Open_Source_Policy.md

June 28, 2026 ยท View on GitHub

Hack23 Logo

๐Ÿ”“ Hack23 AB โ€” Open Source Policy

๐Ÿ›ก๏ธ Demonstrating Security Excellence Through Transparent Open Source
๐ŸŽฏ Evidence-Based Governance for Community-Aligned Innovation

Owner Version Effective Date Review Cycle

๐Ÿ“‹ Document Owner: CEO | ๐Ÿ“„ Version: 2.6 | ๐Ÿ“… Last Updated: 2026-06-28 (UTC)
๐Ÿ”„ Review Cycle: Annual | โฐ Next Review: 2027-06-28


๐ŸŽฏ Purpose Statement

Hack23 AB demonstrates that open source transparency creates competitive advantage through systematic security excellence. Our open source policy serves as both operational framework and public demonstration of our cybersecurity consulting expertise.

This policy embodies our ๐ŸŒŸ transparency principle - making security practices publicly verifiable while maintaining ๐Ÿ† competitive advantage through innovative implementations and ๐Ÿค customer trust via demonstrable open source governance.

๐Ÿ“ข Transparency Commitments

  • ๐ŸŽ–๏ธ Public Security Badges: OpenSSF Scorecard, CII Best Practices, FOSSA license compliance demonstrate continuous validation
  • ๐Ÿ—๏ธ Architecture Documentation: Every repository maintains SECURITY_ARCHITECTURE.md per Secure Development Policy
  • ๐Ÿ“Š Compliance Evidence: Real-time security posture through automated badge generation and public metrics
  • ๐Ÿ” Supply Chain Transparency: SBOM generation, dependency tracking, and vulnerability disclosure

โ€” James Pether Sรถrling, CEO/Founder


๐Ÿ” Purpose & Scope

This policy establishes comprehensive governance for creating, maintaining, and contributing to open source projects, ensuring ๐Ÿ”„ operational excellence and ๐Ÿ’ก innovation enablement.

Scope:

  • All Hack23-owned repositories and organizations
  • Forks and derivatives under Hack23 control
  • Contributions made by Hack23 personnel to external projects
  • Third-party open source usage and compliance

Out of scope: Internal-only repositories not intended for public distribution


๐Ÿงญ Core Principles

  1. ๐ŸŒŸ Transparency: Security posture and governance evidence publicly visible through badges and documentation
  2. ๐Ÿ” Security-by-default: Preventive controls per Secure Development Policy with evidence-based validation
  3. โœ… Compliance-first: License compliance via FOSSA, REUSE, and automated scanning
  4. ๐Ÿค Community respect: Follow upstream guidelines, maintain attribution, enforce code of conduct
  5. ๐Ÿ“Š Evidence-based: All security claims backed by public badges, reports, and metrics

๐Ÿ‘ค Roles & Responsibilities

CEO/Founder

  • Policy owner and final arbiter on licensing decisions
  • Exception approver for license conflicts or security issues
  • Strategic open source direction and partnership decisions

Repository Maintainer

  • Ensures policy compliance through badge integration
  • Maintains security documentation per Secure Development Policy
  • Manages vulnerability disclosure and remediation

Contributors

  • Adheres to repository CONTRIBUTING.md and CODE_OF_CONDUCT.md
  • Ensures license compatibility before introducing dependencies
  • Reports security issues through proper channels

๐Ÿ“œ Policy Requirements

๐ŸŽ–๏ธ 1) Security Posture Evidence

All repositories MUST demonstrate security excellence through public badges and metrics:

๐Ÿ† Required Security Badges

  • OpenSSF Scorecard: Supply chain security assessment โ‰ฅ7.0 score
  • CII Best Practices: Open source maturity at least "Passing" level
  • SLSA Level 3: Build provenance and integrity attestation
  • Quality Gate: SonarCloud or equivalent showing "Passed" status

๐Ÿ“Š License Compliance Badges

  • FOSSA Status: License scanning and compliance verification
  • REUSE Compliant: Clear licensing information for all files
  • License Badge: Clear display of repository license

๐Ÿ“Š Reference Implementation

๐Ÿ›๏ธ Citizen Intelligence Agency: OpenSSF Scorecard CII Best Practices SLSA 3 Quality Gate Status FOSSA Status Threat Model STRIDE Analysis Attack Trees

