# Guidance: Open Source Policy

The following points should be viewed as suggestions based on the success and best practices of organizations employing them. They are not part of SCVS.

* All organizations that use open source software should have an open source policy
* The open source policy is supported and enforced by cross-functional stakeholders
* The open source policy should address:
  * The age of a component based on its release or published date
  * How many major or minor revisions old a component is allowed to be
  * Guidance for keeping components continuously updated via automation
  * Exclusion criteria for components with known vulnerabilities
  * Mean-time-to-remediate criteria for updating at-risk components
  * Restrictions on using components that are end-of-life or end-of-support
  * Criteria for supplier selection or exclusion
  * Usage-based list of acceptable licenses
  * Prohibited components list
  * Mechanisms and permissions for providing modifications back to the community producing the component

