Open_Source_Policy.md
June 28, 2026 ยท View on GitHub
๐ Hack23 AB โ Open Source Policy
๐ก๏ธ Demonstrating Security Excellence Through Transparent Open Source
๐ฏ Evidence-Based Governance for Community-Aligned Innovation
๐ Document Owner: CEO | ๐ Version: 2.6 | ๐
Last Updated: 2026-06-28 (UTC)
๐ Review Cycle: Annual | โฐ Next Review: 2027-06-28
๐ฏ Purpose Statement
Hack23 AB demonstrates that open source transparency creates competitive advantage through systematic security excellence. Our open source policy serves as both operational framework and public demonstration of our cybersecurity consulting expertise.
This policy embodies our ๐ transparency principle - making security practices publicly verifiable while maintaining ๐ competitive advantage through innovative implementations and ๐ค customer trust via demonstrable open source governance.
๐ข Transparency Commitments
- ๐๏ธ Public Security Badges: OpenSSF Scorecard, CII Best Practices, FOSSA license compliance demonstrate continuous validation
- ๐๏ธ Architecture Documentation: Every repository maintains SECURITY_ARCHITECTURE.md per Secure Development Policy
- ๐ Compliance Evidence: Real-time security posture through automated badge generation and public metrics
- ๐ Supply Chain Transparency: SBOM generation, dependency tracking, and vulnerability disclosure
โ James Pether Sรถrling, CEO/Founder
๐ Purpose & Scope
This policy establishes comprehensive governance for creating, maintaining, and contributing to open source projects, ensuring ๐ operational excellence and ๐ก innovation enablement.
Scope:
- All Hack23-owned repositories and organizations
- Forks and derivatives under Hack23 control
- Contributions made by Hack23 personnel to external projects
- Third-party open source usage and compliance
Out of scope: Internal-only repositories not intended for public distribution
๐งญ Core Principles
- ๐ Transparency: Security posture and governance evidence publicly visible through badges and documentation
- ๐ Security-by-default: Preventive controls per Secure Development Policy with evidence-based validation
- โ Compliance-first: License compliance via FOSSA, REUSE, and automated scanning
- ๐ค Community respect: Follow upstream guidelines, maintain attribution, enforce code of conduct
- ๐ Evidence-based: All security claims backed by public badges, reports, and metrics
๐ค Roles & Responsibilities
CEO/Founder
- Policy owner and final arbiter on licensing decisions
- Exception approver for license conflicts or security issues
- Strategic open source direction and partnership decisions
Repository Maintainer
- Ensures policy compliance through badge integration
- Maintains security documentation per Secure Development Policy
- Manages vulnerability disclosure and remediation
Contributors
- Adheres to repository CONTRIBUTING.md and CODE_OF_CONDUCT.md
- Ensures license compatibility before introducing dependencies
- Reports security issues through proper channels
๐ Policy Requirements
๐๏ธ 1) Security Posture Evidence
All repositories MUST demonstrate security excellence through public badges and metrics:
๐ Required Security Badges
- OpenSSF Scorecard: Supply chain security assessment โฅ7.0 score
- CII Best Practices: Open source maturity at least "Passing" level
