This project's purpose is to explore the topic of, and eventually publish guidance regarding, voluntary security attestations for open source projects under Article 25 of the Cyber Resilience Act.
These attestations can help support the maintenance and security of open source projects in exchange for lowering the compliance burdens of manufacturers that use those projects in commercial products on the European market.
Our current goal is to create a mature proposal by Q2 of 2026.
For more details, see:
**Security attestation of free and open-source software**
In order to facilitate the due diligence obligation set out in Article 13(5), in particular as regards manufacturers that integrate free and open-source software components in their products with digital elements, the Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by establishing voluntary security attestation programmes allowing the developers or users of products with digital elements qualifying as free and open-source software as well as other third parties to assess the conformity of such products with all or certain essential cybersecurity requirements or other obligations laid down in this Regulation.
- Project Lead: Æva Black
- Meeting Times: Every Other Tuesday @ 1530 CET / 1430 UTC
- Mailing List: we're using the ORC mailing list for now
- Matrix Room: https://matrix.to/#/#oss-attestations:fosdem.org
Participation in the CRA Attestation Project is not limited to Eclipse Foundation members. Anyone is welcome to join the bi-weekly meetings, post on the mailing list, or chat with us in the Matrix room.
All maintainers of open source projects that act as, could act as, or are considering acting as Stewards are encouraged to participate.
Discussions and proposals, both during meetings and on the mailing list, should center on projects that have a potential commercial use, and should reflect the broad range of legal entities that support open source projects.
We would like to thank everyone who has contributed to this project -- whether via git contributions, conversations on Matrix or Slack, or during meetings or at events.
Contributors:
- Æva Black
- Juan Rico
- Mathias Schindler
- Dirk-Willem van Gulik
- Greg Wallace
- Salve J. Nilsen
- Elizabeth Mattijsen
- Alistair Woodman
- Anne Dickison
- Tobias Frech
- Timo Perälä
- Tobie Langel
- Seth Larson
- Olle E. Johansson
- Jonatan Männchen
- Roman Zhukov
- Mikael Barbero
- Adrian OSullivan
- Georg Kunz
- Jordan Maris
- Simon Phipps
- Sebastian Tiemann
- Ruth Suehle
- Mark Thomas
- Daniel Thompson-Yvetot
If you have contributed to this document and aren't properly acknowledged or if you want to edit or remove your name, please let us know by opening an issue and we will fix this right away.