Inventory of resources relevant to the horizontal CRA standards, Open Source Steward obligations, and voluntary attestation program
The goal of this document is to collect resources that are relevant to the CRA obligations of open-source software stewards and manufacturers when it comes to the development and usage of open source.
Please add all relevant resources as a table row under the relevant section or subsection.
Note: Additional resources are currently collected in this spreadsheet and will be folded into this document shortly.
- Horizontal Type A Standards (due Aug. 2026)
- Horizontal Type B Standards (due Sept. 2027)
- Open Source Steward Cybersecurity policy
- Due diligence requirements of manufacturers
- Voluntary security attestation programmes
- Other
Designing, developing and producing products with digital elements in such a way that they ensure an appropriate level of cybersecurity based on the risks
CRA ref: Annex I, Part I, point (1)
Standards request ref: 1
Impact on steward: Partial obligation ("foster development of secure product", Article 24(1))
Name & URL | Publisher | License | Type | Date | Notes |
---|---|---|---|---|---|
OpenStack Secure Development Guidelines | OpenStack Community | CC-BY-3.0 | informal | 2015-02-18 – present | |
OWASP Software Assurance Maturity Model (SAMM) | OWASP | CC-BY-SA-4.0 | Maturity Model | 2009 – present | SAMM is a maturity model that helps organizations implement a Secure Development Lifecycle. |
OWASP DevSecOps Maturity Model (DSOMM) | OWASP | GPL-3 | Maturity Model | 2017 – present | DSOMM is a maturity model aimed at implementing DevSecOps best practices. |
OWASP Cheat Sheet Series | OWASP | CC-BY-SA-4.0 | Informal Guidelines | 2014 – present | OWASP Cheat Sheets are a collection of pragmatic security guidelines and best practices for a wide range of technologies. |
NIST Secure Software Development Framework (NIST SP 800-218) | National Institute of Standards and Technology (NIST) | No License Required | Guidelines | 2022-02 – present | SSDF is a set of community-derived and regulatory-aligned practices for the creation and usage of software. |
CRA ref: Annex I, Part II
Standards request ref: 15
Impact on steward: obligation
Name & URL | Publisher | License | Type | Date | Notes |
---|---|---|---|---|---|
OpenStack Vulnerability Management Process | OpenStack Community | CC-BY-3.0 | informal | 2011-10-25 – present | Subsequently adapted by many other communities and early inspiration for standards like those compiled by CII/OpenSSF |
PHP Security Policies and Process | PHP Project | none but CC-BY-4.0 proposed | informal | 2024-02-06 – present | Currently only initial information about managing the security.txt file; more content is expected to be added in the future. |
PHP Vulnerability Disclosure Policy | PHP Project | none but CC-BY-4.0 proposed | informal | 2023-12-04 – present | Security issues classification and their handling |
RFC 9116 | IETF | IETF Trust Legal Provisions (TLP) | RFC | 2022-04 | A File Format to Aid in Security Vulnerability Disclosure |
PHP release process | PHP project | PHP 3.01 | informal | 2007-11-22 – present | Includes some information about releasing security fixes. |
ASF Classification of vulnerabilities | ASF | ASLv2 | practice | 2023-04-25 | Captures lessons learned and best practices around vulnerability classification; improves upon similar scales used by Microsoft, OpenSSL, Red Hat and various Apache projects. |
Generic ASF vulnerability reporting process | ASF | ASLv2 | policy | current | Generic process for reporting a vulnerability (i.e. not project specific) |
Generic ASF handling process for vulnerabilities | ASF | ASLv2 | policy | current | Generic process for developers to follow when handling a vulnerability report (i.e. not project/risk specific) |
Guide to coordinated vulnerability disclosure for open source software projects | OpenSSF | CC-BY-4.0 | Guide | 2022 – present | Guidance, templates and advice on how open source projects and security researchers can better coordinate vulnerability disclosures together. |
Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure | Forum of Incident Response and Security Teams (FIRST) | none | Guidelines | Spring 2020 | Guidelines for handling coordination of complex (multi-party) vulnerabilities. |
The CERT® Guide to Coordinated Vulnerability Disclosure | CERT/CC, Software Engineering Institute (SEI) at Carnegie Mellon University | None – approved for public release and unlimited distribution | Guide | | |
Making products with digital elements available on the market without known exploitable vulnerabilities
CRA ref: Annex I, Part I, point (2)(a)
Standards request ref: 2
Impact on steward: attestations
Name & URL | Publisher | License | Type | Date | Notes |
---|---|---|---|---|---|
