The Mobilization Plan: Overall Goals and Activity Streams
A January 2022 meeting at the White House between the private sector, US government experts, and OSS foundations identified three overarching goals:
- Securing OSS Production: focus on preventing security defects and vulnerabilities in code and open source packages in the first place
- Improving Vulnerability Discovery & Remediation: improve the process for finding defects and fixing them
- Shortening Ecosystem Patching Response Time: shorten the response time for distributing and implementing fixes
We feel this is a useful frame to present a series of “activity streams” we propose to meet each of these three goals. A summary of the streams in each goal is given below. The plan for implementing each stream is then more fully described in the appendices at the end of this document.
The plan for each stream described in this document represents the collective effort of a small team of domain experts drawn from the OpenSSF community over the course of a few short weeks. As time goes on we expect these streams, and thus the overall plan, to evolve as we perform further due diligence on the strategy for each stream, look for additional starting points or existing efforts we had not been aware of, identify individuals or organizations who may be able to perform some of the work on a voluntary basis, or as other factors change once the plan becomes more widely known. We are also eager to engage the broader OSS community - individual developers, open source foundations, and organizations who make use of open source code of all sorts - in the further evolution of these plans. Finally, as sources of funding are identified for each stream and the clock begins on a plan, short-term goals may be adjusted to fit the funding available. Please keep these humble beginnings and openness to change in mind while reviewing the plans.
To the degree that any of these plans call for the creation of new technical efforts at the OpenSSF, or create results for redistribution through the OpenSSF, then the technical governance processes used by the OpenSSF, in particular the oversight and management of the Technical Advisory Council, will help ensure that a consistent baseline level of quality and alignment with other OpenSSF efforts is achieved. Nothing in this document should be construed as a proposal to the TAC for a specific effort, or as a proposal to route around that governance. Alternatively, some of these streams may be more efficiently delivered by other existing or new organizations.