If your project does not yet have a stewarding organization, The Linux Foundation (including OpenSSF) and The Linux Foundation Europe are happy to accommodate it. While the CRA has arranged a lighter regime for open source projects that are not commercialized directly, the communities and their developers remain responsible for ensuring the essential security practices. By aligning with the efforts driven by OpenSSF, or more broadly by The Linux Foundation, projects can benefit from the guidance, support, technical clarity, and governance needed to navigate the CRA's complexities without compromising their independence. We will try to absorb the legal complexity for your projects, letting you focus on innovation, coding, marketing and partnerships. In their work, The Linux Foundation and OpenSSF bring together security researchers, regulators, open source maintainers and manufacturers, creating a bridge between all these groups, which is a key enabler for establishing a trustworthy and complete approach to navigating CRA compliance.

Having The Linux Foundation and OpenSSF as steward guarantees a level of credibility and trust, access to legal and administrative infrastructure, centralized support for CRA obligations, regulatory shielding and risk reduction, and the support of a strong and helpful community together with its relevant projects.

The Linux Foundation and OpenSSF are committed to helping structure project governance and to providing the necessary guidance for every role, but also to ensuring that a project does not accidentally move from one category to another. OpenSSF is keen to fulfill the steward's obligations highlighted in the CRA and cited above, reducing the burden on individual developers and communities.

Bringing your project under LF stewardship will increase its attractiveness to users, its partners' confidence and its market traction by adhering to Linux Foundation principles such as transparency, lifecycle security practices and resilience. You will benefit from all of our community's efforts in navigating this complex and fast-evolving regulatory framework, but also from all of our tools, training, guidelines and best practices created to ensure fast, responsible and secure development.

The Linux Foundation is committed to improving the security and quality of the projects under our umbrella. We encourage our members to maintain a publicly documented security process and to demonstrate due diligence when adopting software components, and we are working with our members on a responsible way of reporting actively exploited vulnerabilities. Our above-referenced tools help open source projects automate and document their security practices.

OpenSSF and The Linux Foundation are also stepping up our involvement by actively addressing additional CRA objectives:

  • Secure-by-design principles: OpenSSF supports secure-by-design approaches through the publication of practical guidelines, recommendations, and best practices that projects can adopt throughout their lifecycle.
  • Global cooperation and ecosystem building: OpenSSF establishes and nurtures global cooperation among diverse stakeholders, fostering an environment in which collaboration, information sharing, and synergies are essential.
  • CRA monitoring and alignment: OpenSSF tracks the implementation of the CRA, related guidelines, and emerging regulatory trends to create awareness and help projects and communities remain aligned over time.
  • Awareness raising and training (Article 10): OpenSSF raises awareness and delivers tailored training programs adapted to the needs of its membership, strengthening understanding and skills required to operate in a cyber-resilient digital environment, in line with Article 10 of the CRA.

OpenSSF and The Linux Foundation understand that a key challenge for manufacturers using OSS is that their products often rely on components developed under multiple stewardships. This means the manufacturer must navigate different governance models, security policies, and vulnerability management processes for each component. Collaboration between multiple OSS stewards therefore becomes crucial to help manufacturers effectively manage these complexities and ensure the security and compliance of their products.
To that end, OpenSSF and The Linux Foundation are determined to collaborate with other stewards by:

  • Adopting or creating standardized security and governance frameworks
    • Establishing common practices: this can include defining common vulnerability disclosure processes, security hardening guidelines, shared tools and frameworks, and incident response protocols. One example in this direction is OpenSSF's Scorecard.
    • Creating a common "Bill of Materials", or creating the tools needed to translate Bills of Materials from one format to another. We are keen to collaborate on the standardization of SBOM format and content, making it easier for manufacturers to aggregate and manage information from various sources.
    • Developing shared compliance and auditing tools: we want to enhance our portfolio and collaborate on further tools and platforms that help manufacturers verify compliance with the EU CRA. This would streamline the auditing process and reduce the burden on manufacturers who would otherwise have to use different tools for each component.
  • Coordinating vulnerability management
    • Harmonizing vulnerability disclosure: we could establish a shared, coordinated vulnerability disclosure process. This means that when a vulnerability is found in a component, all relevant stewards are notified simultaneously and can work together to create patches and communicate with downstream users (the manufacturers).
    • Cross-project security teams: together with other stewards, we could create cross-project security teams to address vulnerabilities that span multiple open source projects. This is particularly important for vulnerabilities in core libraries that are widely used across the software ecosystem. These teams can pool resources and expertise to develop and deploy fixes more efficiently.
  • Holding joint workshops and forums
    • We have organized joint workshops, conferences, and forums that bring together developers, manufacturers, and policymakers. These events facilitate direct communication, build trust, and allow stakeholders to work on shared solutions to common challenges.
  • Promoting interoperability
    • Collaboration on technical standards and APIs can ensure that components from different stewardships work together seamlessly. This reduces the integration burden on manufacturers and allows them to build more robust and scalable products.

OpenSSF plays a key role in helping open source projects prepare for and align with the EU CRA, especially around security posture, vulnerability management and responsible stewardship. The Linux Foundation and OpenSSF are here to ensure that their stewardship will be one of the foundational pillars of your project's cyber resilience.