Skip to content
@ossf

Open Source Security Foundation (OpenSSF)

OpenSSF is a community of software developers and security engineers who are working together to secure open source software for the greater public good.
OpenSSF Logo

OpenSSF is committed to working both upstream and with existing communities to advance open source security for all.

We foster collaboration, establish best practices, and develop innovative solutions to secure the development, maintenance, and consumption of open source software. OpenSSF is part of the nonprofit Linux Foundation.

Working Groups:

For any questions, concerns, reports, etc., please email [email protected].

Get Involved

Membership

We encourage all individual contributors to work with their employers to become members. We aim to grow an active, healthy community of contributors, reviewers, and code owners. Learn more about the requirements and responsibilities of membership in our Membership page or see current members.

Pinned Loading

  1. wg-best-practices-os-developers wg-best-practices-os-developers Public

    The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers.

    JavaScript 870 157

  2. ai-ml-security ai-ml-security Public

    Working Group on Artificial Intelligence and Machine Learning (AI/ML) Security

    77 12

  3. wg-securing-critical-projects wg-securing-critical-projects Public

    Helping allocate resources to secure the critical open source projects we all depend on.

    352 40

  4. wg-securing-software-repos wg-securing-software-repos Public

    OpenSSF Working Group on Securing Software Repositories

    104 21

  5. tac tac Public

    Technical Advisory Council

    122 67

  6. foundation foundation Public

    OpenSSF Governance and Legal Docs

    73 17

Repositories

Showing 10 of 69 repositories
  • glossary Public

    A reference for common terms when talking about OpenSSF and open source software security.

    ossf/glossary’s past year of commit activity
    JavaScript 3 Apache-2.0 2 3 1 Updated Apr 29, 2025
  • malicious-packages Public

    A repository of reports of malicious packages identified in Open Source package repositories, consumable via the Open Source Vulnerability (OSV) format.

    ossf/malicious-packages’s past year of commit activity
    Go 307 Apache-2.0 37 11 9 Updated Apr 29, 2025
  • scorecard-action Public

    Official GitHub Action for OpenSSF Scorecard.

    ossf/scorecard-action’s past year of commit activity
    Go 294 Apache-2.0 73 26 (1 issue needs help) 2 Updated Apr 28, 2025
  • fuzz-introspector Public

    Fuzz Introspector -- introspect, extend and optimise fuzzers

    ossf/fuzz-introspector’s past year of commit activity
    Python 411 Apache-2.0 69 98 (1 issue needs help) 0 Updated Apr 28, 2025
  • scorecard Public

    OpenSSF Scorecard - Security health metrics for Open Source

    ossf/scorecard’s past year of commit activity
    Go 4,876 Apache-2.0 533 350 (12 issues need help) 4 Updated Apr 29, 2025
  • wg-best-practices-os-developers Public

    The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers.

    ossf/wg-best-practices-os-developers’s past year of commit activity
    JavaScript 870 Apache-2.0 157 62 (4 issues need help) 13 Updated Apr 28, 2025
  • wg-globalcyberpolicy Public

    Global Cyber Policy Working Group

    ossf/wg-globalcyberpolicy’s past year of commit activity
    48 Apache-2.0 8 6 (1 issue needs help) 0 Updated Apr 29, 2025
  • si-tooling Public
    ossf/si-tooling’s past year of commit activity
    Python 5 Apache-2.0 3 1 3 Updated Apr 28, 2025
  • scorecard-webapp Public

    Website and API for OpenSSF Scorecard

    ossf/scorecard-webapp’s past year of commit activity
    HTML 24 Apache-2.0 28 33 (1 issue needs help) 10 Updated Apr 28, 2025
  • SIRT Public

    The OSS-SIRT SIG (Open Source Software Security Incident Response Team Special Interest Group) is a group working within the OSSF's Vulnerability Disclosure Working Group that is focused on creating secure vulnerability management capabilities within the open source ecosystem to ensure effective coordinated vulnerability disclosure practices (CVD)

    ossf/SIRT’s past year of commit activity
    9 Apache-2.0 6 5 (1 issue needs help) 0 Updated Apr 28, 2025