Guidance: Open Source Policy

The following points should be viewed as suggestions based on the success and best practices of organizations employing them. They are not part of SCVS.

• All organizations that use open source software should have an open source policy

• The open source policy is supported and enforced by cross-functional stakeholders

• The open source policy should address:

  • The age of a component based on its release or published date

  • How many major or minor revisions old are acceptable

  • Guidance for keeping components continuously updated via automation

  • Exclusion criteria for components with known vulnerabilities

  • Mean-time-to-remediate criteria for updating at-risk components

  • Restrictions on using components that are end-of-life or end-of-support

  • Criteria for supplier selection or exclusion

  • Usage-based list of acceptable licenses

  • Prohibited components list

  • Mechanisms and permissions for providing modifications back to the community producing the component