- SLSA Level 3: Build provenance and integrity attestation
- Quality Gate: SonarCloud or equivalent showing "Passed" status
๐ License Compliance Badges
- FOSSA Status: License scanning and compliance verification
- REUSE Compliant: Clear licensing information for all files
- License Badge: Clear display of repository license
๐ Reference Implementation
๐๏ธ Citizen Intelligence Agency:
๐ช๐บ European Parliament MCP Server:
๐ช๐บ EU Parliament Monitor:
๐ 2) Governance Artifacts
Every repository MUST maintain comprehensive governance documentation:
๐ Security Documentation Requirements
Per Secure Development Policy:
- SECURITY_ARCHITECTURE.md: Current security implementation with Mermaid diagrams
- FUTURE_SECURITY_ARCHITECTURE.md: Planned security improvements roadmap
- SECURITY.md: Coordinated vulnerability disclosure process
- WORKFLOWS.md: CI/CD pipeline documentation with security gates
๐ Implementation Evidence:
- ๐๏ธ CIA: SECURITY_ARCHITECTURE.md โข FUTURE_SECURITY_ARCHITECTURE.md โข SECURITY.md โข WORKFLOWS.md
- ๐ฎ Black Trigram: SECURITY_ARCHITECTURE.md โข FUTURE_SECURITY_ARCHITECTURE.md โข SECURITY.md โข WORKFLOWS.md
- ๐ CIA Compliance Manager: SECURITY_ARCHITECTURE.md โข FUTURE_SECURITY_ARCHITECTURE.md โข SECURITY.md โข WORKFLOWS.md
- ๐ช๐บ EP MCP Server: SECURITY_ARCHITECTURE.md โข FUTURE_SECURITY_ARCHITECTURE.md โข SECURITY.md โข WORKFLOWS.md
- ๐ช๐บ EU Parliament Monitor: SECURITY_ARCHITECTURE.md โข FUTURE_SECURITY_ARCHITECTURE.md โข SECURITY.md โข WORKFLOWS.md
- ๐ณ๏ธ Riksdagsmonitor: SECURITY_ARCHITECTURE.md โข FUTURE_SECURITY_ARCHITECTURE.md โข SECURITY.md โข WORKFLOWS.md
๐ License & Compliance Documentation
- LICENSE: OSI-approved license clearly stated
- NOTICE: Attribution for third-party components
- LICENSES/: Directory containing all dependency licenses (automated via FOSSA)
- .reuse/dep5: Machine-readable licensing information
- CRA-ASSESSMENT.md: EU Cyber Resilience Act compliance assessment
๐ Implementation Evidence:
- ๐๏ธ CIA: LICENSE โข CRA-ASSESSMENT.md โข NOTICE
- ๐ฎ Black Trigram: LICENSE โข CRA-ASSESSMENT.md
- ๐ CIA Compliance Manager: LICENSE โข CRA-ASSESSMENT.md
- ๐ช๐บ EP MCP Server: LICENSE โข CRA-ASSESSMENT.md
- ๐ช๐บ EU Parliament Monitor: LICENSE โข CRA-ASSESSMENT.md
- ๐ณ๏ธ Riksdagsmonitor: LICENSE โข CRA-ASSESSMENT.md
๐ค Community Documentation
- CODE_OF_CONDUCT.md: Community behavior standards
- CONTRIBUTING.md: Contribution guidelines and requirements
- README.md: Must include "Project Classification" section per Classification Framework
๐ Implementation Evidence:
- ๐๏ธ CIA: CODE_OF_CONDUCT.md โข CONTRIBUTING.md โข README.md
- ๐ฎ Black Trigram: CODE_OF_CONDUCT.md โข CONTRIBUTING.md โข README.md
- ๐ CIA Compliance Manager: CODE_OF_CONDUCT.md โข CONTRIBUTING.md โข README.md
- ๐ช๐บ EP MCP Server: CODE_OF_CONDUCT.md โข CONTRIBUTING.md โข README.md
- ๐ช๐บ EU Parliament Monitor: CODE_OF_CONDUCT.md โข CONTRIBUTING.md โข README.md
- ๐ณ๏ธ Riksdagsmonitor: CODE_OF_CONDUCT.md โข CONTRIBUTING.md โข README.md
๐ 3) Security Implementation Requirements
๐ก๏ธ Supply Chain Security
Aligned with Secure Development Policy:
- SBOM Generation: CycloneDX or SPDX format for all releases
- Dependency Scanning: Automated vulnerability detection via Dependabot/Renovate
- License Scanning: FOSSA integration for continuous compliance monitoring
