This project identifies best practices for Free/Libre and Open Source Software (FLOSS) and implements a badging system for those best practices. The "BadgeApp" badging system is a simple web application that lets projects self-certify that they meet the criteria and show a badge. The real goal of this project is to encourage projects to apply best practices, and to help users determine which FLOSS projects do so. We believe that FLOSS projects that implement best practices are more likely to produce better software, including more secure software.
See the Core Infrastructure Initiative (CII) Best Practices badge website if you want to try to actually get a badge.
This is the development site for the criteria and badge application software that runs the website. Feedback is very welcome via the GitHub site as issues or pull (merge) requests. There is also a mailing list for general discussion.
- Badging Criteria
- Information on how to contribute (including how to report vulnerabilities)
- Other draft criteria (for higher-level badges)
- Background on Badging
- ChangeLog
- Current implementation - notes about the BadgeApp implementation
- security - notes about BadgeApp security
- testing - notes about BadgeApp automated tests
This is a summary of the criteria, with requirements in bold (for details, see the full list of criteria):
- Have a stable website, which says:
- Explicitly specify a FLOSS license
- Support HTTPS on the project sites
- Document how to install and run (securely), and any API
- Have a distributed **public version control system,
- including changes between releases**:
- Allow bug reports to be submitted,
archived and
tracked:
- Acknowledge/respond to bugs & enhancement requests, rather than ignoring them
- Have a secure, documented process for reporting vulnerabilities
- Respond within 14 days, and fix vulnerabilities, within 60 days if they're public
- Have a build that works, using standard open-source tools
- Have an automated test suite that covers most of the code/functionality, and officially require new tests for new code
- Automate running the tests on all changes, and apply dynamic checks:
- Have a developer who understands secure software and common vulnerability errors
- If cryptography is used:
- Use public protocols/algorithm
- Don't re-implement standard functionality
- Use open-source cryptography
- Use key lengths that will stay secure
- Don't use known-broken or known-weak algorithms
- Use algorithms with forward secrecy
- Store any passwords with iterated, salted, hashes using a key-stretching algorithm
- Use cryptographic random number sources
All material is released under the MIT license. All material that is not executable, including all text when not executed, is also released under the Creative Commons Attribution 3.0 International (CC BY 3.0) license or later. In SPDX terms, everything here is licensed under MIT; if it's not executable, including the text when extracted from code, it's "(MIT OR CC-BY-3.0+)".