Update faq.md - What is in scope for the Open Source Project Security Baseline, and what is out of scope ? #333
Draft: wants to merge 2 commits into base: main
6 changes: 6 additions & 0 deletions docs/faq.md
@@ -73,6 +73,12 @@ Since the Baseline is designed for the developers of a project, not the consumer
OSPS Baseline compliance is a point-in-time status.
We encourage projects using the OSPS Baseline to say something like “As of April 31, 2025, this project complies with OSPS Baseline version 2025-02-30 level 2.”

## What is in scope for the Open Source Project Security Baseline, and what is out of scope?

This baseline seeks to address security hygiene elements — those which lock down the ways of working, delivering the product, and equipping its users to adopt it safely. To use an analogy, it’s like home builders who lock up tools, secure the construction site, and control who enters, but also ensure the finished house is handed over with clear instructions for safe use. It’s not about changing the blueprint—it’s about protecting the build process and delivering a home that’s ready to live in securely.

By contrast, secure design and development are out of scope for this activity. Continuing the analogy, those activities would be the responsibility of the architects and builders who create the blueprint and decide how the house is constructed to prevent break-ins—with reinforced doors, secure locks, strategic layouts/no backdoor, or built-in security systems. It’s about designing security into the structure itself, not just safeguarding the build and handoff.
Comment on lines +78 to +80
@eddie-knight eddie-knight Jun 2, 2025

Suggested change
This baseline seeks to address security hygiene elements — those which lock down the ways of working, delivering the product, and equipping its users to adopt it safely. To use an analogy, it’s like home builders who lock up tools, secure the construction site, and control who enters, but also ensure the finished house is handed over with clear instructions for safe use. It’s not about changing the blueprint—it’s about protecting the build process and delivering a home that’s ready to live in securely.
By contrast, secure design and development are out of scope for this activity. Continuing the analogy, those activities would be the responsibility of the architects and builders who create the blueprint and decide how the house is constructed to prevent break-ins—with reinforced doors, secure locks, strategic layouts/no backdoor, or built-in security systems. It’s about designing security into the structure itself, not just safeguarding the build and handoff.
This baseline seeks to address security hygiene elements — those which lock down the ways of working, delivering the product, and equipping its users to adopt it safely.
To use an analogy, it’s like home builders who lock up tools, secure the construction site, and control who enters, but also ensure the finished house is handed over with clear instructions for safe use.
We're not checking the quality of your blueprint... just making sure that you have one on record with the city.
Design and development are part of the [assessment](https://github.com/ossf/security-assessments) activity, which is comparable to evaluating the blueprint of a home before it is constructed.

I'm not sure I like the term "lock down" here (even if we're talking about controls, I prefer to think of it as "defending against yourself on your worst days"). How about:

The baseline seeks to address security hygiene practices — much like workspace and product safety requirements in other domains. Using a construction analogy, baseline is similar to the jobsite rules and processes (hard hats, fencing, etc.) a builder uses to prevent injuries to workers as they are building a house, and also covers the documentation standards used to provide operation and maintenance instructions for the final owner.

I think some combination of Eddie's and Evan's suggestions is the right answer here. Let's see if I can come up with a good blend. :-)


## How can I get involved in the OSPS Baseline project?
The OSPS Baseline project welcomes contributions in the [GitHub repository](https://github.com/ossf/security-baseline/pull/24/files).
For discussion, join us in [#sig-security-baseline](https://openssf.slack.com/archives/C07DC6TT2QY) in the OpenSSF Slack instance.
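Review bot: the two added paragraphs punctuate the same construction inconsistently: "elements — those" uses a spaced em-dash while "blueprint—it's" and "break-ins—with" use unspaced ones; pick one form for the whole FAQ. In the second paragraph, "strategic layouts/no backdoor" is a slash-joined fragment that reads awkwardly in a list of concrete measures; consider "strategic layouts with no back door". Finally, the out-of-scope paragraph tells readers what the Baseline does not cover but not where that work lives; the suggestion in the thread links secure design and development to the separate assessment activity (https://github.com/ossf/security-assessments), and a sentence to that effect would give readers a concrete next step.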