An aspirational view of the future we seek to create in 2-5 years:
The OpenSSF is a trusted partner to affiliated open source foundations and projects, and provides valuable services to those projects and foundations.
- The OpenSSF is well positioned within the broader ecosystem and has a clearly articulated charter which supports the activities of the broader community of open source practitioners
- To maintain that trusted relationship, the OpenSSF's mission and value proposition are periodically reviewed with community representatives and constituents, as well as its funding Members
- OpenSSF resources are responsibly managed and utilized towards this Vision in clear, consistent, transparent, and democratic ways.
- Where overlap exists between the OpenSSF's mission and that of another organization, the OpenSSF strives to support other organizations through partnership first, and does not engage in "picking winners and losers".
- OpenSSF is clearly positioned within the broader ecosystem with a clear, altruistic charter
- Periodically review the value proposition of OpenSSF with key stakeholders
- Joint OKRs on shared execution, utilization of OpenSSF-managed tools & content
- Roadmap alignment: if overlap exists between OpenSSF and another stakeholder, either publicly document rationale OR create/document/execute a convergence plan
- OpenSSF speaks with a trusted voice to users, contributors, and the broader market
OpenSSF is an influential advocate for mutually-beneficial external efforts and an educator of policy decision makers
- Support creation & use of meaningful, actionable standards (e.g. SBOM formats, MFA)
- OpenSSF advocates for various actors (including maintainers, contributors, and adopters) in the open source ecosystem to improve their default security posture, and catalyzes efforts to reduce or eliminate friction in achieving that state; for example (but not exclusively):
- SLSA ensures that tampering and other security threats to the software supply chain of open source projects, groups, and communities are reduced and/or eliminated
- Memory Safety efforts that aim to eliminate entire classes of security threats by using memory-safe programming languages where possible
- Advocacy may be statements of support, education material, and/or direct funding
Consumers of OSS can leverage clear & consistent trusted signals to better understand the security profile of open source content
- Including (but not exclusively) provenance of source code & artifacts, security posture of projects and artifacts, community health metrics, vulnerability information, and measures of consumer demand (e.g. criticality score)
- Consumers of OSS quickly understand the maintainer’s intentions regarding not only the license but also the project’s security posture (e.g. project archived, accepting PRs, etc.)
- All consumers of OSS (including producers of OSS who consume dependencies) will have zero-cost access to training, tooling, and security information to make educated choices as they interact with the open source ecosystem
Producers of OSS (of all skill levels) have the ability to proactively and reactively address both existing and emergent security threats
- Best practices guides & education materials that ensure both current and future OSS developers obtain & maintain sufficient secure development skills
- Extremely low-friction, automated tooling to make security processes less onerous, more accurate, and trusted (burden of maintenance offloaded through opt-in automation); these tools and improvements will be made available at zero cost
- Ability to start new projects from a more secure default position
- Ensure sufficient staffing, auditing, continuous testing, rigor for critical projects