how the issue is being mitigated to protect impacted end-users. If we do not receive any engagement from the maintainers within 35 days of the Notice Date that affirms their intention to fix the vulnerability within the Time Limit, we reserve the right to fully publicly disclose the vulnerability at that point.
36 | * Before the Time Limit has expired, if maintainers let us know that remediation publication is scheduled for release or publication on a specific day that will fall within 14 days following the Publication Date, we will delay the Publication Date until the availability of the remediation. If the remediation is not published within 14 days, publication will only be delayed if there is an extreme circumstance (as defined below). 37 | * When we observe a previously unknown (to the public) and unpatched vulnerability in software under active exploitation (a “0-day”), we believe that more urgent action is appropriate. The Publication Date for a 0-day will be accelerated to within 7 days of the Notice Date, with one exception. 38 | * If it is before the Publication Date, but the vulnerability is observed under active exploitation, it moves to the 0-day policy (above). 39 | * If the maintainers communicate that the reported vulnerability will not be fixed, or state it is not a vulnerability, then the details may be immediately released. 40 | 41 | As always, we reserve the right to bring the Publication Date forward or push it back based on extreme circumstances (e.g., the maintainers live in a country hit by an earthquake, or a new class of vulnerabilities is being reported, as with Spectre and Meltdown). Changes to the Publication Date will be explicitly communicated to the maintainers. 42 | 43 | 44 | ## Rationale 45 | 46 | This policy is primarily designed to minimize harm to downstream users, both in its application on the micro-scale, for individual disclosures, and the macro-scale, across all disclosures. We believe this policy does so, while also respecting the needs of both maintainers and researchers. 47 | 48 | This policy is strongly aligned with the desire to shorten the remediation time for security vulnerabilities and, where possible, support maintainers by providing fixes.
We expect this to reduce harm to the ecosystem and downstream users, while softening landings for remediations marginally over the time limit. This policy was inspired by the policies from [CERT/CC](https://vuls.cert.org/confluence/display/Wiki/Vulnerability+Disclosure+Policy), [Facebook](http://facebook.com/security/advisories/Vulnerability-Disclosure-Policy), [Google](https://about.google/appsecurity/), [Rain Forest Puppy](https://dl.packetstormsecurity.net/papers/general/rfpolicy-2.0.txt), & [The Zero Day Initiative (ZDI)](https://www.zerodayinitiative.com/advisories/disclosure_policy/). We call on all researchers to adopt disclosure time limits in some form, as appropriate, and welcome you to use this policy verbatim. We expect that all parties will benefit from more reasonably-timed remediations resulting in smaller windows of opportunity for attackers to abuse vulnerabilities. Vulnerability disclosure policies such as this result in greater overall safety for users of technology and the internet. 49 | 50 | 51 | 52 | ## Notes 53 | 54 | [^1]: 55 | Including, but not limited to: open source software maintainers, vendors, suppliers, not-for profits, and corporations. 56 | --------------------------------------------------------------------------------
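The Manual Disclosure Policy above is a set of date rules (90-day Time Limit, 21/35-day engagement window, 14-day grace for a scheduled fix, 7-day 0-day clock, weekend roll-over, immediate release on "won't fix"). A disclosure-tracking tool has to turn those rules into a single Publication Date per case, and the interaction between them is where mistakes happen. The following calculator is an added worked example, not code from OpenSSF or the Vulnerability Disclosure WG. It assumes, beyond what the policy says: only Saturday and Sunday count as non-work days (no public-holiday calendar is modelled); a 0-day observed after the Notice Date counts its 7 days from the observation date; the 14-day grace for a scheduled fix applies only to the standard 90-day Time Limit; and "no engagement within 35 days" is modelled as publication on day 35. The sample dates are constructed.

```python
"""Publication Date calculator for the Model Outbound Vulnerability Disclosure
Policy v0.1 rules. Added example, not OpenSSF code.

Assumptions not stated in the policy (see lead-in): weekends only as non-work
days; 0-day clock runs from max(Notice Date, observation date); the 14-day
fix grace applies only to the 90-day path; no engagement => publish on day 35.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

TIME_LIMIT_DAYS = 90        # standard Time Limit, counted from the Notice Date
NO_ENGAGEMENT_DAYS = 35     # no affirmation of intent to fix -> may disclose
FIX_GRACE_DAYS = 14         # scheduled fix shortly after the Publication Date
ZERO_DAY_DAYS = 7           # unpatched, publicly unknown, actively exploited


@dataclass
class DisclosureCase:
    notice_date: date
    maintainer_engaged: bool = True                 # affirmed intent to fix in time
    fix_date: Optional[date] = None                 # released or scheduled remediation
    wont_fix_on: Optional[date] = None              # maintainers declined / "not a vuln"
    exploitation_observed: Optional[date] = None    # date active exploitation was seen
    extreme_circumstance: bool = False              # explicit, communicated exception


def next_work_day(d: date) -> date:
    """Roll a deadline that lands on Saturday/Sunday to Monday (holidays not modelled)."""
    while d.weekday() >= 5:
        d += timedelta(days=1)
    return d


def publication_date(case: DisclosureCase) -> date:
    n = case.notice_date

    # Maintainers refuse to fix or dispute the finding: details may be released at once.
    if case.wont_fix_on is not None:
        return case.wont_fix_on

    # Pick the governing clock. A 0-day observed later moves the case to the 7-day branch.
    if case.exploitation_observed is not None:
        start = max(n, case.exploitation_observed)  # assumption: clock restarts at observation
        deadline = next_work_day(start + timedelta(days=ZERO_DAY_DAYS))
        grace_allowed = False
    elif not case.maintainer_engaged:
        deadline = next_work_day(n + timedelta(days=NO_ENGAGEMENT_DAYS))
        grace_allowed = False
    else:
        deadline = next_work_day(n + timedelta(days=TIME_LIMIT_DAYS))
        grace_allowed = True

    if case.fix_date is None:
        return deadline
    # A fix that lands on or before the deadline is published with the fix.
    if case.fix_date <= deadline:
        return case.fix_date
    # A fix scheduled within 14 days after the Publication Date is waited for.
    if grace_allowed and case.fix_date <= deadline + timedelta(days=FIX_GRACE_DAYS):
        return case.fix_date
    # Beyond the grace window only an extreme circumstance delays publication.
    if case.extreme_circumstance:
        return case.fix_date
    return deadline


if __name__ == "__main__":
    notice = date(2024, 1, 8)  # constructed Notice Date (a Monday; day 90 is a Sunday)
    for label, case in [
        ("standard", DisclosureCase(notice)),
        ("no engagement", DisclosureCase(notice, maintainer_engaged=False)),
        ("0-day at notice", DisclosureCase(notice, exploitation_observed=notice)),
        ("fix in grace", DisclosureCase(notice, fix_date=date(2024, 4, 15))),
        ("fix too late", DisclosureCase(notice, fix_date=date(2024, 5, 1))),
    ]:
        print(f"{label:16} -> {publication_date(case)}")
```

The branch order matters: a "won't fix" answer wins over everything, active exploitation wins over the engagement and Time Limit clocks, and the fix-date adjustments are applied only after the governing deadline is known. Note that the weekend roll-over applies to deadlines the policy computes, not to a fix date the maintainers chose themselves.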