Guidance: Open Source Policy

The following points should be viewed as suggestions based on the success and best practices of organizations employing them. They are not part of SCVS.

  • All organizations that use open source software should have an open source policy

  • The open source policy is supported and enforced by cross-functional stakeholders

  • The open source policy should address:

    • The age of a component based on its release or published date

    • How many major or minor revisions behind the current release a component may be

    • Guidance for keeping components continuously updated via automation

    • Exclusion criteria for components with known vulnerabilities

    • Mean-time-to-remediate criteria for updating at-risk components

    • Restrictions on using components that are end-of-life or end-of-support

    • Criteria for supplier selection or exclusion

    • Usage-based list of acceptable licenses

    • Prohibited components list

    • Mechanisms and permissions for providing modifications back to the community producing the component