Guidance: Open Source Policy
The following points should be viewed as suggestions based on the success and best practices of organizations employing them. They are not part of SCVS.
- All organizations that use open source software should have an open source policy
- The open source policy is supported and enforced by cross-functional stakeholders
The open source policy should address:
- The age of a component based on its release or published date
- How many major or minor revisions old are acceptable
- Guidance for keeping components continuously updated via automation
- Exclusion criteria for components with known vulnerabilities
- Mean-time-to-remediate criteria for updating at-risk components
- Restrictions on using components that are end-of-life or end-of-support
- Criteria for supplier selection or exclusion
- Usage-based list of acceptable licenses
- Prohibited components list
- Mechanisms and permissions for providing modifications back to the community producing the component