> For the complete documentation index, see [llms.txt](https://owasp-scvs.gitbook.io/scvs/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://owasp-scvs.gitbook.io/scvs/guidance-open-source-policy.md).

# Guidance: Open Source Policy

The following points should be viewed as suggestions based on the success and best practices of organizations employing them. They are not part of SCVS.

* All organizations that use open source software should have an open source policy
* The open source policy is supported and enforced by cross-functional stakeholders
* The open source policy should address:
  * The age of a component based on its release or published date
  * How many major or minor revisions old are acceptable
  * Guidance for keeping components continuously updated via automation
  * Exclusion criteria for components with known vulnerabilities
  * Mean-time-to-remediate criteria for updating at-risk components
  * Restrictions on using components that are end-of-life or end-of-support
  * Criteria for supplier selection or exclusion
  * Usage-based list of acceptable licenses
  * Prohibited components list
  * Mechanisms and permissions for providing modifications back to the community producing the component
