Skip to content

ossf/tac

Repository files navigation

OpenSSF Technical Advisory Council (TAC)

The OpenSSF Technical Advisory Council is responsible for oversight of the various Technical Initiatives (TI) of the OpenSSF.

Get Involved

Although the TAC is composed of a set of official members listed below, any community member is welcome to participate in the TAC discussions.

Official communications occur on the TAC mailing list. Manage your subscriptions to Open SSF mailing lists.

Informal discussions occur in the TAC channel of the OpenSSF Slack. To join, use the following invite link.

Use GitHub Issues to request and discuss agenda items.

If you need support in any part of the process, please email operations@openssf.org.

Meetings

The TAC meetings minutes are online and appear on the OpenSSF Community Calendar.

Meetings are also recorded and posted to the OpenSSF YouTube channel.

TAC Members

Name Position Email Organization Term
Arnaud J Le Hors Vice Chair lehors@us.ibm.com IBM January 2024 - December 2025
Bob Callaway bcallaway@google.com Google January 2024 - December 2024*
Dan Appelquist dan@torgo.com Samsung January 2024 - December 2024
Michael Lieberman mike@kusari.dev Kusari January 2024 - December 2024
Zach Steindler Chair steiza@github.com GitHub January 2024 - December 2024
Marcela Melara marcela.melara@intel.com Intel January 2024 - December 2025
Sarah Evans sarah.evans@dell.com Dell January 2024 - December 2024*
Jautau "Jay" White jaywhite@microsoft.com Microsoft January 2024 - December 2025

NOTE: * marked entries denote OpenSSF Governing Board appointed members, others are community elected. There is currently 1 vacant Governing Board appointed seat.

Charter

The TAC is chartered as part of the Open Source Security Foundation Charter.

Technical Initiatives

The governance of TIs is documented in the process section. This section provides you with all the information about the different types of initiatives and how they are managed, as well as how to propose a new initiative. It also covers the different levels of maturity a TI can be in, the requirements that must be met to move up to the next level, as well as the benefits that come with each level.

The following Technical Initiatives have been approved by the TAC. You may learn more about their status through their quarterly reports.

Working Groups (WGs)

Name Repository Notes Status
Vulnerability Disclosures https://github.com/ossf/wg-vulnerability-disclosures Meeting Notes Graduated
Security Tooling https://github.com/ossf/wg-security-tooling Meeting Notes Incubating
Security Best Practices https://github.com/ossf/wg-best-practices-os-developers Meeting Notes Graduated
Securing Critical Projects https://github.com/ossf/wg-securing-critical-projects Meeting Notes Incubating
Supply Chain Integrity https://github.com/ossf/wg-supply-chain-integrity Meeting Notes Incubating
Securing Software Repositories https://github.com/ossf/wg-securing-software-repos Meeting Notes Graduated
Diversity, Equity, & Inclusion https://github.com/ossf/wg-dei Meeting Notes Incubating
AI/ML Security https://github.com/ossf/ai-ml-security Meeting Notes Incubating

Projects

Name Repository/Home Page Notes Sponsoring Org Status
Best Practices Badge https://github.com/coreinfrastructure/best-practices-badge Mailing list Best Practices WG TBD
Bomctl https://github.com/bomctl/bomctl Meeting Notes Security Tooling WG Sandbox
Criticality Score https://github.com/ossf/criticality_score Meeting Notes Securing Critical Projects WG TBD
Fuzz Introspector https://github.com/ossf/fuzz-introspector Meeting Notes Security Tooling WG TBD
GUAC https://guac.sh Meeting Notes Supply Chain Integrity WG Incubating
gittuf https://github.com/gittuf/gittuf TBD Supply Chain Integrity WG Sandbox
OpenSSF Scorecard https://github.com/ossf/scorecard Meeting Notes Best Practices WG Incubating
OpenSSF Scorecard — Allstar https://github.com/ossf/allstar Meeting Notes Best Practices WG
OpenVEX https://github.com/openvex Meeting Notes Vulnerability Disclosures WG Sandbox
OSV Schema https://github.com/ossf/osv-schema Meeting Notes Vulnerability Disclosures WG TBD
Minder https://github.com/mindersec/minder New project for inclusion Security Tooling WG Sandbox
Model signing https://github.com/sigstore/model-transparency/blob/main/README.model_signing.md Meeting Notes AI/ML Security WG Sandbox
Package Analysis https://github.com/ossf/package-analysis Meeting Notes Securing Critical Projects WG TBD
Package Feeds https://github.com/ossf/package-feeds Meeting Notes Securing Critical Projects WG TBD
Protobom https://github.com/protobom/protobom Meeting Notes Security Tooling WG Sandbox
Repository Service for TUF https://github.com/repository-service-tuf/repository-service-tuf Meeting Notes Securing Software Repositories WG Incubating
S2C2F https://github.com/ossf/s2c2f Meeting Notes Supply Chain Integrity WG Incubating
SBOMit https://github.com/sbomit Meeting Notes Security Tooling WG Sandbox
Security Insights Spec https://github.com/ossf/security-insights-spec Meeting Notes Metrics & Metadata WG TBD
Security Metrics https://github.com/ossf/Project-Security-Metrics Meeting Notes Metrics & Metadata WG Archived
Sigstore https://github.com/sigstore Meeting Notes OpenSSF TAC Graduated
SLSA https://github.com/slsa-framework/slsa Meeting Notes Supply Chain Integrity WG TBD
SLSA Tooling https://github.com/ossf/wg-supply-chain-integrity/blob/main/slsa-tooling.md Meeting Notes Supply Chain Integrity WG TBD
Zarf https://github.com/defenseunicorns/zarf Meeting Notes Supply Chain Integrity WG Sandbox

OpenSSF affiliated projects

Name Repository Notes Status
Core Toolchain Infrastructure https://git.coretoolchain.dev/ TBD TBD
Alpha Omega https://github.com/ossf/alpha-omega TBD TBD

Special Interest Groups (SIGs)

SIGs can be created and managed without formal approval from the TAC. The following is for information purpose only.

Name Repository/Home Page Governing Org Notes Status
CVD Guides https://github.com/ossf/oss-vulnerability-guide Vulnerability Disclosures WG TBD TBD
OpenVEX https://github.com/ossf/OpenVEX Vulnerability Disclosures WG TBD TBD
Education https://github.com/ossf/education Best Practices WG TBD TBD
Memory Safety https://github.com/ossf/Memory-Safety Best Practices WG TBD TBD
C/C++ Compiler Options https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Compiler-Hardening-Guides Best Practices WG TBD TBD
Python Hardening https://github.com/ossf/wg-best-practices-os-developers/tree/main/docs/Secure-Coding-Guide-for-Python Best Practices WG TBD TBD
Security Baseline https://github.com/ossf/security-baseline Best Practices WG TBD TBD
SBOM Everywhere https://github.com/ossf/sbom-everywhere Security Tooling WG TBD TBD
OSS Fuzzing https://github.com/ossf/wg-security-tooling?tab=readme-ov-file#oss-fuzzing-sig Security Tooling WG TBD TBD

Overview Diagrams

Diagrams with an overview of the OpenSSF, including its projects and SIGs, are available in the presentation OpenSSF Introduction (including Diagrammers’ Society diagrams) as created and maintained by the OpenSSF Diagrammer's Society.

Antitrust Policy

Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.

Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.