White paper on security attestations
Status: 🗺️ Planned
Abstract
[Article 25][] of the CRA introduces security attestations for free and open-source software as a mechanism to facilitate the due diligence obligation of manufacturers when integrating open source components. While the white paper on due diligence will explore what this due diligence obligation is and examine the tension between the practical necessity for manufacturers to shift security left and their inability to compel open source projects to take on this additional responsibility, this paper will explore how security attestations can be used as a mechanism to resolve this tension and create incentive alignment between manufacturers and open source projects.
Drawing on case studies of similar mechanisms, for example the [Ecosystem Sustainability Program (ESP)][] developed by the OpenJS Foundation, this paper will propose possible implementations of this mechanism that would allow open source projects and stewards to support manufacturers beyond their obligations and to receive support (financial or otherwise) in return through the security attestation programs.
Note: This white paper might be combined with the paper on [due diligence][].
