
Commit 4c5ab97

Merge branch 'main' into osv-schema-app
2 parents d5231e4 + 3399adc commit 4c5ab97

26 files changed

+1732
-16
lines changed

.github/ISSUE_TEMPLATE/funding_application.yml

Lines changed: 3 additions & 0 deletions
@@ -6,6 +6,9 @@ labels:
66
- administration
77
- For Review
88
- TI Funding Request
9+
assignees:
10+
- Naomi-Wash
11+
- kj-powell
912
body:
1013
- type: markdown
1114
attributes:
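Review bot: the new `assignees:` block hardcodes two individual accounts (`Naomi-Wash`, `kj-powell`). GitHub only applies assignees from an issue form when those accounts have access to the repository; otherwise the field is silently ignored, so confirm both accounts have access before relying on it, and note who owns this template so the list is updated when staff rotate rather than quietly pointing at a departed person.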

.gitvote.yml

Lines changed: 2 additions & 2 deletions
@@ -1,7 +1,7 @@
11
profiles:
22
default:
3-
duration: 6w
4-
pass_threshold: 70
3+
duration: 2w
4+
pass_threshold: 55
55
periodic_status_check: "1 week"
66
allowed_voters:
77
teams:
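Review bot: two governance parameters change in the same hunk, `duration: 6w` to `2w` and `pass_threshold: 70` to `55`, and the merge commit message gives no rationale. A vote now passes with 55% in favor instead of 70%, little more than a simple majority, and with a two-week window the unchanged `periodic_status_check: "1 week"` fires at most once before the vote closes. Please reference the TAC decision that approved these values in the PR description or the governance docs so the change is auditable, and confirm the status-check interval is still what you want.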

README.md

Lines changed: 5 additions & 4 deletions
@@ -52,12 +52,13 @@ The following Technical Initiatives have been approved by the TAC. You may learn
5252
| Name | Repository | Notes | Staff Contact | Status |
5353
| ------------------------------ | ------------------------------------ | ------------------ | ---------------- | ---------- |
5454
| AI/ML Security | [GitHub](https://github.com/ossf/ai-ml-security) | [Meeting Notes](https://docs.google.com/document/d/1X7lCvAHY0x7HMaCQx-7KKPjSBPQ6v02TynQpOPXnXFI/edit) | Jeff Diecks | [Incubating](process/wg-lifecycle-documents/ai_ml_incubating_stage.md) |
55-
| Diversity, Equity, & Inclusion | [GitHub](https://github.com/ossf/wg-dei) | [Meeting Notes](https://docs.google.com/document/d/17j8uN_radgNcY4G8u1Ua8FN__lUL4TeUN0gb-D2TrZ4/edit) | Khahil White | Incubating |
55+
| BEAR (Belonging, Empowerment, Allyship, and Representation) | [GitHub](https://github.com/ossf/wg-bear) | [Meeting Notes](https://docs.google.com/document/d/17j8uN_radgNcY4G8u1Ua8FN__lUL4TeUN0gb-D2TrZ4/edit) | Stacey Potter | [Incubating](process/wg-lifecycle-documents/WG_DEI_incubating_stage.md) |
56+
| Best Practices for Open Source Developers | [GitHub](https://github.com/ossf/wg-best-practices-os-developers) | [Meeting Notes](https://docs.google.com/document/d/1u1gJMtOz-P5Z71B-vKKigzTbIDIS-bUNgNIcfnW4r-k/edit) | Jeff Diecks | [Graduated](process/wg-lifecycle-documents/BEST_practices_wg_graduation_stage.md) |
5657
| Global Cyber Policy | [GitHub](https://github.com/ossf/wg-globalcyberpolicy) | [Meeting Notes](https://docs.google.com/document/d/1iAplSQheMgemdMnEw74uPj3oi_6rLLbFFXhg4svqIDo/edit) | Jeff Diecks & Kris Borchers | [Sandbox](process/wg-lifecycle-documents/Global_Cyber_Policy_WG_sandbox_stage.md) |
58+
| ORBIT (Open Resources for Baselines, Interoperability, and Tooling) | [GitHub](https://github.com/ossf/wg-orbit) | Meeting Notes | Jeff Diecks | [Sandbox](process/wg-lifecycle-documents/ORBIT_WG_sandbox_stage.md) |
5759
| Securing Critical Projects | [GitHub](https://github.com/ossf/wg-securing-critical-projects) | [Meeting Notes](https://docs.google.com/document/d/1YkxOFs9x9YCtUfYeOG7Gy3OBX0cTDbZTEgOdvmEo6FE/edit) | Kris Borchers | [Incubating](process/wg-lifecycle-documents/securing_critical_projects_incubating_stage.md) |
5860
| Securing Software Repositories | [GitHub](https://github.com/ossf/wg-securing-software-repos) | [Meeting Notes](https://docs.google.com/document/d/18Y8HxntL2RkcgqoFdhdLpj17e4MOSCdskP1IoDiuP1s/edit) | Kris Borchers | [Graduated](process/wg-lifecycle-documents/securing_software_repositories_graduation_stage.md) |
59-
| Security Best Practices | [GitHub](https://github.com/ossf/wg-best-practices-os-developers) | [Meeting Notes](https://docs.google.com/document/d/1u1gJMtOz-P5Z71B-vKKigzTbIDIS-bUNgNIcfnW4r-k/edit) | David A. Wheeler | [Graduated](process/wg-lifecycle-documents/BEST_practices_wg_graduation_stage.md) |
60-
| Security Tooling | [GitHub](https://github.com/ossf/wg-security-tooling) | [Meeting Notes](https://docs.google.com/document/d/190urQjwvE6DsjZ3Z1vBbNEXsJ--ccC8xHmbe_fYKRHA/edit) | Jeff Diecks | Incubating |
61+
| Security Tooling | [GitHub](https://github.com/ossf/wg-security-tooling) | [Meeting Notes](https://docs.google.com/document/d/190urQjwvE6DsjZ3Z1vBbNEXsJ--ccC8xHmbe_fYKRHA/edit) | Jeff Diecks | [Graduated](process/wg-lifecycle-documents/security_tooling_wg_graduation_stage.md) |
6162
| Supply Chain Integrity | [GitHub](https://github.com/ossf/wg-supply-chain-integrity) | [Meeting Notes](https://docs.google.com/document/d/1moVFPn5pLi-uGs840_YBCrwdpHajU0ptFmlL4F9GryQ/edit) | Kris Borchers | Incubating |
6263
| Vulnerability Disclosures | [GitHub](https://github.com/ossf/wg-vulnerability-disclosures) | [Meeting Notes](https://docs.google.com/document/d/1TdxiFofLOfpHUEQILlKq7qkjSsRXVab0uApSDJ8c5rI/edit) | Jeff Diecks | [Graduated](process/wg-lifecycle-documents/Vuln_Disc_wg_graduation_stage.md) |
6364
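Review bot: a few consistency issues in the TI table. The ORBIT row's `Meeting Notes` cell is plain text while every other row links its notes doc; add the link or leave the cell empty so it is not mistaken for a dead link. The renamed BEAR row still points its stage at `process/wg-lifecycle-documents/WG_DEI_incubating_stage.md`; that may well be the file's current name, but check it exists and consider renaming it together with the group. The `Security Best Practices` row is replaced by `Best Practices for Open Source Developers` with the staff contact changing from David A. Wheeler to Jeff Diecks; a rename and an ownership change in one row is easy to miss, so call it out in the PR description. The Supply Chain Integrity row keeps a bare `Incubating` while the rows around it now link their stage documents.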

@@ -71,7 +72,7 @@ The following Technical Initiatives have been approved by the TAC. You may learn
7172
| Criticality Score | [GitHub](https://github.com/ossf/criticality_score) | | Securing Critical Projects WG | TBD |
7273
| Fuzz Introspector | [GitHub](https://github.com/ossf/fuzz-introspector) | | Security Tooling WG | TBD |
7374
| GUAC | [GitHub](https://github.com/guacsec/guac) | https://guac.sh | Supply Chain Integrity WG | [Incubating](process/project-lifecycle-documents/guac_incubating.md) |
74-
| gittuf | [GitHub](https://github.com/gittuf/gittuf) | https://gittuf.dev/ | Supply Chain Integrity WG | [Sandbox](process/project-lifecycle-documents/gittuf_sandbox_stage.md) |
75+
| gittuf | [GitHub](https://github.com/gittuf/gittuf) | https://gittuf.dev/ | Supply Chain Integrity WG | [Incubating](process/project-lifecycle-documents/gittuf_incubating_stage.md) |
7576
| OpenSSF Scorecard | [GitHub](https://github.com/ossf/scorecard) | https://securityscorecards.dev/ | Best Practices WG | [Incubating](/process/project-lifecycle-documents/openssf_scorecard_incubating_stage.md) |
7677
| OpenVEX | [GitHub](https://github.com/openvex) | | Vulnerability Disclosures WG | [Sandbox](process/project-lifecycle-documents/openvex_for_sandbox_stage.md) |
7778
| OSV Schema | [GitHub](https://github.com/ossf/osv-schema) | https://ossf.github.io/osv-schema/ | Vulnerability Disclosures WG | TBD |
Lines changed: 59 additions & 0 deletions
@@ -0,0 +1,59 @@
1+
# 2025 Q1 Alpha-Omega
2+
3+
## Overview
4+
5+
Alpha-Omega enters 2025 with renewed funding from Google and Amazon, a healthy pipeline of potential engagements, and updated OKRs to guide and focus on our investments. We're thankful to have such an engaging security community around us and we're looking forward to seeing their accomplishments this year.
6+
7+
## Recent Events / News / Blogs / Etc.
8+
9+
* [What's in the SOSS? Podcast #21 – Alpha-Omega's Michael Winser and Catalyzing Sustainable Improvements in Open Source Security](https://openssf.org/podcast/2024/12/10/whats-in-the-soss-podcast-21-alpha-omegas-michael-winser-and-catalyzing-sustainable-improvements-in-open-source-security/) (CRob, Michael Winser [Alpha-Omega])
10+
* FOSDEM: [How FreeBSD security audits have improved our security culture](https://fosdem.org/2025/schedule/event/fosdem-2025-6152-how-freebsd-security-audits-have-improved-our-security-culture/) (Pierre Pronchery [FreeBSD], Michael Winser [Alpha-Omega])
11+
* FOSDEM: [Funding FOSS together: Combining public and private efforts](https://fosdem.org/2025/schedule/event/fosdem-2025-5279-funding-foss-together-combining-public-and-private-efforts/) (Mirko Swillus [Sovereign Tech Fund], Michael Winser [Alpha-Omega])
12+
* FOSDEM: [Airflow Beach Cleaning - Securing Supply Chain](https://fosdem.org/2025/schedule/event/fosdem-2025-4594-airflow-beach-cleaning-securing-supply-chain/) (Jarek Potiuk [Apache], Munawar Hafiz [OpenRefactory], Michael Winser [Alpha-Omega])
13+
* [An Overview of Cyber Security Funding for Open Source Software](https://arxiv.org/pdf/2412.05887) (Jukka Ruohonen, Gaurav Choudharya, Adam Alami [University of Southern Denmark]
14+
15+
16+
## Upcoming Events
17+
18+
* VulnCon: **Airflow Beach Cleaning - Supply Chain Security with Community in Mind** (Jarek Potiuk [Apache], Michael Winser [Alpha-Omega])
19+
* VulnCon: **Alpha-Omega: What We've Learned From Funding Open Source Security Over the Past 3 Years, What's Ahead** (Michael Winser [Alpha-Omega])
20+
* Alpha-Omega Public Meeting - April 2, 2025 -- **please join us!**
21+
22+
## Objectives & Key Results
23+
24+
| **Objective #1: Catalyze trustworthy and secure software, runtimes, and infrastructure for all the major open source ecosystems through staffing** | |
25+
|-|-|
26+
| **KR1.1**: Fund security improvements and initiatives for at least ten critical open source organizations by the end of 2025. | On Target |
27+
| **KR 1.2**: For each engagement, confirm progress toward improved security outcomes, evidenced through initial and/or follow-on assessments, monthly reporting, and periodic check-ins. | In Progress |
28+
| **KR 1.3**: Drive the organizations we work with to obtain security funding from at least one organization other than Alpha-Omega, targeting 33% by the end of 2025. | Started |
29+
| **KR 1.4**: Organize quarterly roundtables for at least 5 major ecosystems to share information, build connections, and collaborate, resulting in at least one new project or joint publication started in 2025. | Started |
30+
| **KR1.5**: Scaling adoption, consumption, value of OSS Security projects, Getting to sustainability tipping points. | In Progress |
31+
|-|-|
32+
| **Objective #2: The top 10,000 open source projects are free of critical security vulnerabilities** | |
33+
| **KR2.1**: Create and collect open data sets of security-related data for open source projects to make the development of scaled security tooling easier and to make the results more consistent. | Started |
34+
| **KR2.2**: Expand the "beach cleaning" approach to at least 3 new projects and develop tooling and playbooks to make it easier and cheaper to do for any project | Not Started |
35+
| **KR2.3**: Create an open source "Corps of Engineers" group of security expert engineers who can work within and across their communities to provide security guidance to smaller projects in times of crisis. | Started |
36+
|-|-|
37+
| **Objective #3: Enhance Alpha-Omega's effectiveness in innovation, experimentation, and marketing** | |
38+
| **KR3.1**: By the end of 2025, run three experiments to explore new strategies for reducing security risk within the open source ecosystems, share the results/ learnings, using them to refine our overall strategy and objectives for 2026. | Not Started |
39+
| **KR3.2**: More active internal marketing to stakeholders targeted at specific teams through infographics and marketing assets. | Started |
40+
| **KR3.3**: Continue our progress from 2024 on auditing and improving the security of the top open source AI libraries by developing guidance for organizations that use them to do so securely. | On Target |
41+
|-|-|
42+
| **Objective #4: Run an operationally efficient, growing, and effective program** | |
43+
| **KR4.1**: Allocate at least 85% of our yearly spend to activities directly in support of our mission. | On Target |
44+
| **KR4.2**: Receive at least $5 million in renewed funding in 2025. | Completed |
45+
| **KR4.3**: For each partner engagement, at least 70% of the objectives defined within the respective agreement are met within the defined time period. | In Progress |
46+
| **KR4.4**: Develop and deliver quarterly reports. Increase engagement/interest across stakeholders, grant recipients, and other target orgs. | On Target |
47+
| **KR4.5**: Jointly fund 3-5 engagements in partnership with other organizations (e.g. Sovereign Tech Agency). | Started |
48+
49+
## Reporting
50+
51+
We published our [annual report](https://alpha-omega.dev/wp-content/uploads/sites/22/2025/01/Alpha-Omega-Annual-Report-2024_012925.pdf) and [impact/outcomes report](https://alpha-omega.dev/wp-content/uploads/sites/22/2025/01/Alpha-Omega-GranteeReport-2024_012925.pdf) in January 2025. One change for this year is that we're moving to quarterly reports instead of [monthly](https://alpha-omega.dev/resources/reports/) -- our Q1 report will be out in the next few weeks.
52+
53+
### Questions/Issues for the TAC
54+
55+
None at this time
56+
57+
## Additional Information
58+
59+
N/A
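Review bot: the OKR table uses `|-|-|` rows in the middle of the table (before the `**Objective #2**`, `#3` and `#4` rows) to start new sections. In GitHub-flavored markdown only the second line of a table is a delimiter row, so these render as ordinary body rows containing a dash and the objective rows get no header styling. Split into one table per objective, each with its own `|-|-|` directly under the objective row. Also: the arXiv bullet in Recent Events is missing its closing `)` after `[University of Southern Denmark]`, and KR labels alternate between `KR1.1` and `KR 1.2`; pick one form.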

TI-reports/2025/2025-Q1-GCP-WG.md

Lines changed: 56 additions & 0 deletions
@@ -0,0 +1,56 @@
1+
# 2025 Q1 TAC Report for Global Cybersecurity Policy Working Group
2+
3+
## Overview
4+
5+
* GitHub repo: https://github.com/ossf/wg-globalcyberpolicy/
6+
* Minutes doc: https://docs.google.com/document/d/1iAplSQheMgemdMnEw74uPj3oi_6rLLbFFXhg4svqIDo/edit?tab=t.0#heading=h.9m0zi4b0wnne
7+
8+
This group has been formed in January 2025, after the Linux Foundation workshop on "Stewards and Manufacturers" in Amsterdam in December 2024. The shape of this group is very much based on consensus of that workshop. The scope of the group is to provide a forum for our members and the broader community to collaborate on Global Cybersecurity-related legislation, frameworks, and standards which facilitate conformance to regulatory requirements by open source projects and their consumers. We have been holding bi-weekly calls. We have agreed [our charter](https://github.com/ossf/wg-globalcyberpolicy/blob/main/CHARTER.md) and formed 3 SIGs - Awareness, Tooling and Standards. The group is focusing most of its attention on the European Cyber Resilience Act (CRA). We also have drafted a [liaisons list](https://github.com/ossf/wg-globalcyberpolicy/blob/main/governance/external-liaisons.md) which is a list of external organizations we feel we need to liaise with.
9+
10+
We have two working group co-leads: [Daniel Appelquist | Samsung](https://github.com/torgo) and [Mike Bursell | Confidential Compute Consortium](https://github.com/MikeCamel) with support from [Crob](https://github.com/SecurityCRob), [Jeff Diecks](https://github.com/GeauxJD) and [Fukami](https://github.com/fukami) from OpenSSF staff.
11+
12+
We are also exploring folding in the "CRA tech bi-weekly" call into the remit of this group.
13+
14+
Since forming, we have spent a fair amount of time refining the charter, in particular the wording around how we open up the group as much as possible while also making it clear who gets to vote when and if a vote is required.
15+
16+
We now have a schedule of calls for our SIGs and have started to take minutes in our main minutes doc. We are operating in a similar mode to the Best Practices Working group, with our SIGs reporting into the main working group call.
17+
18+
We held a special session at LF Member Summit which is also minuted in our minutes doc.
19+
20+
## Awareness SIG
21+
22+
The awareness SIG is the furthest along. It's led by [Megan Knight](https://github.com/businesscasualkesha), Arm. The scope is activities that drive awareness of the work of this group and of the regulatory landscape in general. The SIG has been marshalling blog posts, upcoming conference schedule, as well as the CRA introductory course.
23+
24+
Blog Posts:
25+
* [Linux Foundation Europe and OpenSSF Launch Initiative to Prepare Maintainers, Manufacturers, and Open Source Stewards for Global Cybersecurity Legislation
26+
](https://openssf.org/press-release/2025/01/31/linux-foundation-europe-and-openssf-launch-initiative-to-prepare-maintainers-manufacturers-and-open-source-stewards-for-global-cybersecurity-legislation/)
27+
* [What Will My Business Need to do for the CRA?](https://openssf.org/blog/2025/03/24/what-will-my-business-need-to-do-for-the-eu-cra/)
28+
* [Does the EU CRA affect my business?](https://openssf.org/blog/2025/02/20/does-the-eu-cra-affect-my-business/)
29+
* [OpenSSF Policy Summit DC 2025 Recap](https://openssf.org/blog/2025/03/14/openssf-policy-summit-dc-2025-recap/)
30+
31+
## Tooling SIG
32+
33+
The Tooling SIG has is still in start-up mode. However we have one lead, [Puerco](https://github.com/puerco), and we're looking for a co-lead. The scope is to coordinate work on relevant tooling and processes. What tools already exist out there that can help maintainers, stewards and manufacturers? What additional features do we need from existing tools?
34+
35+
## Standards SIG
36+
37+
The Standards work stream is progressing. Currently we have one lead [Tobias](https://github.com/0xAverageUser), we are actively seeking a co-lead.
38+
The SIGs mission was defined as:
39+
40+
> The OpenSSF Global Cyber Policy WG - Standardisation SIG’s mission is to align regulatory (e.g., the EU CRA) compliance strategies & standards across open-source participants to ensure clarity, consistency, and industry-wide adoption and coordination.
41+
42+
To meet that objective, we will likely start developing an index of curated Minutes, Resources, and References from OpenSSF, Eclipse, and OpenJS, as a building, deploying maintaining and a database ("index") for the EU CRA.
43+
44+
Initially, the SIG will promote "Baseline" as a potential standard for CRA compliance. CRob, Jory Burson and Wheeler will present recommended OpenSSF and LF specifications for ETSI and CEN/CENELEC consideration during the April 1, 2025 call.
45+
46+
Minutes available here: [SIG Minutes Document](https://docs.google.com/document/d/1XjE5VYdyIdH32T94ZQIj0Hf5btRiKG58z3jSInY77wA/view?tab=t.0).
47+
48+
## Questions/Issues for the TAC
49+
50+
None at this time.
51+
52+
## Additional Information
53+
54+
Security Insights spec recently [incorporated](https://github.com/ossf/security-insights-spec/pull/117#pullrequestreview-2728878937) `steward` as a field in their schema. This is in response to an [issue](https://github.com/ossf/security-insights-spec/issues/106) we raised about how a project can specify its steward, which in turn came out of a [discussion](https://github.com/ossf/wg-globalcyberpolicy/issues/43) in this working group about whether we need a `steward.md` file so that projects can indicate what organization is playing a "stewardship" role for them, which has a specific meaning under the CRA. This also showcases how this group seeks to work with other groups.
55+
56+
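Review bot: a few wording defects in the new report. `The Tooling SIG has is still in start-up mode` has a stray `has`; `The SIGs mission` should be `The SIG's mission`; and the Standards SIG sentence `as a building, deploying maintaining and a database ("index")` is garbled and should say plainly what is being built (building, deploying and maintaining a database ("index") of CRA resources). The first blog-post bullet breaks its link text across two lines before the `](...)`, which renders but is fragile; put the title on one line. The Additional Information paragraph on the Security Insights `steward` field is a good cross-group pointer and worth keeping as is.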
Lines changed: 52 additions & 0 deletions
@@ -0,0 +1,52 @@
1+
# 2025 Q1 Securing Software Repositories Working Group
2+
3+
## Overview
4+
5+
**Mission**: Improve security of software repositories (npm, PyPI, RubyGems, ...) by providing a forum for discussion, a maturity model for security roadmaps, and guidance for individual security capabilities.
6+
7+
**Links**:
8+
- [GitHub repository](https://github.com/ossf/wg-securing-software-repos)
9+
- [Slack channel](https://openssf.slack.com/archives/C034CBLMQ9G)
10+
- [WG meeting docs](https://docs.google.com/document/d/18Y8HxntL2RkcgqoFdhdLpj17e4MOSCdskP1IoDiuP1s/edit?usp=sharing)
11+
12+
## Securing Software Repositories Working Group
13+
14+
### Purpose
15+
16+
Improve security of software repositories by providing a forum for discussion, a maturity model for security roadmaps, and guidance for individual security capabilities. These conversations, roadmaps, and guidance help ecosystems learn from each other, which accelerates the deployment of security capabilities.
17+
18+
### Current Status
19+
20+
- [Central now performs Sigstore Signature Validation](https://central.sonatype.org/news/20250128_sigstore_signature_validation_via_portal/)
21+
- [Posting for technical writer](https://jobs.smartrecruiters.com/LinuxFoundation/744000038830864-openssf-securing-repositories-working-group-technical-writer) to write package yanking guidance is live
22+
- Submitted letter of support to Python Software Foundation's grant request to US National Science Foundation on detecting, flagging, and quarantining malware
23+
- Meetings continue every other week, with async discussions in the Slack channel
24+
25+
### Up Next
26+
27+
- Hire contractor; publish package yanking guidance
28+
- [Funding request: UI/UX support for attestations on software repos](https://github.com/ossf/tac/issues/424)
29+
- Continue supporting landing security capabilities in software repositories
30+
31+
### Questions/Issues for the TAC
32+
33+
- None at this time
34+
35+
## RSTUF Project
36+
37+
### Purpose
38+
39+
Provide a service to protect repository index from tampering by distributing them with The Update Framework (TUF)
40+
41+
### Current Status
42+
43+
- Continuing to work towards v1.0 release to run alongside RubyGems and PyPI and sign their repository index
44+
- [Funding approved: 2025 cloud development costs](https://github.com/ossf/tac/issues/417)
45+
46+
### Up Next
47+
48+
- [Security audit with OSTIF](https://github.com/ossf/tac/issues/379) started Feb 3rd 2025
49+
50+
### Questions/Issues for the TAC
51+
52+
- None at this time
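Review bot: `Security audit with OSTIF started Feb 3rd 2025` is listed under RSTUF's `Up Next` but describes work already underway; move it to `Current Status` and put what is actually next (the audit's expected completion or its report) under `Up Next`. Minor: `protect repository index from tampering by distributing them` mixes singular and plural; use `repository indexes ... distributing them`. The technical-writer link points at a live job listing that will go stale once the hire is made; linking the TAC funding issue alongside it would keep the reference resolvable.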
