- No due date•11/13 issues closed
# Q3 2024 / Milestone 6

## Workstream 1: Build OpenJS Project Security Programs

#### Activities

- B. Establish Minimum Security Compliance guidelines for current and future OpenJS Projects using OpenSSF Best Practices Badge (BPB) and Scorecard criteria
- D. Onboard OpenJS Projects to the OpenSSF BPB and/or Scorecard Programs
- E. Measure current security posture and gaps for each Project against minimum guidelines and larger BPB and/or Scorecard criteria
- F. Identify and support short and long-term roadmap of security initiatives and potential resourcing needs for each Project to achieve their next highest BPB badge level
- G. Develop a dashboard for tracking OpenJS Project Security Compliance using OpenSSF Best Practices Badge, Scorecard, or other data sources

#### Deliverables

- Document: ONGOING OpenSSF BPB and/or Scorecard Guidance for JavaScript Developers
- Document: ONGOING Security Compliance Guidelines for New and Existing OpenJS Projects
- Document: ONGOING Security Roadmaps for OpenJS Projects
- Document: ONGOING Analysis of current and needed resourcing to achieve Security Roadmap
- Dashboard: PROTOTYPE OpenJS Project adherence to Security Compliance guidelines and Project scores from OpenSSF BPB and/or Scorecard

## Workstream 2: Coordinated Vulnerability Disclosure and CVE Management

#### Activities

- D. Support OpenJS Projects in implementing guidance and handling disclosures

#### Deliverables

- Document: MAINTAIN Guidelines for CVD and CVEs for OpenJS Projects
- Document: MAINTAIN Reference of past CVEs and challenges for OpenJS Projects

## Workstream 3: SBOMs in JavaScript

#### Activities

- A. Engage with SBOM community and resources to understand current state of tooling and processes broadly and in relation to the Node.js and npm ecosystems
- B. Develop prototype guidance and processes for OpenJS Projects to generate SBOM(s)
- C. Engage SBOM community and OpenJS Projects to identify technical gaps in the accuracy and value of SBOMs generated using existing tools and prototype guidance
- D. Roadmap plan or identify barriers to OpenJS Projects implementing SBOMs
- E. Leverage lessons learned to gather pragmatic guidance, recommendations, and potential future policy, standards, or engineering needed to advance SBOM adoption

#### Deliverables

- Document: DRAFT Prototype guidance for OpenJS projects to publish SBOMs with existing tools
- Document: DRAFT Technical gaps and implementation barriers for the Node.js and npm ecosystems to generate accurate and valuable SBOMs
- Document: DRAFT OpenJS Project Way Forward and Barriers to SBOM
- Document: DRAFT Pragmatic Current-State Guidance and Recommendations for SBOMs in the Node.js ecosystem
- Document: DRAFT Recommendations and ideas for OpenSSF and policymakers for future work to help advance SBOM adoption in the Node.js and npm ecosystems

## Workstream 4: Cybersecurity Supply Chain Risk Management (C-SCRM) in JavaScript

#### Activities

- A. Engage with C-SCRM community and resources to understand current state of tooling and processes broadly and in relation to the Node.js and npm ecosystems
- B. Develop prototype guidance for OpenJS Projects to adopt C-SCRM practices
- C. Engage C-SCRM community and OpenJS Projects to identify technical gaps when using existing tools and prototype guidance
- D. Roadmap plan or identify barriers to OpenJS Projects implementing C-SCRM practices
- E. Leverage lessons learned to gather pragmatic guidance, recommendations, and potential future policy, standards, or engineering needed to advance C-SCRM adoption

#### Deliverables

- Document: WORKING DRAFT Prototype guidance for OpenJS projects to adopt C-SCRM with existing tools
- Document: DRAFT Technical gaps and implementation barriers to C-SCRM in the Node.js and npm ecosystems
- Document: DRAFT OpenJS Project Way Forward and Barriers to C-SCRM
- Document: DRAFT Pragmatic Current-State Guidance and Recommendations for C-SCRM in the Node.js and npm ecosystems
- Document: DRAFT Recommendations for policymakers and ideas for future work to help advance C-SCRM adoption in the Node.js and npm ecosystems
Overdue by 8 month(s) • Due by September 30, 2024 • 0/1 issues closed

# Q4 2024 / Milestone 7

## Workstream 1: Build OpenJS Project Security Programs

#### Activities

- E. Measure current security posture and gaps for each Project against minimum guidelines and larger BPB and/or Scorecard criteria
- F. Identify and support short and long-term roadmap of security initiatives and potential resourcing needs for each Project to achieve their next highest BPB badge level
- G. Develop a dashboard for tracking OpenJS Project Security Compliance using OpenSSF Best Practices Badge, Scorecard, or other data sources

