🏆Open Source Security Foundation (OpenSSF) Best Practices Badge (formerly Core Infrastructure Initiative (CII) Best Practices Badge)
This project identifies best practices for
Free/Libre and Open Source Software (FLOSS)
and implements a badging system for those best practices.
The “BadgeApp” badging system is a simple web application
that lets projects self-certify that they meet the criteria
and show a badge.
The real goal of this project is to encourage projects to
apply best practices, and to help users determine which FLOSS projects do so.
We believe that FLOSS projects that implement best practices are more likely
to produce better software, including more secure software.
See the
OpenSSF Best Practices badge website if you want to try to actually get a badge.
This is the development site for the criteria and badge application
software that runs the website.
Feedback is very welcome via the
GitHub site
as issues or pull (merge) requests.
There is also a
mailing list
for general discussion.
This project was originally developed under the CII, but it
is now part of the
Open Source Security Foundation (OpenSSF)
Best Practices Working Group (WG).
The original name of the project was the CII Best Practices badge, but
it is now the OpenSSF Best Practices badge project.
Interesting pages include:
This is a summary of the passing criteria, with requirements in bold:
Getting a passing badge is a significant achievement;
on average only about 10% of pursuing projects have a passing badge.
That said, some projects would like to meet even stronger criteria,
and many users would like projects to do so.
We have established two higher levels beyond passing: silver and gold.
The higher levels strengthen some of the passing criteria and add new
criteria of their own.
Here is a summary of the silver criteria, with requirements in bold
(for details, see the full list of silver criteria):
Here is a summary of the gold criteria, with requirements in bold
(for details, see the full list of gold criteria):
If you’ve used this system in the past, you may have referred to our doc
subdirectory for documentation. We have renamed that to a docs
subdirectory.
We have recently moved to the new main site
https://www.bestpractices.dev.
For many years the main site was at
https://bestpractices.coreinfrastructure.org.
However, the Core Infrastructure Initiative (CII) has ended, and we have
become part of the Open Source Security Foundation (OpenSSF).
Therefore, it made sense to change the domain name so it’s no longer tied
to the CII. The domain name is much shorter, too.
We use the “www” subdomain because there are technical challenges using
the bare (apex) domain with our CDN; it’s more efficient to use the subdomain.
All material in this repository is released under the MIT license.
All material in this repository that is not executable,
including all text when not executed,
is also released under the
Creative Commons Attribution 3.0 International (CC BY 3.0) license or later.
In SPDX terms, everything here is licensed under MIT;
if it’s not executable, including the text when extracted from code, it’s
“(MIT OR CC-BY-3.0+)”.
Like almost all software today, this software depends on many
other components with their own licenses.
Not all components we depend on are MIT-licensed, but all
required components are FLOSS. We prevent licensing issues
using various processes (see CONTRIBUTING).
The data managed by this software is under different highly-permissive
open data licenses,
depending on when the data was last updated:
The complete collection of data managed by this application is thus
licensed with the SPDX license expression “(CC-BY-3.0 AND CDLA-Permissive-2.0)”.
Only a few old entries are under CC-BY-3.0, so if those
oldest data values are omitted, the remaining dataset is released under the expression
“(CC-BY-3.0+ AND CDLA-Permissive-2.0)”.
Submitters of data retain copyright (if any), and
the project license is unaffected.