Cybersecurity is a matter of global interest and concern. Stakeholders from across the ecosystem and around the globe are affected by the deluge of cybersecurity incidents and vulnerability exploits. The Global Cyber Policy Working Group seeks to assemble subject matter experts from many disciplines to collaboratively discuss the legislation, regulation, and cybersecurity frameworks and standards that can help stakeholders of all backgrounds meet their compliance obligations.
Motivation
Cybersecurity obligations are now being codified in law. Regulation (EU) 2024/2847 (the Cyber Resilience Act, CRA) contains provisions that speak directly to open source software and introduces the role of the open source software "Steward".
- It is important that open source maintainers are appropriately represented and informed about how these legal changes could affect the work of their projects.
- It is important that Manufacturers, commonly referred to as "vendors", understand their obligations under the law and what resources and support they need from their upstream maintainers and Stewards to meet those obligations.
- It is important that open source Stewards, commonly manifested as foundations (such as the Linux Foundation, the Apache Software Foundation, and others), understand their obligations under the law and how they can support their projects, maintainers, Manufacturer members, and regulators and market surveillance authorities.
Objective
The objective of this working group is to provide a forum in which our members and the broader community can collaborate on global cybersecurity-related legislation, frameworks, and standards, so that open source projects and their consumers can conform to regulatory requirements.
- This group will begin with a focus on the EU's CRA legislation, but in the future can expand into other related topics.
Scope
This group will talk about matters that intersect cybersecurity and international legislation.
Prior Work
2024 Open Source Software Stewards and Manufacturers Workshop
Active Projects
- CRA Readiness+Awareness - SIG mailing list
- CRA Tooling+Process+Formats - SIG mailing list
- CRA Spec Standardization - SIG mailing list
Get Involved
- Official communications occur on our:
  - mailing list (manage your subscriptions to OpenSSF mailing lists)
  - Slack channel
Meeting times
- Meeting times to be determined (link to calendar invite)
- Meeting Minutes
Governance
The CHARTER.md outlines the scope and governance of our group activities.
Intellectual Property
In accordance with the OpenSSF Charter (PDF), work produced by this group is licensed as follows:
- Software source code
  - Apache License, Version 2.0, available at https://www.apache.org/licenses/LICENSE-2.0
- Data
  - Any of the Community Data License Agreements, available at https://www.cdla.io
- Specifications
  - Community Specification License, Version 1.0, available at https://github.com/CommunitySpecification/1.0
- All other documentation
  - Creative Commons Attribution 4.0 International License, available at https://creativecommons.org/licenses/by/4.0/
Conduct
This group will operate according to the OpenSSF Code of Conduct.
Antitrust Policy Notice
Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.
Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.