🔓 Open Source Policy Skill

🎯 Purpose

This skill ensures all open source activities demonstrate security excellence through transparency as defined in the Hack23 Open Source Policy. It applies to all Hack23-owned repositories, external contributions, and third-party open source usage.

Core principle: Open source transparency creates competitive advantage through systematic security excellence and publicly verifiable governance.

📋 Rules

🎖️ Security Posture Evidence (Required Badges)

MUST display these security badges in README.md:

🏆 Security Assessment Badges

• OpenSSF Scorecard: Supply chain security assessment ≥7.0 score

• CII Best Practices: At least "Passing" level

• SLSA Level 3: Build provenance and integrity attestation

• Quality Gate: SonarCloud or equivalent showing "Passed" status

📊 License Compliance Badges

• FOSSA Status: License scanning and compliance verification

• REUSE Compliant: Clear licensing information for all files

• License Badge: Clear display of repository license

MUST NOT:

• Release repositories without security badges configured

• Display badges that show "failing" status without remediation plan

• Use placeholder badges with no actual integration

📜 Approved Open Source Licenses

✅ APPROVED for Hack23 projects:

🟢 Permissive Licenses (Preferred)

• Apache-2.0 ⭐ (Hack23 standard) - Patent grant, commercial-friendly

• MIT - Simple and permissive

• BSD-3-Clause - Minimal restrictions

• ISC - Functionally identical to MIT

🟡 Copyleft Licenses (Conditional)

• GPL-3.0 - Strong copyleft, requires CEO approval

• LGPL-3.0 - Library copyleft, requires CEO approval

• AGPL-3.0 - Network copyleft, internal use only with CEO approval

• MPL-2.0 - File-level copyleft, automatic approval

❌ PROHIBITED:

• Proprietary licenses without legal review

• CC-BY-NC (Non-Commercial)

• SSPL, BSL, PolyForm (source-available, not OSS)

• JSON License ("Good not Evil" clause)

• Unlicensed code

MUST:

• Use Apache-2.0 for all new Hack23 projects

• Include SPDX license identifier in all source files

• Verify license compatibility before adding dependencies

• Obtain CEO approval for copyleft licenses

🔍 Dependency Management

MUST:

• Generate SBOM (Software Bill of Materials) in CycloneDX or SPDX format

• Enable Dependabot or Renovate for automated updates

• Merge security updates within 7 days (Critical) or 30 days (High)

• Use package lock files (package-lock.json, Pipfile.lock, go.sum)

• Scan dependencies with FOSSA or equivalent

MUST NOT:

• Add dependencies without license verification

• Use dependencies with known critical vulnerabilities

• Ignore Dependabot alerts

🤝 Community Standards

MUST include in repository:

• CONTRIBUTING.md - Contribution guidelines, DCO/CLA requirements

• CODE_OF_CONDUCT.md - Contributor Covenant 2.1 or equivalent

• SECURITY.md - Vulnerability disclosure (security@hack23.com)

• LICENSE - Apache-2.0 with copyright notice

• README.md - Security badges, features, usage, contributing

🛡️ Security Scanning (CI/CD)

MUST configure:

• CodeQL - SAST on every PR

• Secret scanning - GitHub Advanced Security

• Dependabot - Dependency and security updates

• FOSSA - License compliance

• SonarCloud - Quality gate (A rating, 0 vulnerabilities)

MUST NOT:

• Bypass security scan failures without CEO approval

• Disable security features

• Commit secrets (immediate rotation required)

For complete examples and detailed requirements, see Hack23 Open Source Policy.

🔗 Related ISMS Policies

• Open Source Policy - Primary governance policy

• Secure Development Policy - Architecture documentation

• STYLE_GUIDE.md - Documentation standards and icons

🎯 Compliance Mapping

ISO 27001:2022

• A.5.13 (Labeling), A.8.9 (Configuration), A.8.25 (Secure SDLC)

NIST CSF 2.0

• ID.AM-2 (Software inventory), PR.DS-6 (Integrity checking), PR.IP-2 (SDLC)

CIS Controls v8.1

• Control 2 (Software inventory), Control 16 (Application security)