- Artifact Signing: Sigstore/cosign for release integrity
๐ Implementation Evidence:
- ๐๏ธ CIA: Dependabot Config โข SBOM Workflow โข Release Signing
- ๐ฎ Black Trigram: Dependabot Config โข Security Workflow โข Release Signing
- ๐ CIA Compliance Manager: Dependabot Config โข Security Workflow โข Release Signing
- ๐ช๐บ EP MCP Server: Dependabot Config โข Release Signing
- ๐ช๐บ EU Parliament Monitor: Dependabot Config โข Dependency Review โข Release Signing
- ๐ณ๏ธ Riksdagsmonitor: Dependabot Config โข Dependency Review โข Release Signing
๐ Vulnerability Management
Per Vulnerability Management SLAs:
- Critical: Remediation within 24 hours
- High: Remediation within 7 days
- Medium: Remediation within 30 days
- Low: Remediation within 90 days
๐ Live Security Status:
- ๐๏ธ CIA: Security Overview โข Code Scanning โข Dependabot Alerts
- ๐ฎ Black Trigram: Security Overview โข Code Scanning โข Dependabot Alerts
- ๐ CIA Compliance Manager: Security Overview โข Code Scanning โข Dependabot Alerts
- ๐ช๐บ EP MCP Server: Security Overview โข Code Scanning โข Dependabot Alerts
- ๐ช๐บ EU Parliament Monitor: Security Overview โข Dependabot Alerts
- ๐ณ๏ธ Riksdagsmonitor: Security Overview โข Dependabot Alerts
๐ Security Testing Integration
As defined in Secure Development Policy:
- SAST: SonarCloud or equivalent on every commit
- SCA: Dependency vulnerability scanning
- Secret Scanning: GitHub secret scanning or equivalent
- DAST: OWASP ZAP for web applications
๐ Testing Evidence:
- ๐๏ธ CIA: SonarCloud Dashboard โข Test Results โข Coverage Report
- ๐ฎ Black Trigram: SonarCloud Dashboard โข Test Results โข E2E Tests
- ๐ CIA Compliance Manager: SonarCloud Dashboard โข Test Results โข E2E Tests
- ๐ช๐บ EP MCP Server: Test Coverage โข Unit Tests โข E2E Tests
- ๐ช๐บ EU Parliament Monitor: CI Workflows โข Code Scanning โข Dependabot Alerts
- ๐ณ๏ธ Riksdagsmonitor: CI Workflows โข Code Scanning โข Dependabot Alerts
๐ 4) License Compliance Framework
โ Approved Licenses (Pre-approved)
- Permissive: MIT, Apache 2.0, BSD (2/3-clause), ISC
- Weak Copyleft: LGPL 2.1/3.0, MPL 2.0, EPL 2.0
- Documentation: CC-BY-4.0, CC-BY-SA-4.0
โ ๏ธ Review Required Licenses
- Strong Copyleft: GPL 2.0/3.0, AGPL 3.0 (CEO approval required)
- Non-standard: Custom or modified licenses
- Commercial: Dual-licensed components
โ Prohibited Licenses
- Licenses with advertising clauses
- Licenses incompatible with our primary license
- Licenses with unclear terms or missing attribution
๐ License Compliance Validation
- Automated Scanning: FOSSA runs on every pull request
- Manual Review: Required for license conflicts or exceptions
- Compliance Reports: Monthly FOSSA reports reviewed by CEO
- Attribution Management: Automated NOTICE file generation
๐ FOSSA Integration Evidence:
- ๐๏ธ CIA:
โข License Report
- ๐ฎ Black Trigram:
โข License Report
- ๐ CIA Compliance Manager:
โข License Report
- ๐ช๐บ EP MCP Server:
- ๐ช๐บ EU Parliament Monitor:
- ๐ณ๏ธ Riksdagsmonitor:
๐ท๏ธ 5) Classification & Documentation
๐ Required Classification Elements
Each project README MUST declare:
- CIA Triad: Confidentiality, Integrity, Availability levels
- Business Impact: Financial, Operational, Reputational, Regulatory
- RTO/RPO: Recovery objectives aligned with classification