Making products with digital elements available on the market with a secure by default configuration
CRA ref: Annex I, Part I, point (2)(b)
Standards request ref: 3
Impact on steward: attestations
Name & URL | Publisher | License | Type | Date | Notes |
---|---|---|---|---|---|
Ensuring that vulnerabilities in products with digital elements can be addressed through security updates
CRA ref: Annex I, Part I, point (2)(c)
Standards request ref: 4
Impact on steward: attestations
Name & URL | Publisher | License | Type | Date | Notes |
---|---|---|---|---|---|
Ensuring protection of products with digital elements from unauthorised access and reporting on possible unauthorised access
CRA ref: Annex I, Part I, point (2)(d)
Standards request ref: 5
Impact on steward: attestations
Name & URL | Publisher | License | Type | Date | Notes |
---|---|---|---|---|---|
Protecting the confidentiality of data stored, transmitted or otherwise processed by a product with digital elements
CRA ref: Annex I, Part I, point (2)(e)
Standards request ref: 6
Impact on steward: attestations
Name & URL | Publisher | License | Type | Date | Notes |
---|---|---|---|---|---|
Protecting the integrity of data, commands, programs by a product with digital elements, and its configuration against any manipulation or modification not authorised by the user, as well as reporting on corruptions
CRA ref: Annex I, Part I, point (2)(f)
Standards request ref: 7
Impact on steward: attestations
Name & URL | Publisher | License | Type | Date | Notes |
---|---|---|---|---|---|
Processing only personal or other data that are adequate, relevant and limited to what is necessary in relation to the intended purpose of the product with digital elements (‘minimisation of data’)
CRA ref: Annex I, Part I, point (2)(g)
Standards request ref: 8
Impact on steward: attestations
Name & URL | Publisher | License | Type | Date | Notes |
---|---|---|---|---|---|
CRA ref: Annex I, Part I, point (2)(h)
Standards request ref: 9
Impact on steward: attestations
Name & URL | Publisher | License | Type | Date | Notes |
---|---|---|---|---|---|
Minimising the negative impact of a product with digital elements or its connected devices on the availability of services provided by other devices or networks
CRA ref: Annex I, Part I, point (2)(i)
Standards request ref: 10
Impact on steward: attestations
Name & URL | Publisher | License | Type | Date | Notes |
---|---|---|---|---|---|
CRA ref: Annex I, Part I, point (2)(j)
Standards request ref: 11
Impact on steward: attestations
Name & URL | Publisher | License | Type | Date | Notes |
---|---|---|---|---|---|
Designing, developing and producing products with digital elements that reduce the impact of an incident using appropriate exploitation mitigation mechanisms and techniques
CRA ref: Annex I, Part I, point (2)(k)
Standards request ref: 12
Impact on steward: attestations
Name & URL | Publisher | License | Type | Date | Notes |
---|---|---|---|---|---|
Providing security related information by recording and/or monitoring relevant internal activity of products with digital elements with an opt-out mechanism for the user
CRA ref: Annex I, Part I, point (2)(l)
Standards request ref: 13
Impact on steward: attestations
Name & URL | Publisher | License | Type | Date | Notes |
---|---|---|---|---|---|
Securely and easily removing or transferring all data and settings of a product with digital elements.
CRA ref: Annex I, Part I, point (2)(m)
Standards request ref: 14
Impact on steward: attestations
Name & URL | Publisher | License | Type | Date | Notes |
---|---|---|---|---|---|
CRA ref: Article 24(1)
Standards request ref: N/A
Impact on steward: obligation
Name & URL | Publisher | License | Type | Date | Notes |
---|---|---|---|---|---|
OpenSSF Outbound Vulnerability Disclosure Policy Template | OpenSSF | Apache-2.0 | Policy Template | 2024 – present | |
OpenSSF Security Policy Templates | OpenSSF | Apache-2.0 | Policy Template | 2022 – present | |
CRA ref: Article 13(5)
Standards request ref: N/A
Impact on steward: attestations
Name & URL | Publisher | License | Type | Date | Notes |
---|---|---|---|---|---|
CRA ref: Article 25
Standards request ref: N/A
Impact on steward: attestations
Name & URL | Publisher | License | Type | Date | Notes |
---|---|---|---|---|---|
FreeBSD SSDF Attestation | FreeBSD Foundation | Confidential | attestation | 2024-11-03 | |
Secure Software Development Framework (SSDF) | NIST | Public Domain (attribution appreciated) | recommendations | 2022-02-03 | |
CRA ref: TBD
Standards request ref: N/A
Impact on steward: TBD
Please add relevant resources below that don't fit well in the other categories. Please explain why they're important in the notes.
Name & URL | Publisher | License | Type | Date | Notes |
---|---|---|---|---|---|