#### Deliverables

- Document: MAINTAIN OpenSSF BPB and/or Scorecard Guidance for JavaScript Developers
- Document: MAINTAIN Security Compliance Guidelines for New and Existing OpenJS Projects
- Document: MAINTAIN Security Roadmaps for OpenJS Projects
- Document: PUBLISH Analysis of current and needed resourcing to achieve Security Roadmap
- Dashboard: PUBLISH OpenJS Project adherence to Security Compliance guidelines and Project scores from OpenSSF BPB and/or Scorecard

## Workstream 2: Coordinated Vulnerability Disclosure and CVE Management

#### Activities

- D. Support OpenJS Projects in implementing guidance and handling disclosures

#### Deliverables

- Document: MAINTAIN Guidelines for CVD and CVEs for OpenJS Projects
- Document: MAINTAIN Reference of past CVEs and challenges for OpenJS Projects

## Workstream 3: SBOMs in JavaScript

#### Activities

- A. Engage with SBOM community and resources to understand current state of tooling and processes broadly and in relation to the Node.js and npm ecosystems
- B. Develop prototype guidance and processes for OpenJS Projects to generate SBOM(s)
- C. Engage SBOM community and OpenJS Projects to identify technical gaps in the accuracy and value of SBOMs generated using existing tools and prototype guidance
- D. Roadmap plan or identify barriers to OpenJS Projects implementing SBOMs
- E. Leverage lessons learned to gather pragmatic guidance, recommendations, and potential future policy, standards, or engineering needed to advance SBOM adoption

#### Deliverables

- Document: PUBLISH Technical gaps and implementation barriers for the Node.js and npm ecosystems to generate accurate and valuable SBOMs
- Document: MAINTAIN OpenJS Project Way Forward and Barriers to SBOM
- Document: PUBLISH Pragmatic Current-State Guidance and Recommendations for SBOMs in the Node.js ecosystem
- Document: PUBLISH Recommendations and ideas for OpenSSF and policymakers for future work to help advance SBOM adoption in the Node.js and npm ecosystems

## Workstream 4: Cybersecurity Supply Chain Risk Management (C-SCRM) in JavaScript

#### Activities

- A. Engage with C-SCRM community and resources to understand current state of tooling and processes broadly and in relation to the Node.js and npm ecosystems
- B. Develop prototype guidance for OpenJS Projects to adopt C-SCRM practices
- C. Engage C-SCRM community and OpenJS Projects to identify technical gaps when using existing tools and prototype guidance
- D. Roadmap plan or identify barriers to OpenJS Projects implementing C-SCRM practices
- E. Leverage lessons learned to gather pragmatic guidance, recommendations, and potential future policy, standards, or engineering needed to advance C-SCRM adoption

#### Deliverables

- Document: PUBLISH Technical gaps and implementation barriers to C-SCRM in the Node.js and npm ecosystems
- Document: MAINTAIN OpenJS Project Way Forward and Barriers to C-SCRM
- Document: PUBLISH Pragmatic Current-State Guidance and Recommendations for C-SCRM in the Node.js and npm ecosystems
- Document: PUBLISH Recommendations for policymakers and ideas for future work to help advance C-SCRM adoption in the Node.js and npm ecosystems
Overdue by 5 month(s) • Due by December 31, 2024 • 0/6 issues closed

# Q2 2024 / Milestone 5

## Workstream 1: Build OpenJS Project Security Programs

#### Activities

- B. Establish Minimum Security Compliance guidelines for current and future OpenJS Projects using OpenSSF Best Practices Badge (BPB) and Scorecard criteria
- D. Onboard OpenJS Projects to the OpenSSF BPB and/or Scorecard Programs
- E. Measure current security posture and gaps for each Project against minimum guidelines and larger BPB and/or Scorecard criteria
- F. Identify and support short and long-term roadmap of security initiatives and potential resourcing needs for each Project to achieve their next highest BPB badge level

#### Deliverables

- Document: ONGOING UPDATES OpenSSF BPB and/or Scorecard Guidance for JavaScript Developers
- Document: PUBLISH Security Compliance Guidelines for New and Existing OpenJS Projects
- Document: ONGOING Security Roadmaps for OpenJS Projects
- Document: ONGOING Analysis of current and needed resourcing to achieve Security Roadmap

## Workstream 2: Coordinated Vulnerability Disclosure and CVE Management

#### Activities

- C. Finalize CVD and CVE guidance for OpenJS Projects and ecosystem projects
- D. Support OpenJS Projects in implementing guidance and handling disclosures

#### Deliverables

- Document: PUBLISH Guidelines for CVD and CVEs for OpenJS Projects

## Workstream 3: SBOMs in JavaScript

#### Activities

- A. Engage with SBOM community and resources to understand current state of tooling and processes broadly and in relation to the Node.js and npm ecosystems
- B. Develop prototype guidance and processes for OpenJS Projects to generate SBOM(s)
- C. Engage SBOM community and OpenJS Projects to identify technical gaps in the accuracy and value of SBOMs generated using existing tools and prototype guidance
- E. Leverage lessons learned to gather pragmatic guidance, recommendations, and potential future policy, standards, or engineering needed to advance SBOM adoption