๐ŸŽฎ Black Trigram: OpenSSF Scorecard CII Best Practices SLSA 3 Quality Gate Status FOSSA Status Security Rating License Threat Model Gaming Security Cultural Heritage

๐Ÿ“Š CIA Compliance Manager: OpenSSF Scorecard CII Best Practices SLSA 3 Quality Gate Status FOSSA Status Security Rating License Threat Model Risk Assessment Mitigations

๐Ÿ‡ช๐Ÿ‡บ European Parliament MCP Server: OpenSSF Scorecard CII Best Practices SLSA 3 License Security Architecture Threat Model CRA Self Assessment Complete Documentation

๐Ÿ‡ช๐Ÿ‡บ EU Parliament Monitor: OpenSSF Scorecard CII Best Practices SLSA 3 License Security Architecture Threat Model CRA Self Assessment Complete Documentation

๐Ÿ—ณ๏ธ Riksdagsmonitor: OpenSSF Scorecard CII Best Practices SLSA 3 License Security Architecture Threat Model CRA Self Assessment Complete Documentation


๐Ÿ“‹ 2) Governance Artifacts

Every repository MUST maintain comprehensive governance documentation:

๐Ÿ” Security Documentation Requirements

Per Secure Development Policy:

  • SECURITY_ARCHITECTURE.md: Current security implementation with Mermaid diagrams
  • FUTURE_SECURITY_ARCHITECTURE.md: Planned security improvements roadmap
  • SECURITY.md: Coordinated vulnerability disclosure process
  • WORKFLOWS.md: CI/CD pipeline documentation with security gates

๐Ÿ“Š Implementation Evidence:

๐Ÿ“œ License & Compliance Documentation

  • LICENSE: OSI-approved license clearly stated
  • NOTICE: Attribution for third-party components
  • LICENSES/: Directory containing all dependency licenses (automated via FOSSA)
  • .reuse/dep5: Machine-readable licensing information
  • CRA-ASSESSMENT.md: EU Cyber Resilience Act compliance assessment

๐Ÿ“Š Implementation Evidence:

๐Ÿค Community Documentation

  • CODE_OF_CONDUCT.md: Community behavior standards
  • CONTRIBUTING.md: Contribution guidelines and requirements
  • README.md: Must include "Project Classification" section per Classification Framework

๐Ÿ“Š Implementation Evidence:


๐Ÿ”’ 3) Security Implementation Requirements

๐Ÿ›ก๏ธ Supply Chain Security

Aligned with Secure Development Policy:

  • SBOM Generation: CycloneDX or SPDX format for all releases
  • Dependency Scanning: Automated vulnerability detection via Dependabot/Renovate
  • License Scanning: FOSSA integration for continuous compliance monitoring
  • Artifact Signing: Sigstore/cosign for release integrity

๐Ÿ“Š Implementation Evidence:

๐Ÿ” Vulnerability Management

Per Vulnerability Management SLAs:

  • Critical: Remediation within 24 hours
  • High: Remediation within 7 days
  • Medium: Remediation within 30 days
  • Low: Remediation within 90 days

๐Ÿ“Š Live Security Status:

๐Ÿ“Š Security Testing Integration

As defined in Secure Development Policy:

  • SAST: SonarCloud or equivalent on every commit
  • SCA: Dependency vulnerability scanning
  • Secret Scanning: GitHub secret scanning or equivalent
  • DAST: OWASP ZAP for web applications

๐Ÿ“Š Testing Evidence:


๐Ÿ“Š 4) License Compliance Framework

โœ… Approved Licenses (Pre-approved)

  • Permissive: MIT, Apache 2.0, BSD (2/3-clause), ISC
  • Weak Copyleft: LGPL 2.1/3.0, MPL 2.0, EPL 2.0
  • Documentation: CC-BY-4.0, CC-BY-SA-4.0

โš ๏ธ Review Required Licenses

  • Strong Copyleft: GPL 2.0/3.0, AGPL 3.0 (CEO approval required)
  • Non-standard: Custom or modified licenses
  • Commercial: Dual-licensed components

โŒ Prohibited Licenses

  • Licenses with advertising clauses
  • Licenses incompatible with our primary license
  • Licenses with unclear terms or missing attribution