- Strategic Value: ROI and competitive positioning
๐ Classification Implementation:
- ๐๏ธ CIA: README Classification Section โข Links to canonical framework
- ๐ฎ Black Trigram: README Classification Section โข References framework definitions
- ๐ CIA Compliance Manager: README Classification Section โข Aligned with ISMS standards
- ๐ช๐บ EP MCP Server: README โข ISMS-compliant, GDPR-ready
- ๐ช๐บ EU Parliament Monitor: README โข SLSA Level 3 provenance
- ๐ณ๏ธ Riksdagsmonitor: README โข Quality checks and dependency review
๐ 6) Data Protection Requirements
Aligned with Data Classification Policy:
๐ซ Prohibited Data in Repositories
- Personal data (PII/GDPR regulated)
- Confidential business information
- Production credentials or API keys
- Customer data or analytics
โ Acceptable Data Practices
- Anonymized or synthetic test data only
- Example configurations with placeholder values
- Documentation with redacted sensitive information
- Public datasets with appropriate licensing
๐ค 7) Third-Party Contributions
๐ฅ Accepting External Contributions
- CLA/DCO: Developer Certificate of Origin required
- License Compatibility: Verify contribution license alignment
- Security Review: Code review per Change Management
- Attribution: Maintain CONTRIBUTORS file
๐ Contribution Evidence:
- ๐๏ธ CIA: Contributors List โข Pull Request History
- ๐ฎ Black Trigram: Contributors List โข Pull Request History
- ๐ CIA Compliance Manager: Contributors List โข Pull Request History
- ๐ช๐บ EP MCP Server: Contributors List โข Pull Request History
- ๐ช๐บ EU Parliament Monitor: Contributors List โข Pull Request History
- ๐ณ๏ธ Riksdagsmonitor: Contributors List โข Pull Request History
๐ก๏ธ Security Evidence Framework
๐ CRA Conformity Assessment Evidence
Demonstrating EU Cyber Resilience Act compliance readiness through systematic self-assessment:
๐ CRA Assessment Portfolio:
- ๐๏ธ CIA:
โข ๐ Full Assessment
- ๐ฎ Black Trigram:
โข ๐ Full Assessment
- ๐ CIA Compliance Manager:
โข ๐ Full Assessment
- ๐ช๐บ EP MCP Server:
โข ๐ Full Assessment
- ๐ช๐บ EU Parliament Monitor:
โข ๐ Full Assessment
- ๐ณ๏ธ Riksdagsmonitor:
โข ๐ Full Assessment
- Annex I ยง 1.1: Secure by Design architecture documentation
- Annex I ยง 2.2: Coordinated vulnerability disclosure via SECURITY.md
- Annex I ยง 2.3: SBOM generation for all releases
- Annex I ยง 2.4: Signed updates with SLSA attestations
- Annex I ยง 2.5: Comprehensive security monitoring and logging
๐๏ธ Security Architecture Excellence
๐ Architecture Documentation:
- ๐๏ธ CIA: Security Architecture โข Future Security โข Threat Model
- ๐ฎ Black Trigram: Security Architecture โข Future Security โข Threat Model
- ๐ CIA Compliance Manager: Security Architecture โข Future Security โข Threat Model
- ๐ช๐บ EP MCP Server: Security Architecture โข Future Security โข Threat Model
- ๐ช๐บ EU Parliament Monitor: Security Architecture โข Future Security โข Threat Model
- ๐ณ๏ธ Riksdagsmonitor: Security Architecture โข Future Security โข Threat Model
๐ฏ Threat Modeling Maturity Matrix:
๐ Evidence Dashboard
๐ Security Excellence Metrics:
| Evidence Category | CIA | Black Trigram | CIA Compliance Manager | EP MCP Server | EU Parliament Monitor | Riksdagsmonitor |
|---|---|---|---|---|---|---|
| ๐ก๏ธ Threat Models | THREAT_MODEL.md | THREAT_MODEL.md | THREAT_MODEL.md | THREAT_MODEL.md | THREAT_MODEL.md | THREAT_MODEL.md |
