{"id":13484348,"url":"https://github.com/ossf/wg-securing-critical-projects","last_synced_at":"2026-01-26T22:54:52.378Z","repository":{"id":37796818,"uuid":"278759005","full_name":"ossf/wg-securing-critical-projects","owner":"ossf","description":"Helping allocate resources to secure the critical open source projects we all depend on.","archived":false,"fork":false,"pushed_at":"2025-05-08T22:23:41.000Z","size":1191,"stargazers_count":352,"open_issues_count":22,"forks_count":41,"subscribers_count":57,"default_branch":"main","last_synced_at":"2025-05-08T23:29:02.164Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ossf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"code-of-conduct.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":"governance/README.md","roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-07-11T00:28:57.000Z","updated_at":"2025-05-08T22:23:45.000Z","dependencies_parsed_at":"2024-03-13T05:33:21.953Z","dependency_job_id":"046383e0-533b-43ec-8443-9caa4545155a","html_url":"https://github.com/ossf/wg-securing-critical-projects","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ossf/wg-securing-critical-projects","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fwg-securing-critical-projects","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fwg-securing-critical-projects/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fwg-securing-critical-projects/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fwg-securing-critical-projects/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ossf","download_url":"https://codeload.github.com/ossf/wg-securing-critical-projects/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fwg-securing-critical-projects/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28791162,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-26T21:49:50.245Z","status":"ssl_error","status_checked_at":"2026-01-26T21:48:29.455Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T17:01:22.907Z","updated_at":"2026-01-26T22:54:52.365Z","avatar_url":"https://github.com/ossf.png","language":null,"funding_links":[],"categories":["Community and project health","others"],"sub_categories":[],"readme":"# WG Securing Critical Projects\n\nThis charter describes operations as an [OSSF Technical Initiative](https://github.com/ossf/tac/blob/master/charters/).\nThe [Focus](#focus) section below describes what is in and out of scope,\nand [Governance](#governance) section describes how our operations are consistent with OSSF policies with links to more detailed documents.\n\n## Motivation\n\n\u003ctable align=\"right\"\u003e\n  \u003ctr\u003e\u003ctd\u003e\u003cimg align=\"right\" src=\"https://imgs.xkcd.com/comics/dependency.png\"\u003e\u003c/td\u003e\u003c/tr\u003e\n  \u003ctr\u003e\u003ctd\u003e\u003ca href=\"https://xkcd.com/2347\"\u003eSource\u003c/a\u003e. Randall Munroe. Licensed under \u003ca href=\"https://creativecommons.org/licenses/by-nc/2.5/\"\u003eCC BY-NC 2.5\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\n\u003c/table\u003e\n\nOpen Source Software has long suffered from a \"tragedy of the commons\" problem.\nOrganizations large and small make use of OSS every day, but many projects are struggling for the time, resources and attention they need.\n\nThis is a resource allocation problem - and we can help solve it together.\nWe need ways to connect critical projects we all rely on with organizations that can provide them with support.\n\nWhether it is dedicated help from specialized experts or simply grant money or cloud credits, we recognize that no two\nprojects are the same, and support can come in many shapes.\nWe intend to work with upstream maintainers to understand what help and support they need, and then develop scalable processes to make\nthis help available.\n\n## Focus\n\n### Objective\n\nTo the best of our efforts, the goals of the working group are:\n\n1. Identify critical open source software (OSS) projects.\n2. Secure those projects.\n\nFor more details, see our [MVSR](/MVSR.md)\n\n## Current Work\n\n* [Securing Critical Projects: List of Critical Open Source Projects, Components, and Frameworks](/Initiatives/Identifying-Critical-Projects/Version-1.1) - current version\n    * Leads: Amir Montazery and Jeff Mendoza\n    * Contributors: David Wheeler, Caleb Brown, Michael Scovetta, Georg Kunz, David Edelsohn\n* [criticality_score](https://github.com/ossf/criticality_score) - this attempts to estimate criticality using the algorithm described in [\"Quantifying Criticality\" by Rob Pike](https://github.com/ossf/criticality_score/blob/main/Quantifying_criticality_algorithm.pdf); you can see the [Hacker News Discussion](https://news.ycombinator.com/item?id=25381397). A known challenge is that it emphasizes activity, and some critical projects aren't active.