{"id":18508458,"url":"https://github.com/ossf/tac","last_synced_at":"2025-10-31T18:30:34.660Z","repository":{"id":37333381,"uuid":"278185983","full_name":"ossf/tac","owner":"ossf","description":"Technical Advisory Council","archived":false,"fork":false,"pushed_at":"2024-05-22T18:11:37.000Z","size":6340,"stargazers_count":103,"open_issues_count":37,"forks_count":44,"subscribers_count":39,"default_branch":"main","last_synced_at":"2024-05-22T18:28:07.296Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://openssf.org","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ossf.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-07-08T20:16:37.000Z","updated_at":"2024-05-22T18:28:08.600Z","dependencies_parsed_at":"2023-02-19T11:01:27.641Z","dependency_job_id":"b3a8470b-3fd4-4a32-9d3f-98ed05e20316","html_url":"https://github.com/ossf/tac","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Ftac","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Ftac/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Ftac/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Ftac/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ossf","download_url":"https://codeload.github.com/ossf/tac/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://githu
b.com","kind":"github","repositories_count":239221203,"owners_count":19602380,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-06T15:14:25.555Z","updated_at":"2025-10-31T18:30:34.600Z","avatar_url":"https://github.com/ossf.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# OpenSSF Technical Advisory Council (TAC)\n\nThe OpenSSF Technical Advisory Council is responsible for oversight of the various Technical Initiatives (TI) of the OpenSSF.\n\n## Get Involved\n\nAlthough the TAC is composed of a set of official members listed below, any community member is welcome to participate in the TAC discussions.\n\nOfficial communications occur on the [TAC mailing list](https://lists.openssf.org/g/openssf-tac/topics). 
[Manage your subscriptions to OpenSSF mailing lists](https://lists.openssf.org/g/main/subgroups).\n\nInformal discussions occur in the TAC channel of the [OpenSSF Slack](https://slack.openssf.org/).\nTo join, use the following [invite link](https://join.slack.com/t/openssf/shared_invite/zt-xoktwsef-VzM~b22G2gfT_~4woTTsQA).\n\nUse [GitHub Issues](https://github.com/ossf/tac/issues) to request and discuss agenda items.\n\nIf you need support in any part of the process, please email [operations@openssf.org](mailto:operations@openssf.org?subject=GitHub%20Issue).\n\n## Meetings\n\nThe TAC [meeting minutes](https://docs.google.com/document/d/1EieWyhKntZ7BzaZS97-BOybfMTUT4sZ72ViXq8QyYWs) are online and appear on the [OpenSSF Community Calendar](https://calendar.google.com/calendar?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ).\n\nMeetings are also recorded and posted to the [OpenSSF YouTube channel](https://www.youtube.com/channel/UCUdhiXNEBEayowJXY_v7AXQ/).\n\n## TAC Members\n\n| Name             | Position | Email                          | Organization | Term                      |\n| ---------------- | :--------: | ------------------------------ | ------------ | --------------------------|\n| Arnaud J Le\u0026nbsp;Hors | | lehors@us.ibm.com              | IBM          | January 2024 - December 2025 |\n| Bob Callaway     | Vice Chair | bcallaway@google.com           | Google       | January 2025 - December 2026 |\n| Michael Lieberman|  | mike@kusari.dev                | Kusari       | January 2025 - December 2026 |\n| Zach Steindler   | Chair | steiza@github.com         | GitHub       | January 2025 - December 2026 |\n| Marcela Melara   |  | marcela.melara@intel.com       | Intel        | January 2024 - December 2025 |\n| Jautau \"Jay\" White || jaywhite@microsoft.com         | Microsoft    | January 2024 - December 2025 |\n| Stephen Augustus | | openssf@auggie.dev | Bloomberg L.P. 
| January 2025 - December 2025\\* |\n| Georg Kunz | | georg.kunz@ericsson.com | Ericsson | January 2025 - December 2025\\* |\n| Michael Scovetta | | michael.scovetta@microsoft.com | Microsoft | January 2025 - December 2025\\* |\n\n*NOTE: `*`-marked entries denote TAC members appointed by the OpenSSF Governing Board; all other members are community-elected.*\n\n## Charter\n\nThe TAC is chartered as part of the [Open Source Security Foundation Charter](https://openssf.org/about/charter/).\n\n## Technical Initiatives\n\nThe governance of TIs is documented in [the process section](process). This section provides you with all the information about the different types of initiatives and how they are managed, as well as how to propose a new initiative. It also covers the different levels of maturity a TI can be in, the requirements that must be met to move up to the next level, as well as the benefits that come with each level.\n\nThe following Technical Initiatives have been approved by the TAC. 