| ๐๏ธ Security Architecture | SECURITY_ARCHITECTURE.md | SECURITY_ARCHITECTURE.md | SECURITY_ARCHITECTURE.md | SECURITY_ARCHITECTURE.md | SECURITY_ARCHITECTURE.md | SECURITY_ARCHITECTURE.md |
| โ๏ธ CRA Assessment | CRA-ASSESSMENT.md | CRA-ASSESSMENT.md | CRA-ASSESSMENT.md | CRA-ASSESSMENT.md | CRA-ASSESSMENT.md | CRA-ASSESSMENT.md |
| ๐ Security Policy | SECURITY.md | SECURITY.md | SECURITY.md | SECURITY.md | SECURITY.md | SECURITY.md |
| ๐ท๏ธ License | LICENSE | LICENSE | LICENSE | LICENSE | LICENSE | LICENSE |
๐ Live Security Monitoring:
- ๐ GitHub Security: Organization-wide security posture via Security Overview
- ๐ฏ OpenSSF Tracking: Continuous scorecard monitoring across all repositories
- โ๏ธ FOSSA Compliance: Real-time license compliance status for all projects
- ๐ก๏ธ Vulnerability Management: Active security advisory and dependabot integration
๐ Compliance Monitoring & Metrics
๐ฏ Key Performance Indicators
Tracked via Security Metrics:
- OpenSSF Score: Target โฅ7.0 for all repositories
- License Compliance: 100% FOSSA approval rate
- Vulnerability Response: SLA compliance rate โฅ95%
- Documentation Coverage: 100% of repos with required artifacts
- CRA Readiness: Complete self-assessments for EU market products
- Threat Model Coverage: 100% of products with public threat analysis
๐ Live Compliance Dashboard:
- ๐๏ธ CIA: OpenSSF Scorecard โข CII Best Practices
- ๐ฎ Black Trigram: OpenSSF Scorecard โข CII Best Practices
- ๐ CIA Compliance Manager: OpenSSF Scorecard โข CII Best Practices
- ๐ช๐บ EP MCP Server: OpenSSF Scorecard
- ๐ช๐บ EU Parliament Monitor: OpenSSF Scorecard
- ๐ณ๏ธ Riksdagsmonitor: OpenSSF Scorecard
๐ Continuous Monitoring
- Weekly: Automated security scanning results review
- Monthly: License compliance report from FOSSA
- Quarterly: Policy compliance assessment
- Annually: Strategic open source review
๐ Monitoring Evidence:
- GitHub Organization Security: Security Overview โข Risk Dashboard
- Workflow Runs: CIA Actions โข Black Trigram Actions โข CIA Compliance Manager Actions โข EP MCP Server Actions โข EU Parliament Monitor Actions โข Riksdagsmonitor Actions
- Release History: CIA Releases โข Black Trigram Releases โข CIA Compliance Manager Releases โข EP MCP Server Releases โข EU Parliament Monitor Releases โข Riksdagsmonitor Releases
๐ Public Transparency Dashboard
Live metrics available at:
- Security Metrics Dashboard
- ISMS Transparency Plan
- Individual project documentation portals:
- ๐๏ธ CIA: Documentation Portal โข API Documentation
- ๐ฎ Black Trigram: Documentation Portal โข Game Portal
- ๐ CIA Compliance Manager: Documentation Portal โข Live Demo
- ๐ช๐บ EP MCP Server: Documentation Portal โข API Docs
- ๐ช๐บ EU Parliament Monitor: Live Platform โข Documentation Portal
- ๐ณ๏ธ Riksdagsmonitor: Live Platform
๐ Integration with SDLC
This policy integrates with our development lifecycle as defined in Secure Development Policy:
๐ Planning Phase
- License strategy selection based on business goals
- Security architecture documentation requirements
- Community engagement planning
๐ Planning Evidence:
- Architecture Docs: CIA Architecture โข Black Trigram Architecture โข CIA Compliance Manager Architecture โข EP MCP Server Architecture โข EU Parliament Monitor Architecture โข Riksdagsmonitor Architecture
