Attestations in Progress

By Æva Black

When we first outlined the thinking behind voluntary security attestations in October 2025, we framed them as a potential lever for two hard problems:

  1. helping manufacturers meet their Cyber Resilience Act (CRA) obligations, and
  2. improving the long-term sustainability of open source projects.

Since then, the ORC community has continued refining the attestation concept through working sessions, research, and discussions at Code & Compliance and FOSDEM, including engagement with representatives from BSI and DG-CNECT. As regulatory expectations around the CRA become clearer, we are now able to provide a practical update on how the model is being developed, tested, and refined within the community.

A Two-Tier Model

One of the most significant areas of progress has been agreement on a two-tier attestation model, reflecting the diversity of the open source ecosystem.

Lightweight Attestations

The lightweight model is designed for projects that are typically used as components or libraries and that may not have significant commercial backing. The goal here is practicality: a concise checklist that signals basic project health, secure development practices, and the ability to coordinate on vulnerabilities.

For well-maintained projects, completing a lightweight attestation should require minimal effort, and the attestation can be periodically reviewed and updated. The current template draws on existing practices such as the OpenSSF Scorecard and SLSA projects, as well as recently published national cybersecurity standards from the German BSI. It combines information that is easy to verify from publicly available project artefacts with indicators of a project’s readiness to respond to cybersecurity vulnerabilities and incidents, in accordance with certain parts of Annex 1 Part II of the CRA.

Heavyweight Attestations

The heavyweight model targets larger and more product-like projects, or ecosystems with substantial industry participation. Examples include platforms, operating systems, and projects that undergo only limited downstream modification when embedded in commercial products.

Based on our community research so far, we believe that, for these attestations to provide practical value to manufacturers, they require deeper due diligence and more sustained effort. In return, they also offer the greatest potential to reduce duplicated compliance work across manufacturers who rely on mature and well-maintained open source software. A draft proposal for the heavyweight model is now under active review, and community feedback is especially important at this stage.

Growing Clarity and Open Questions

As CRA-related standards move closer to public review within national bodies, the working group’s understanding of expected due diligence has improved. This has begun to ground the attestation work in realistic regulatory expectations.

At the same time, several questions remain open and are being actively explored by the group:

Rather than delaying progress, these questions are shaping our understanding of a model that can adapt to different legal, organisational, and project realities. Ultimately, our goal is to support the broad diversity of open source communities without creating additional or undue burden on maintainers, while also opening additional pathways to sustainable funding for projects that wish to participate.

Where the Project Stands Today and Next Steps

The attestation work has now entered a validation and community input phase, where direct participation is essential. We are actively inviting maintainers, foundations, manufacturers, and policy experts to engage with the work in the following ways:

As this project is anticipated to reach a stable draft form before summer, now is the time to get involved. Review the proposals, join a working session, and contribute your operational perspective. The next iteration of the attestation model will be shaped by those who participate.