You may learn more about their status through their [quarterly reports](TI-reports).\n\n### Working Groups (WGs)\n\n| Name                           | Repository                           | Notes              | Staff Contact    | Status     |\n| ------------------------------ | ------------------------------------ | ------------------ | ---------------- | ---------- |\n| AI/ML Security                 | [GitHub](https://github.com/ossf/ai-ml-security) | [Meeting Notes](https://docs.google.com/document/d/1X7lCvAHY0x7HMaCQx-7KKPjSBPQ6v02TynQpOPXnXFI/edit) | Jeff Diecks | [Incubating](process/wg-lifecycle-documents/ai_ml_incubating_stage.md) |\n| Diversity, Equity, \u0026 Inclusion | [GitHub](https://github.com/ossf/wg-dei)         | [Meeting Notes](https://docs.google.com/document/d/17j8uN_radgNcY4G8u1Ua8FN__lUL4TeUN0gb-D2TrZ4/edit)  | Khahil White | Incubating |\n| Global Cyber Policy            | [GitHub](https://github.com/ossf/wg-globalcyberpolicy) | [Meeting Notes](https://docs.google.com/document/d/1iAplSQheMgemdMnEw74uPj3oi_6rLLbFFXhg4svqIDo/edit) | Jeff Diecks \u0026 Kris Borchers | [Sandbox](process/wg-lifecycle-documents/Global_Cyber_Policy_WG_sandbox_stage.md) |\n| Securing Critical Projects     | [GitHub](https://github.com/ossf/wg-securing-critical-projects) | [Meeting Notes](https://docs.google.com/document/d/1YkxOFs9x9YCtUfYeOG7Gy3OBX0cTDbZTEgOdvmEo6FE/edit) | Kris Borchers | [Incubating](process/wg-lifecycle-documents/securing_critical_projects_incubating_stage.md) |\n| Securing Software Repositories | [GitHub](https://github.com/ossf/wg-securing-software-repos)    | [Meeting Notes](https://docs.google.com/document/d/18Y8HxntL2RkcgqoFdhdLpj17e4MOSCdskP1IoDiuP1s/edit)  | Kris Borchers | [Graduated](process/wg-lifecycle-documents/securing_software_repositories_graduation_stage.md) |\n| Security Best Practices        | [GitHub](https://github.com/ossf/wg-best-practices-os-developers) | [Meeting 
Notes](https://docs.google.com/document/d/1u1gJMtOz-P5Z71B-vKKigzTbIDIS-bUNgNIcfnW4r-k/edit)  | David A. Wheeler | [Graduated](process/wg-lifecycle-documents/BEST_practices_wg_graduation_stage.md)  |\n| Security Tooling               | [GitHub](https://github.com/ossf/wg-security-tooling) | [Meeting Notes](https://docs.google.com/document/d/190urQjwvE6DsjZ3Z1vBbNEXsJ--ccC8xHmbe_fYKRHA/edit) | Jeff Diecks | Incubating |\n| Supply Chain Integrity         | [GitHub](https://github.com/ossf/wg-supply-chain-integrity)  | [Meeting Notes](https://docs.google.com/document/d/1moVFPn5pLi-uGs840_YBCrwdpHajU0ptFmlL4F9GryQ/edit)  | Kris Borchers | Incubating |\n| Vulnerability Disclosures      | [GitHub](https://github.com/ossf/wg-vulnerability-disclosures)  | [Meeting Notes](https://docs.google.com/document/d/1TdxiFofLOfpHUEQILlKq7qkjSsRXVab0uApSDJ8c5rI/edit)  | Jeff Diecks | [Graduated](process/wg-lifecycle-documents/Vuln_Disc_wg_graduation_stage.md) |\n\n\n### Projects\n\n| Name                       | Repository | Website | Sponsoring Org | Status     |\n| ---------------------- | ---------------------------------------- | ----------------------------------------------------------------------------------------------------- | -------------- |---------- |\n| Best Practices Badge   | [GitHub](https://github.com/coreinfrastructure/best-practices-badge) | https://www.bestpractices.dev/ | Best Practices WG   | TBD        |\n| Bomctl   | [GitHub](https://github.com/bomctl/bomctl) |  | Security Tooling WG   | [Sandbox](process/project-lifecycle-documents/bomctl_sandbox_stage.md)        |\n| Criticality Score      | [GitHub](https://github.com/ossf/criticality_score)        |  | Securing Critical Projects WG   | TBD        |\n| Fuzz Introspector      | [GitHub](https://github.com/ossf/fuzz-introspector)        |  | Security Tooling WG            | TBD        |\n| GUAC                   | [GitHub](https://github.com/guacsec/guac)                  | https://guac.sh | Supply Chain 
Integrity WG | [Incubating](process/project-lifecycle-documents/guac_incubating.md) |\n| gittuf | [GitHub](https://github.com/gittuf/gittuf) | https://gittuf.dev/ | Supply Chain Integrity WG | [Sandbox](process/project-lifecycle-documents/gittuf_sandbox_stage.md) |\n| OpenSSF Scorecard | [GitHub](https://github.com/ossf/scorecard)                | https://securityscorecards.dev/ | Best Practices WG | [Incubating](/process/project-lifecycle-documents/openssf_scorecard_incubating_stage.md) |\n| OpenVEX | [GitHub](https://github.com/openvex) |  | Vulnerability Disclosures WG | [Sandbox](process/project-lifecycle-documents/openvex_for_sandbox_stage.md) |\n| OSV Schema             | [GitHub](https://github.com/ossf/osv-schema)               | https://ossf.github.io/osv-schema/ | Vulnerability Disclosures WG   | TBD        |\n| Minder                 | [GitHub](https://github.com/mindersec/minder)         |  | Security Tooling WG            | [Sandbox](process/project-lifecycle-documents/minder_sandbox_stage.md) |\n| Model signing          | [GitHub](https://github.com/sigstore/model-transparency/blob/main/README.model_signing.md) |  | AI/ML Security WG | [Sandbox](process/project-lifecycle-documents/model_signing_sandbox_stage.md) |\n| Package Analysis       | [GitHub](https://github.com/ossf/package-analysis)         |  | Securing Critical Projects WG   | TBD        |\n| Protobom | [GitHub](https://github.com/protobom/protobom) |  | Security Tooling WG | [Sandbox](process/project-lifecycle-documents/protobom_sandbox_stage.md) |\n| Repository Service for TUF | [GitHub](https://github.com/repository-service-tuf/repository-service-tuf) | https://repository-service-tuf.readthedocs.io/ | Securing Software Repositories WG | [Incubating](process/project-lifecycle-documents/repository_service_for_tuf_incubation_stage.md) |\n| S2C2F                  | [GitHub](https://github.com/ossf/s2c2f)                    |  | Supply Chain Integrity WG  | 
[Incubating](process/project-lifecycle-documents/s2c2f_incubation_stage.md)      |\n| SBOMit                 | [GitHub](https://github.com/sbomit)                |  | Security Tooling WG             | [Sandbox](process/project-lifecycle-documents/SBOMit_sandbox_stage.md)    |\n| Security Insights Spec | [GitHub](https://github.com/ossf/security-insights-spec)   |  | Supply Chain Integrity WG           | TBD        |\n| Sigstore               | [GitHub](https://github.com/sigstore)                      | https://www.sigstore.dev/ | OpenSSF TAC    | [Graduated](process/project-lifecycle-documents/sigstore_graduated_stage.md)        |\n| SLSA                   | [GitHub](https://github.com/slsa-framework/slsa) | https://slsa.dev/ | Supply Chain Integrity WG   | TBD        |\n| Zarf          | [GitHub](https://github.com/zarf-dev/zarf) | https://zarf.dev/ | Supply Chain Integrity WG   | [Sandbox](process/project-lifecycle-documents/zarf_sandbox_stage.md)       |\n\n### OpenSSF affiliated projects\n\n| Name                         | Repository                          | Status |\n| --------------------------   | ----------------------------------- | ------ |\n| Core Toolchain Infrastructure | https://git.coretoolchain.dev/     |  TBD   |\n| Alpha Omega                  | https://github.com/ossf/alpha-omega |  TBD   |\n\n### Special Interest Groups (SIGs)\n\nSIGs can be created and managed without formal approval from the TAC. 
The following is for informational purposes only.\n\n| Name                       | Repository/Home Page | Governing Org                 |\n| -------------------------- | -------------------- | ----------------------------- |\n| CVD Guides             | https://github.com/ossf/oss-vulnerability-guide        | Vulnerability Disclosures WG |\n| OpenVEX                | https://github.com/ossf/OpenVEX                        | Vulnerability Disclosures WG |\n| Education              | https://github.com/ossf/education                      | Best Practices WG            |\n| Memory Safety          | https://github.com/ossf/Memory-Safety                  | Best Practices WG            |\n| C/C++ Compiler Options | https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Compiler-Hardening-Guides | Best Practices WG |\n| Python Hardening       | https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Secure-Coding-Guide-for-Python | Best Practices WG |\n| Security Baseline      | https://github.com/ossf/security-baseline              | Best Practices WG            |\n| SBOM Everywhere        | https://github.com/ossf/sbom-everywhere                | Security Tooling WG          |\n| OSS Fuzzing            | https://github.com/ossf/wg-security-tooling?tab=readme-ov-file#oss-fuzzing-sig | Security Tooling WG |\n\n### Overview Diagrams\n\nDiagrams with an overview of the OpenSSF, including its projects and SIGs, are available in the presentation [OpenSSF Introduction (including Diagrammers’ Society diagrams)](https://docs.google.com/presentation/d/1DpB-WPz4yimdF7DDH4waR_zdi7X5WumgoptcqwkMg-s/edit?usp=sharing) as created and maintained by the [OpenSSF Diagrammer's Society](https://github.com/ossf/Diagrammers-Society).\n\n\n## Antitrust Policy\n\nLinux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and 
competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.\n\nExamples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at \u003chttp://www.linuxfoundation.org/antitrust-policy\u003e. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fossf%2Ftac","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fossf%2Ftac","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fossf%2Ftac/lists"}