- Future Planning: CIA Future Architecture โข Black Trigram Future โข CIA Compliance Manager Future โข EP MCP Server Future โข EU Parliament Monitor Future โข Riksdagsmonitor Future
๐ป Development Phase
- Continuous license scanning via FOSSA
- Security testing per SDLC requirements
- Documentation maintained alongside code
๐ Development Evidence:
- Test Plans: CIA Unit Tests โข Black Trigram Tests โข CIA Compliance Manager Tests
- E2E Testing: CIA E2E Plan โข Black Trigram E2E โข CIA Compliance Manager E2E
๐ Release Phase
- SBOM generation and publication
- Artifact signing and attestation
- Security badge verification
๐ Release Evidence:
- Attestations: CIA Attestations โข Black Trigram Attestations โข CIA Compliance Manager Attestations โข EP MCP Server Attestations โข EU Parliament Monitor Attestations โข Riksdagsmonitor Attestations
- Package Registries: Maven Central โข NPM Registry
๐ง Maintenance Phase
- Vulnerability monitoring and patching
- License compliance updates
- Community support and engagement
๐ Maintenance Evidence:
- Security Advisories: CIA Advisories โข Black Trigram Advisories โข CIA Compliance Manager Advisories โข EP MCP Server Advisories โข EU Parliament Monitor Advisories โข Riksdagsmonitor Advisories
- Issue Tracking: CIA Issues โข Black Trigram Issues โข CIA Compliance Manager Issues โข EP MCP Server Issues โข EU Parliament Monitor Issues โข Riksdagsmonitor Issues
๐จ Exception Management
๐ Exception Request Process
- Document business justification
- Identify compensating controls
- Define exception duration
- Submit to CEO for approval
โฑ๏ธ Exception Types
- Temporary: Maximum 90 days for specific issues
- Project-specific: Limited to single repository
- Strategic: Long-term exceptions with quarterly review
๐ Exception Tracking
- Documented in Risk Register
- Reviewed quarterly
- Reported in Security Metrics
๐ Related Documents
๐ Core Security Integration
- ๐ฏ Information Security Strategy โ AI-first operations, Pentagon framework, and strategic open source direction
- ๐ Information Security Policy โ Overall security governance with AI-First Operations Governance
- ๐ค AI Policy โ AI-assisted open source security scanning and governance
- ๐ ๏ธ Secure Development Policy โ Development lifecycle security
- ๐ Vulnerability Management โ Security testing and remediation
- ๐ Change Management โ Controlled modification procedures
๐ Compliance & Classification
- ๐ท๏ธ Classification Framework โ Impact and classification methodology
- ๐ท๏ธ Data Classification Policy โ Information handling requirements
- โ Compliance Checklist โ Regulatory requirement tracking
๐ค Third-Party Management
- ๐ค Third Party Management โ Supplier risk procedures
- ๐ Supplier Security Posture โ Third-party assessments
- ๐ค External Stakeholder Registry โ Professional communities and OSPO network engagement
๐ Monitoring & Reporting
- ๐ Security Metrics โ Performance measurement
- ๐ Risk Register โ Risk tracking and treatment
- ๐ ISMS Transparency Plan โ Public disclosure strategy
๐ Document Control:
โ
Approved by: James Pether Sรถrling, CEO
๐ค Distribution: Public
๐ท๏ธ Classification:
๐
Effective Date: 2026-06-28
โฐ Next Review: 2027-06-28
๐ฏ Framework Compliance: