This document is intended to help maintainers, developers, and project managers looking to take their first steps in securing a project. Adhering to best practices can address low-hanging security issues, harden a project against basic vulnerability exploits, and streamline project management, thereby reducing exposure to bad actors and improving transparency with your users and community.
While following best practices should help improve your project's overall security health, they are not intended to replace security efforts such as audits, bug bounties, or tooling. This document, which outlines community-recommended security practices, functions as an initial launching point to provide context and education on security measures for projects. As a project is living and always changing, so is this document. This self-assessment is a collaborative contribution started by the Open Source Technology Improvement Fund (OSTIF) and contributed to by the community of security auditors, cybersecurity professionals, and maintainers from the open source world. If you would like to contribute, see CONTRIB.
- Introduction
- A private security reporting pipeline with a designated handler
- Internal Vulnerability Response Policies
- Follow best practices for development, build pipelines, etc.
- Up-to-date security (CVEs, necessary patches, etc.)
- An updated knowledge base keeping track of security efforts, access privileges, etc.
- Milestones in mind for when you need to increase security efforts (e.g. harden further, get an audit, etc.)
- What to do next