Building an Understanding of Voluntary Security Attestations and Their Role in Sustaining Open Source Communities

What Are Voluntary Security Attestations?

In the context of the EU’s Cyber Resilience Act, Article 25, these could be documents that describe the security practices, processes, attributes, or assurances associated with an open source project. They could be publicly shared, perhaps in a code repository or alongside a build binary, or they could be privately shared, for example, as FreeBSD has done. However, we don’t really know what they should be, just yet, and defining that together is the purpose of this new project.

We think voluntary security attestations (not to be confused with root-of-trust attestations) will serve as a reusable statement that supports downstream compliance obligations: instead of every manufacturer individually reviewing a project’s code and processes, or doing an assessment of the project to a CRA product vertical standard (if one were applicable to the project), an attestation from the project could reduce the manufacturer’s CRA compliance costs.

On the one hand, this reduces duplication of effort across manufacturers and provides manufacturers with consistent, trustworthy information. On the other hand, this gives manufacturers a more tangible motivation to support the secure development of projects critical to their products.

Since a lot of folks across open source communities have been concerned about how the CRA will affect their projects, this bears repeating – voluntary security attestations are voluntary.** Based on our understanding of the legal text, no open source project is required to produce these, and can, quite reasonably, refuse to do so indefinitely. Open source projects can choose whether to produce them, and if they do, the attestations could be a valuable tool for creating a new pathway to incentivise manufacturers to support the open source projects they rely on.

Why Are Attestations Relevant?

Attestations matter to several different groups:

• Manufacturers: Under the CRA, manufacturers bear liability for ensuring compliance of the commercial products they place on the European market. Attestations can reduce the work manufacturers must perform independently by providing them with documentation they can trust and, thereby, encouraging upstream collaboration and participation.

• Open Source Stewards: A steward is a legal entity that supports one or more open source projects by, for example, providing a point of contact for vulnerability reporting. While the CRA does not impose legal obligations on stewards, Article 25 establishes an optional mechanism for stewards to help manufacturers by providing voluntary security attestations. Through this, open source stewards have access to a new mechanism to incentivise manufacturers to give back, financially or otherwise, to sustain the projects they depend on.

• OSS Developers: Many open source projects don’t have a legal entity, which complicates the stewardship model (the CRA definition of a steward requires it to be a legal entity, not an individual/natural person). Attestations could help open a path toward lightweight, accessible options for open source developers to support market compliance efforts without becoming overwhelmed.

In short, attestations create a bridge between regulatory compliance and the open source development model, while protecting projects from being unfairly burdened.

Developing Attestation Resources Together

The need for clarity around voluntary security attestations has inspired a community-driven effort to explore the potential requirements of voluntary security attestations in the context of CRA Article 25. We are creating a new project, which will focus on delivering:

• A Framework: Mapping the landscape of what is possible, recommended, and practical when it comes to attestations.

• A Sample Attestation: A useful template document that projects and stewards can adapt for their own projects, making compliance easier and more consistent across the ecosystem.

• Community Forum & Collaboration: Creating space for open discussions with other foundations, organisations, and open source stakeholders to explore models of economic support tied to attestations.

• Public Engagement: Hosting discussions at events such as the Attestations Workshop at Code & Compliance and (hopefully) FOSDEM. These gatherings will help ensure the work reflects the input of many voices, not just a single organisation.

All of these resources will be developed in the open and made accessible to everyone, including open source projects, industry stakeholders, and policymakers shaping the CRA.

How to Get Involved

As this community effort begins, we invite everyone in the open source ecosystem to participate in shaping the future of voluntary security attestations. Here are some ways to get involved:

• Join the conversation at Code & Compliance, where the first public workshop on attestations will be held.

• Subscribe to the ORC mailing list: updates and calls for feedback will be shared there.

• Join the Matrix Room available at OSS-Attestations:matrix.org

• Look out for the upcoming GitHub repository where drafts, proposals, and templates will be developed in the open.

This work on attestations is not about imposing new requirements; it’s about identifying and proposing new mechanisms, flowing from CRA’s Article 25, to measure and increase sustainable investments in securing open source software and reducing compliance burdens for manufacturers’ use of open source software. With your input, we can shape solutions that work for all stakeholders.