CHAOSS Risk Metrics Working Group (RISK WG)

standard-readme compliant

Read our Launch Plan

The Risk Working Group is a new group, focused on metrics for issues pertaining to risk in open source.

Economic value is expressed in different ways for different types of stakeholders. We will be exploring this space in the coming months.

| Focus Area | Goal |
|---|---|
| 1. Business Risk | Understand how active a community exists around/to support a given software package. |
| 2. Code Quality | Understand the quality of a given software package. |
| 3. Licensing | Understand the potential IP issues associated with a given software package's use. |
| 4. Security | Understand security processes and procedures associated with the software's development. |
| 5. Transparency | Understand how transparent a given software package is with respect to dependencies, licensing (?), security processes, etc. |

Join our Mailing List

This CHAOSS working group is using the general CHAOSS mailing list.

Join our Weekly Calls

The Risk Working Group meets every other Monday from 11-12 Pacific Time. All are welcome. Our next meeting is April 20, at 9am CDT. We will also meet on April 27, at 9am CDT to get back in our cycle. April 13 was cancelled due to the holiday.

The videoconference URL is

You can also read our meeting notes.


Problem Statement

We have gotten requests from community members to establish industry-standard metrics for risk in open source. Lack of metrics makes it difficult for business decision makers to compare open-source methods to alternatives. Lack of metrics makes it difficult to allocate resources optimally across projects, slowing decision making and product innovation.


We believe that risk metrics can accelerate the adoption of open source methods within industry, providing more opportunities for developers to make a living wage in open source.


Between March 2019 and September 2019 we will execute a launch plan with limited goals:

Identify Stakeholders and Validate Interest

  • Identify market segments and stakeholders
  • Understand who cares about open source risk (and why)
  • Specify and prioritize Key Performance Indicators
  • Calculate potential aggregate risk

Grow hands-on community

  • CHAOSS Members: Consultants, researchers, grant writers
  • Project Stakeholders: Sponsors, maintainers, contributors, consumers

Build reusable assets

  • Repeatable methodology for discovering value
  • MVP Tooling with Development Roadmap

In the long term, we'd like to publish trusted industry-standard Risk Metrics: a kind of S&P for software development, an authoritative source for the significance of metrics and for industry norms.

Work To Date

We're just getting started!



Core Contributors

The criterion for becoming a core contributor is to participate at least once per month over a period of 3 months. Participation could include providing feedback in the weekly D&I meetings, providing feedback on docs, or making other contributions on GitHub (commits / issues). People not participating over a 3 month period may be removed as core contributors.

If you'd like to be on our squad, an easy way to start is by going through the issue list and fixing some. 🎉

All Contributors

Ordered by first name

Are you eligible to be on this list? You are if you helped in any capacity, for example: filed an issue, created a pull request, or gave feedback on our work. The team will try to update this list monthly, but please open an issue or post on the mailing list if we've missed anyone.

If you find yourself missing, please create a pull request or reach out to a maintainer. We started to maintain this list after starting the working group and are likely missing some of you. If you find yourself listed here and want to be removed, please create a pull request or ask a maintainer.