Guidance: Open Source Policy

The following points should be viewed as suggestions based on the success and best practices of organizations employing them. They are not part of SCVS.
  • All organizations that use open source software should have an open source policy
  • The open source policy is supported and enforced by cross-functional stakeholders
  • The open source policy should address:
    • The age of a component based on its release or published date
    • How many major or minor revisions old are acceptable
    • Guidance for keeping components continuously updated via automation
    • Exclusion criteria for components with known vulnerabilities
    • Mean-time-to-remediate criteria for updating at-risk components
    • Restrictions on using components that are end-of-life or end-of-support
    • Criteria for supplier selection or exclusion
    • Usage-based list of acceptable licenses
    • Prohibited components list
    • Mechanisms and permissions for providing modifications back to the community producing the component