#### Deliverables

- Document: IN PROGRESS Prototype guidance for OpenJS projects to publish SBOMs with existing tools
- Document: DRAFT Technical gaps and implementation barriers for the Node.js and npm ecosystems to generate accurate and valuable SBOMs
- Document: IN PROGRESS OpenJS Project Way Forward and Barriers to SBOM
- Document: IN PROGRESS Pragmatic Current-State Guidance and Recommendations for SBOMs in the Node.js ecosystem
- Document: IN PROGRESS Recommendations and ideas for OpenSSF and policymakers for future work to help advance SBOM adoption in the Node.js and npm ecosystems

## Workstream 4: Cybersecurity Supply Chain Risk Management (C-SCRM) in JavaScript

#### Activities

- A. Engage with C-SCRM community and resources to understand current state of tooling and processes broadly and in relation to the Node.js and npm ecosystems
- B. Develop prototype guidance for OpenJS Projects to adopt C-SCRM practices
- C. Engage C-SCRM community and OpenJS Projects to identify technical gaps when using existing tools and prototype guidance
- D. Roadmap plan or identify barriers to OpenJS Projects implementing C-SCRM practices

#### Deliverables

- Document: ONGOING Prototype guidance for OpenJS projects to adopt C-SCRM with existing tools
- Document: DRAFT Technical gaps and implementation barriers to C-SCRM in the Node.js and npm ecosystems
- Document: IN PROGRESS OpenJS Project Way Forward and Barriers to C-SCRM
- Document: IN PROGRESS Pragmatic Current-State Guidance and Recommendations for C-SCRM in the Node.js and npm ecosystems
Overdue by 11 month(s) • Due by June 30, 2024 • 1/17 issues closed

# Q1 2024 / Milestone 4

## Workstream 1: Build OpenJS Project Security Programs

#### Activities

- A. Perform outreach to identify existing security resources for each OpenJS Project
- B. Establish minimum Security Compliance guidelines for current and future OpenJS Projects using OpenSSF Best Practices Badge (BPB) and Scorecard criteria
- C. Develop JavaScript-specific developer guidance for OpenSSF Best Practices Programs
- D. Onboard OpenJS Projects to the OpenSSF BPB and/or Scorecard Programs

#### Deliverables

- Document: ONGOING UPDATES OpenSSF BPB and/or Scorecard Guidance for JavaScript Developers
- Document: DRAFT Minimum Security Compliance Guidelines for New and Existing OpenJS Projects

## Workstream 2: Coordinated Vulnerability Disclosure and CVE Management

#### Activities

- A. Engage OpenJS Projects to understand historical researcher disclosures and CVEs
- B. Understand current vulnerability disclosure processes and challenges for OpenJS Projects
- C. Develop CVD and CVE guidance for OpenJS Projects and ecosystem projects

#### Deliverables

- Document: Reference of past CVEs and challenges for OpenJS Projects
- Document: WORKING DRAFT Guidelines for CVD and CVEs for OpenJS Projects

## Workstream 3: SBOMs in JavaScript

#### Activities

- A. Engage with SBOM community and resources to understand current state of tooling and processes broadly and in relation to the Node.js and npm ecosystems
- B. Develop prototype guidance and processes for OpenJS Projects to generate SBOM(s)
- C. Engage SBOM community and OpenJS Projects to identify technical gaps in the accuracy and value of SBOMs generated using existing tools and prototype guidance

#### Deliverables

- Document: IN PROGRESS Technical gaps and implementation barriers for the Node.js and npm ecosystems to generate accurate and valuable SBOMs

## Workstream 4: Cybersecurity Supply Chain Risk Management (C-SCRM) in JavaScript

#### Activities

- A. Engage with C-SCRM community and resources to understand current state of tooling and processes broadly and in relation to the Node.js and npm ecosystems
- B. Develop prototype guidance for OpenJS Projects to adopt C-SCRM practices
- C. Engage C-SCRM community and OpenJS Projects to identify technical gaps when using existing tools and prototype guidance

#### Deliverables

- Document: ONGOING UPDATES Prototype guidance for OpenJS projects to adopt C-SCRM with existing tools
- Document: IN PROGRESS Technical gaps and implementation barriers to C-SCRM in the Node.js and npm ecosystems
Overdue by 1 year(s) • Due by March 31, 2024 • 2/8 issues closed

Planning: Inventory and analysis audit to establish project Tiers. Identify top 10 Tier 1 projects to start.
Overdue by 2 year(s) • Due by June 30, 2023 • 4/4 issues closed

Implementation: Direct support to maintainers on the menu of OpenSSF Best Practices Badge program
Overdue by 2 year(s) • Due by June 30, 2023 • 5/5 issues closed

Overdue by 1 year(s) • Due by December 31, 2023 • 9/9 issues closed