Step 2: Establish a Written Security Policy
Develop, publish, and follow a written security policy for your project.
Article 24(1) of the CRA specifies that open-source software stewards should “put in place and document in a verifiable manner a cybersecurity policy…”
Under Article 24(1), the security policy should include documentation describing how the project:

- uses secure software development practices; and
- handles vulnerabilities in an effective manner, including:
  - documenting, addressing, and remediating vulnerabilities;
  - promoting sharing of vulnerability information within the OSS community; and
  - voluntarily reporting vulnerabilities to the CSIRT coordinator or ENISA.
If your project already has in place and follows a written policy regarding these matters, great!
If you have informal processes for some of these items, write them down and publish them as part of the project’s documentation or governance materials.
For one reference point regarding vulnerability management, see the LF’s vulnerability reporting guidance at https://www.linuxfoundation.org/security. The LF’s security policy also includes links to other reference documents and guides published by OpenSSF.