Security policy for open source software stewards
Status: 💡
Abstract
[Article 24(1)] of the CRA states that _"open-source software stewards shall put in place and document in a verifiable manner a cybersecurity policy to foster the development of a secure product with digital elements as well as an effective handling of vulnerabilities by the developers of that product."_

This specification will help open source software stewards meet that obligation by specifying the minimum requirements a steward's cybersecurity policy must implement, and by providing a structure or format for documenting the policy, possibly in a machine-readable way. It will leverage existing resources and best practices as identified in our [inventory], and will interact closely with the [vulnerability management] specification and the specification on principles for cyber resilience for open source development (see [cyber resilience principles]). Its aim is to help open source software stewards meet the obligations of the light-touch regulatory regime the CRA applies to them.

[Article 24(1)]: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:L_202402847#art_24
[inventory]: https://github.com/orcwg/cra-hub/blob/main/inventory.md
[vulnerability management]: ./vulnerability-management.md
[cyber resilience principles]: ./cyber-resilience-principles.md