๐Ÿ” License Compliance Validation

  • Automated Scanning: FOSSA runs on every pull request
  • Manual Review: Required for license conflicts or exceptions
  • Compliance Reports: Monthly FOSSA reports reviewed by CEO
  • Attribution Management: Automated NOTICE file generation

๐Ÿ“Š FOSSA Integration Evidence:

  • ๐Ÿ›๏ธ CIA: FOSSA Status โ€ข License Report
  • ๐ŸŽฎ Black Trigram: FOSSA Status โ€ข License Report
  • ๐Ÿ“Š CIA Compliance Manager: FOSSA Status โ€ข License Report
  • ๐Ÿ‡ช๐Ÿ‡บ EP MCP Server: License
  • ๐Ÿ‡ช๐Ÿ‡บ EU Parliament Monitor: License
  • ๐Ÿ—ณ๏ธ Riksdagsmonitor: License

๐Ÿท๏ธ 5) Classification & Documentation

Per Classification Framework:

๐Ÿ“‹ Required Classification Elements

Each project README MUST declare:

  • CIA Triad: Confidentiality, Integrity, Availability levels
  • Business Impact: Financial, Operational, Reputational, Regulatory
  • RTO/RPO: Recovery objectives aligned with classification
  • Strategic Value: ROI and competitive positioning

๐Ÿ“Š Classification Implementation:

  • ๐Ÿ›๏ธ CIA: README Classification Section โ€ข Links to canonical framework
  • ๐ŸŽฎ Black Trigram: README Classification Section โ€ข References framework definitions
  • ๐Ÿ“Š CIA Compliance Manager: README Classification Section โ€ข Aligned with ISMS standards
  • ๐Ÿ‡ช๐Ÿ‡บ EP MCP Server: README โ€ข ISMS-compliant, GDPR-ready
  • ๐Ÿ‡ช๐Ÿ‡บ EU Parliament Monitor: README โ€ข SLSA Level 3 provenance
  • ๐Ÿ—ณ๏ธ Riksdagsmonitor: README โ€ข Quality checks and dependency review

๐Ÿ” 6) Data Protection Requirements

Aligned with Data Classification Policy:

๐Ÿšซ Prohibited Data in Repositories

  • Personal data (PII/GDPR regulated)
  • Confidential business information
  • Production credentials or API keys
  • Customer data or analytics

โœ… Acceptable Data Practices

  • Anonymized or synthetic test data only
  • Example configurations with placeholder values
  • Documentation with redacted sensitive information
  • Public datasets with appropriate licensing

๐Ÿค 7) Third-Party Contributions

๐Ÿ“ฅ Accepting External Contributions

  • CLA/DCO: Developer Certificate of Origin required
  • License Compatibility: Verify contribution license alignment
  • Security Review: Code review per Change Management
  • Attribution: Maintain CONTRIBUTORS file

๐Ÿ“Š Contribution Evidence:


๐Ÿ›ก๏ธ Security Evidence Framework

๐Ÿ“Š CRA Conformity Assessment Evidence

Demonstrating EU Cyber Resilience Act compliance readiness through systematic self-assessment:

๐Ÿ“Š CRA Assessment Portfolio:

๐Ÿ—๏ธ Security Architecture Excellence

๐Ÿ“Š Architecture Documentation:

๐ŸŽฏ Threat Modeling Maturity Matrix:

ProjectSTRIDE CoverageAttack TreesRisk QuantificationControl MappingPublic Documentation
๐Ÿ›๏ธ CIACompleteDocumentedQuantifiedMappedPublic
๐ŸŽฎ Black TrigramCompleteDocumentedQuantifiedMappedPublic
๐Ÿ“Š CIA ComplianceCompleteDocumentedQuantifiedMappedPublic
๐Ÿ‡ช๐Ÿ‡บ EP MCP ServerCompleteDocumentedQuantifiedMappedPublic
๐Ÿ‡ช๐Ÿ‡บ EU Parliament MonitorCompleteDocumentedQuantifiedMappedPublic
๐Ÿ—ณ๏ธ RiksdagsmonitorCompleteDocumentedQuantifiedMappedPublic

๐Ÿ“Š Evidence Dashboard

๐Ÿ† Security Excellence Metrics:

Evidence CategoryCIABlack TrigramCIA Compliance ManagerEP MCP ServerEU Parliament MonitorRiksdagsmonitor
๐Ÿ›ก๏ธ Threat ModelsTHREAT_MODEL.mdTHREAT_MODEL.mdTHREAT_MODEL.mdTHREAT_MODEL.mdTHREAT_MODEL.mdTHREAT_MODEL.md
๐Ÿ—๏ธ Security ArchitectureSECURITY_ARCHITECTURE.mdSECURITY_ARCHITECTURE.mdSECURITY_ARCHITECTURE.mdSECURITY_ARCHITECTURE.mdSECURITY_ARCHITECTURE.mdSECURITY_ARCHITECTURE.md
โš–๏ธ CRA AssessmentCRA-ASSESSMENT.mdCRA-ASSESSMENT.mdCRA-ASSESSMENT.mdCRA-ASSESSMENT.mdCRA-ASSESSMENT.mdCRA-ASSESSMENT.md
๐Ÿ” Security PolicySECURITY.mdSECURITY.mdSECURITY.mdSECURITY.mdSECURITY.mdSECURITY.md
๐Ÿท๏ธ LicenseLICENSELICENSELICENSELICENSELICENSELICENSE

๐Ÿ” Live Security Monitoring:

  • ๐Ÿ“Š GitHub Security: Organization-wide security posture via Security Overview
  • ๐ŸŽฏ OpenSSF Tracking: Continuous scorecard monitoring across all repositories
  • โš–๏ธ FOSSA Compliance: Real-time license compliance status for all projects
  • ๐Ÿ›ก๏ธ Vulnerability Management: Active security advisory and dependabot integration

๐Ÿ“Š Compliance Monitoring & Metrics

๐ŸŽฏ Key Performance Indicators

Tracked via Security Metrics:

  • OpenSSF Score: Target โ‰ฅ7.0 for all repositories
  • License Compliance: 100% FOSSA approval rate
  • Vulnerability Response: SLA compliance rate โ‰ฅ95%
  • Documentation Coverage: 100% of repos with required artifacts
  • CRA Readiness: Complete self-assessments for EU market products
  • Threat Model Coverage: 100% of products with public threat analysis

๐Ÿ“Š Live Compliance Dashboard:

๐Ÿ“ˆ Continuous Monitoring

  • Weekly: Automated security scanning results review
  • Monthly: License compliance report from FOSSA
  • Quarterly: Policy compliance assessment
  • Annually: Strategic open source review

๐Ÿ“Š Monitoring Evidence:

๐Ÿ“Š Public Transparency Dashboard

Live metrics available at:


๐Ÿ”„ Integration with SDLC

This policy integrates with our development lifecycle as defined in Secure Development Policy:

๐Ÿ“‹ Planning Phase

  • License strategy selection based on business goals
  • Security architecture documentation requirements
  • Community engagement planning

๐Ÿ“Š Planning Evidence:

๐Ÿ’ป Development Phase

  • Continuous license scanning via FOSSA
  • Security testing per SDLC requirements
  • Documentation maintained alongside code

๐Ÿ“Š Development Evidence:

๐Ÿš€ Release Phase

  • SBOM generation and publication
  • Artifact signing and attestation
  • Security badge verification

๐Ÿ“Š Release Evidence:

๐Ÿ”ง Maintenance Phase

  • Vulnerability monitoring and patching
  • License compliance updates
  • Community support and engagement

๐Ÿ“Š Maintenance Evidence:


๐Ÿšจ Exception Management

๐Ÿ“‹ Exception Request Process

  1. Document business justification
  2. Identify compensating controls
  3. Define exception duration
  4. Submit to CEO for approval

โฑ๏ธ Exception Types

  • Temporary: Maximum 90 days for specific issues
  • Project-specific: Limited to single repository
  • Strategic: Long-term exceptions with quarterly review

๐Ÿ“Š Exception Tracking


๐Ÿ” Core Security Integration

๐Ÿ“Š Compliance & Classification

๐Ÿค Third-Party Management

๐Ÿ“ˆ Monitoring & Reporting


๐Ÿ“‹ Document Control:
โœ… Approved by: James Pether Sรถrling, CEO
๐Ÿ“ค Distribution: Public
๐Ÿท๏ธ Classification: Confidentiality: Public
๐Ÿ“… Effective Date: 2026-06-28
โฐ Next Review: 2027-06-28
๐ŸŽฏ Framework Compliance: ISO 27001 NIST CSF 2.0 CIS Controls