\n    * Lead: Caleb Brown\n* Harvard research - Census III. This work follows on [Census II](https://www.linuxfoundation.org/research/census-ii-of-free-and-open-source-software-application-libraries) [Preliminary Census II](https://www.coreinfrastructure.org/programs/census-program-ii/), with a goal of having more input data and updating the results\n* [package-feeds](https://github.com/ossf/package-feeds)\n    * Lead: Caleb Brown\n* [package-analysis](https://github.com/ossf/package-analysis)\n    * Lead: Caleb Brown\n\n## Former projects\n\n* [Allstar](https://github.com/ossf/allstar) is now a part of [OpenSSF Scorecard](https://scorecard.dev/)\n\n### Role Definitions\n\n* Lead: Drives work forward\n* Contributor: Available for taking work and completing\n\n## How were critical OSS projects selected?\n\n[Securing Critical Projects: List of Critical Open Source Projects, Components, and Frameworks](https://docs.google.com/spreadsheets/d/1ONZ4qeMq8xmeCHX03lIgIYE4MEXVfVL6oj05lbuXTDM/edit) is our current (in progress) list of critical OSS projects.\n\nFor our purposes, a critical OSS project is an OSS project that can have\nan especially large impact if it has a significant unintentional vulnerability,\nor if it is subverted in either its source repository or\ndistribution package(s).\nThere are literally millions of open source software (OSS) projects today,\nmaking it difficult to create a focused list of \"critical OSS projects\".\n\nThe list of critical OSS projects was developed for the Great MFA Distribution\nProject by the\n[OpenSSF Securing Critical Projects Working Group (WG)](https://github.com/ossf/wg-securing-critical-projects).\nThis OpenSSF working group has been *specifically* working on this problem!\n\nThere are many ways to identify \"critical\" projects, so the\nSecuring Critical Projects WG combined the results of several different\nanalyses (the analyses are also called \"Selection Criteria\"),\nThe WG then used human group review of this combined set of top candidates\nto create a final defensible list. The analyses (\"selection criteria\") for\nidentifying candidate critical OSS projects included:\n\n* [OpenSSF Criticality Score](https://github.com/ossf/criticality_score): A top OpenSSF criticality score value. This metric prefers projects that are extremely active on specific forges. Such projects are likely to be important (at least to the participants). However, this is not a perfect measure; some projects will score low here and yet be very critical. Also, it currently only considers GitHub-hosted projects. As of 2021-11-23 the projects with the top scores are node, kubernetes, rust, and spark.\n* [Census Program II](https://www.coreinfrastructure.org/programs/census-program-ii/): Harvard preliminary analysis, uses SCA \u0026 dependency data. This tends to emphasize lower-level libraries that are depended on, transitively, by many.\n* OSTIF Managed Audit Program: Programs OSTIF has recommended for audit. These were selected earlier from research sources, focusing on securing the most critical projects. You can see the [OSTIF Managed Audit Program (MAP25)](https://docs.google.com/spreadsheets/d/1oytKuD7UCX6nDXWQMr6ZgYYgap_SH_JVBof5gNrgSxo/edit#gid=0)\n* [Top Google Project](https://opensource.google/projects/list/featured):\tFeatured on Google Open Source page and widely adopted.\n* [Top Microsoft Project](https://opensource.microsoft.com/projects/): Featured on Microsoft Open Source page and widely adopted.\n* [Top Linux Foundation Project](https://www.linuxfoundation.org/projects/): \tFeatured on Linux Foundation Project page and related to supply chains.\n*  Secure Supply Chain Tool: Directly related to supply chain security (identified by WG)\n* Survey Response: [Response to public survey](https://forms.gle/19PKPS17zkL5fTFUA)\n* Language implementation: Identified by community as a widely-used language implementation\n* Community Addition: Separately identified by the community as important.\n* Previously subverted: If software has been previously attacked \u0026 it made headlines, it must be critical enough to attack.\n\nEvery method for identify critical OSS projects has its strengths and\nweaknesses; we believe the combination of analysis combined with human review\nis better than trying to do any one of them.\nFor example, high criticality score tends to emphasize very busy projects;\nhuman review can remove projects that are busy but for whatever reason\nare less critical.\nSome projects are very important yet not active; by using other measures\n(not just the OpenSSF criticality score) we can still identify them.\n\nWe have no doubt that other OSS projects will be added to the\ncritical OSS projects list over time. If you're interested in helping\nto do that, please join the working group.\n\n## Related work to quantitatively identify critical projects\n\n* [*Vulnerabilities in the Core: Preliminary Report and Census II of Open Source Software*](https://www.coreinfrastructure.org/programs/census-program-ii/) by Frank Nagle, Jessica Wilkerson, James Dana, and Jennifer L. Hoffman, Linux Foundation \u0026 Harvard, February 2020.\n* [Open Source Software Projects Needing Security Investments (aka \"Census I\")](https://raw.githubusercontent.com/coreinfrastructure/census/master/OSS-2015-06-19.pdf) by David A. Wheeler \u0026 Samir Khakimov, June 19, 2015\n([alternative copy](https://www.coreinfrastructure.org/wp-content/uploads/sites/6/2018/04/pub_ida_lf_cii_070915.pdf))\n* [Ecosyste.ms](https://ecosyste.ms/) \"publishes open data and APIs that maps software interdependency and provides data about its usage, creation and potential impact... for a generation of researchers, policymakers, developers, and funders to build upon.\" Its leaders previously created [Libraries.io](https://libraries.io/)\n* [\"The Dark Reality of Open Source Through the Lens of Threat and Vulnerability Management\" by Risksense](https://risksense.com/wp-content/uploads/2020/09/RiskSense-Spotlight-The-Dark-Reality-of-Open-Source.pdf), which identifies OSS with the most publicly-reported vulnerabilities reported as CVEs. Having more reported vulnerabilities does not mean that the software is necessarily more vulnerable; it often means that more people are looking for vulnerabilities \u0026 that there's a robust process for processing them. However, if so many people are searching for vulnerabilities in a product, that suggests it's an important (critical) project)\n* OSTIF's list of critical projects for Managed Audit Program (link to more info [here.](https://docs.google.com/spreadsheets/d/1oytKuD7UCX6nDXWQMr6ZgYYgap_SH_JVBof5gNrgSxo/edit#gid=0)\n* [Core Infrastructure Initiative (CII) Open Source Software Census II Strategy](https://www.ida.org/research-and-publications/publications/all/c/co/core-infrastructure-initiative-cii-open-source-software-census-ii-strategy) by David A. Wheeler \u0026 Jason N. Dossett, October 2017\n* [Report on the 2020 FOSS Contributor Survey](https://www.linuxfoundation.org/blog/2020/12/download-the-report-on-the-2020-foss-contributor-survey/) by Frank Nagle, David A. Wheeler, Hila Lifshitz-Assaf, Haylee Ham, and Jennifer L. Hoffman\n\n\n## Operations\n\nWG-Securing-Critical-Projects operations are consistent with standard operating guidelines\nprovided by the OSSF Technical Advisory Committee\n[TAC](https://github.com/ossf/tac).\n\n### Meetings Times\n\nMeetings will all be published on the [OSSF Community Calendar](https://calendar.google.com/calendar/r?cid=s63voefhp5i9pfltb5q67ngpes@group.calendar.google.com).\n\n### Communications\n\nWe have a public email list available here: https://lists.openssf.org/g/openssf-wg-securing-crit-prjs\n\nYou can also join us for day-to-day conversations on slack: https://openssf.slack.com/messages/wg_securing_critical_projects\n\n#### Meeting Notes\n\nMeeting Notes and Agendas are available on [Google Drive](https://docs.google.com/document/d/1YkxOFs9x9YCtUfYeOG7Gy3OBX0cTDbZTEgOdvmEo6FE/edit?usp=sharing). \n\nMeeting Recordings are available on Youtube at: https://www.youtube.com/playlist?list=PLVl2hFL_zAh-cAfx6y4k-fODfbHeQzb_O.\n\n## Governance\n\nThis group is chaired by Amir Montazery (OSTIF) and Jeff Mendoza (Kusari).\n\nFull details of process and roles are linked from [governance README](/governance).\n\n## Identifying Critical Projects\n\n[See information on identifying critical projects](https://github.com/ossf/wg-securing-critical-projects/tree/main/Initiatives/Identifying-Critical-Projects)\n\n## Antitrust Policy Notice\n\nLinux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.\n\nExamples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at \u003chttp://www.linuxfoundation.org/antitrust-policy\u003e. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fossf%2Fwg-securing-critical-projects","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fossf%2Fwg-securing-critical-projects","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fossf%2Fwg-securing-critical-projects/lists"}