OpenSSF Technical Advisory Council (TAC)

The OpenSSF Technical Advisory Council is responsible for oversight of the various Technical Initiatives (TI) of the OpenSSF.

Get Involved

Although the TAC is composed of a set of official members listed below, any community member is welcome to participate in the TAC discussions.

Official communications occur on the TAC mailing list. Manage your subscriptions to OpenSSF mailing lists.

Informal discussions occur in the TAC channel of the OpenSSF Slack. To join, use the following invite link.

Use GitHub Issues to request and discuss agenda items.

If you need support in any part of the process, please email operations@openssf.org.

Meetings

TAC meeting minutes are online, and the meetings themselves appear on the OpenSSF Community Calendar.

Meetings are also recorded and posted to the OpenSSF YouTube channel.

TAC Members

| Name | Position | Email | Organization | Term |
|---|---|---|---|---|
| Arnaud J Le Hors | Vice Chair | lehors@us.ibm.com | IBM | January 2024 - December 2025 |
| Bob Callaway | | bcallaway@google.com | Google | January 2024 - December 2024* |
| Dan Appelquist | | dan@torgo.com | Samsung | January 2024 - December 2024 |
| Michael Lieberman | | mike@kusari.dev | Kusari | January 2024 - December 2024 |
| Zach Steindler | Chair | steiza@github.com | GitHub | January 2024 - December 2024 |
| Marcela Melara | | marcela.melara@intel.com | Intel | January 2024 - December 2025 |
| Sarah Evans | | sarah.evans@dell.com | Dell | January 2024 - December 2024* |
| Jautau "Jay" White | | jaywhite@microsoft.com | Microsoft | January 2024 - December 2025 |

NOTE: Entries marked with * denote OpenSSF Governing Board appointed members; all others are community elected. There is currently 1 vacant Governing Board appointed seat.

Charter

The TAC is chartered as part of the Open Source Security Foundation Charter.

Technical Initiatives

The governance of TIs is documented in the process section. This section provides you with all the information about the different types of initiatives and how they are managed, as well as how to propose a new initiative. It also covers the different levels of maturity a TI can be in, the requirements that must be met to move up to the next level, as well as the benefits that come with each level.

The following Technical Initiatives have been approved by the TAC. You may learn more about their status through their quarterly reports.

Working Groups (WGs)

| Name | Repository | Notes | Status |
|---|---|---|---|
| Vulnerability Disclosures | https://github.com/ossf/wg-vulnerability-disclosures | Meeting Notes | Graduated |
| Security Tooling | https://github.com/ossf/wg-security-tooling | Meeting Notes | Incubating |
| Security Best Practices | https://github.com/ossf/wg-best-practices-os-developers | Meeting Notes | Graduated |
| Metrics & Metadata | https://github.com/ossf/wg-metrics-and-metadata | Meeting Notes | Incubating |
| Securing Critical Projects | https://github.com/ossf/wg-securing-critical-projects | Meeting Notes | Incubating |
| Supply Chain Integrity | https://github.com/ossf/wg-supply-chain-integrity | Meeting Notes | Incubating |
| Securing Software Repositories | https://github.com/ossf/wg-securing-software-repos | Meeting Notes | Graduated |
| End Users | https://github.com/ossf/wg-endusers | Meeting Notes | Incubating |
| Diversity, Equity, & Inclusion | https://github.com/ossf/wg-dei | Meeting Notes | Incubating |
| AI/ML Security | https://github.com/ossf/ai-ml-security | Meeting Notes | Incubating |

Projects

| Name | Repository/Home Page | Notes | Sponsoring Org | Status |
|---|---|---|---|---|
| Best Practices Badge | https://github.com/coreinfrastructure/best-practices-badge | Mailing list | Best Practices WG | TBD |
| Bomctl | https://github.com/bomctl/bomctl | Meeting Notes | Security Tooling WG | Sandbox |
| Criticality Score | https://github.com/ossf/criticality_score | Meeting Notes | Securing Critical Projects WG | TBD |
| Fuzz Introspector | https://github.com/ossf/fuzz-introspector | Meeting Notes | Security Tooling WG | TBD |
| GUAC | https://guac.sh | Meeting Notes | Supply Chain Integrity WG | Incubating |
| gittuf | https://github.com/gittuf/gittuf | TBD | Supply Chain Integrity WG | Sandbox |
| OpenSSF Scorecard | https://github.com/ossf/scorecard | Meeting Notes | Best Practices WG | Incubating |
| OpenSSF Scorecard — Allstar | https://github.com/ossf/allstar | Meeting Notes | Best Practices WG | |
| OpenVEX | https://github.com/openvex | Meeting Notes | Vulnerability Disclosures WG | Sandbox |
| OSV Schema | https://github.com/ossf/osv-schema | Meeting Notes | Vulnerability Disclosures WG | TBD |
| Minder | https://github.com/mindersec/minder | New project for inclusion | Security Tooling WG | Sandbox |
| Model signing | TBD (to be created) | Meeting Notes | AI/ML Security WG | Sandbox |
| Package Analysis | https://github.com/ossf/package-analysis | Meeting Notes | Securing Critical Projects WG | TBD |
| Package Feeds | https://github.com/ossf/package-feeds | Meeting Notes | Securing Critical Projects WG | TBD |
| Protobom | http://github.com/bom-squad/protobom | Meeting Notes | Security Tooling WG | Sandbox |
| Repository Service for TUF | https://github.com/repository-service-tuf/repository-service-tuf | Meeting Notes | Securing Software Repositories WG | Incubating |
| S2C2F | https://github.com/ossf/s2c2f | Meeting Notes | Supply Chain Integrity WG | Incubating |
| SBOMit | https://github.com/sbomit | Meeting Notes | Security Tooling WG | Sandbox |
| Security Insights Spec | https://github.com/ossf/security-insights-spec | Meeting Notes | Metrics & Metadata WG | TBD |
| Security Metrics | https://github.com/ossf/Project-Security-Metrics | Meeting Notes | Metrics & Metadata WG | Archived |
| Sigstore | https://github.com/sigstore | Meeting Notes | OpenSSF TAC | Graduated |
| SLSA | https://github.com/slsa-framework/slsa | Meeting Notes | Supply Chain Integrity WG | TBD |
| SLSA Tooling | https://github.com/ossf/wg-supply-chain-integrity/blob/main/slsa-tooling.md | Meeting Notes | Supply Chain Integrity WG | TBD |
| Zarf | https://github.com/defenseunicorns/zarf | Meeting Notes | Supply Chain Integrity WG | Sandbox |

OpenSSF affiliated projects

| Name | Repository | Notes | Status |
|---|---|---|---|
| Core Toolchain Infrastructure | https://git.coretoolchain.dev/ | TBD | TBD |
| Alpha Omega | https://github.com/ossf/alpha-omega | TBD | TBD |

Special Interest Groups (SIGs) - To Be Completed

SIGs can be created and managed without formal approval from the TAC. The following is for information purposes only.

| Name | Repository/Home Page | Notes | Governing Org | Status |
|---|---|---|---|---|

Overview Diagrams

Diagrams giving an overview of the OpenSSF, including its projects and SIGs, are available in the presentation OpenSSF Introduction (including Diagrammers' Society diagrams), created and maintained by the OpenSSF Diagrammers' Society.

Antitrust Policy

Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.

Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.