Maybe this should link to <a href="https://openssf.org" rel="nofollow">https://openssf.org</a> or the press release (<a href="https://openssf.org/press-release/2020/08/03/technology-and-enterprise-leaders-combine-efforts-to-improve-open-source-security/" rel="nofollow">https://openssf.org/press-release/2020/08/03/technology-and-...</a>) rather than to the GitHub project?<p>Highlights from the FAQ:<p>> OpenSSF is focused on improving the security of open source software (OSS) by building a broader community with targeted initiatives and best practices. It will start with a focus on metrics, tooling, best practices, developer identity validation and vulnerability disclosures best practices.<p>> OpenSSF will be supported by Linux Foundation membership dues with targeted organization contributions to support initiatives<p>> The founding members are GitHub, Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation and Red Hat, among others.
It is really interesting that major open source initiatives are now being run by corporations. I feel this will be open source in the sense that it is being developed in the open, but not in the sense that they will foster an environment of community contribution.<p>For example, the working group for vulnerability disclosure includes a lot of corporate players, and from what I can tell, not a single security researcher. Only one side of the disclosure process is represented in that working group.<p>Realizing how allergic major companies are to GPL code really creates some skepticism when they speak about embracing open source.
Such a shame these initiatives don't build on existing standards working groups but go away and reinvent a wheel instead.<p>Take a look, for instance, at ETSI TC Cyber or ETSI NFV Sec.<p>Even more are available in specific domains, such as intelligent transport systems (ISG WG5).<p>Let's have one more standard promoting another agenda and set of priorities.<p>Open standards should also promote consolidated standards.