Software Component Verification Standard

Guidance: Open Source Policy

The following points should be viewed as suggestions based on the success and best practices of organizations employing them. They are not part of SCVS.

  • All organizations that use open source software should have an open source policy.
  • The open source policy should be supported and enforced by cross-functional stakeholders.
  • The open source policy should address:
    • The age of a component, based on its release or published date
    • How many major or minor revisions behind the current release are acceptable
    • Guidance for keeping components continuously updated via automation
    • Exclusion criteria for components with known vulnerabilities
    • Mean-time-to-remediate criteria for updating at-risk components
    • Restrictions on using components that are end-of-life or end-of-support
    • Criteria for supplier selection or exclusion
    • A usage-based list of acceptable licenses
    • A prohibited components list
    • Mechanisms and permissions for contributing modifications back to the community that produces the component
