From 35034df1cae5f8d35c37373ac3553e34da1e096f Mon Sep 17 00:00:00 2001
From: Chris Swan <478926+cpswan@users.noreply.github.com>
Date: Wed, 21 Aug 2024 14:26:59 +0100
Subject: [PATCH] docs: Clarify OpenSSF Best Practices vs Scorecard

SECURITY.md has a recently added section titled OpenSSF Scorecard that
actually documents OpenSSF Best Practices. Scorecard [0] is a different
OpenSSF project, that incorporates Best Practices, but is distinct in its
objectives and how it achieves them.

This change clarifies the terminology, and also removes any implication
that Gold Best Practices is an award rather than a self certification
programme.

As curl was a leader in implementing Best Practices some folk may be more
familiar with the earlier Core Infrastructure Initiative (CII) naming, so
a reference to that has been added.

[0] https://scorecard.dev/

Signed-off-by: Chris Swan <478926+cpswan@users.noreply.github.com>
Ref: #14319
Closes #14635
---
 SECURITY.md | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index fca756dabfa9..64e0d2feabba 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -15,13 +15,15 @@ libcurl, report it on [HackerOne](https://hackerone.com/curl). We treat security issues with confidentiality until controlled and disclosed responsibly. -## OpenSSF Scorecard - -curl has earned Gold status on the OpenSSF Best Practices, reflecting its adherence to -rigorous security and best practice standards. This achievement highlights curl's -comprehensive documentation, secure development processes, effective change control -mechanisms, and strong maintenance routines. Meeting these criteria demonstrates curl's -commitment to security and reliability, ensuring the project's sustainability and -trustworthiness. This recognition by OpenSSF underscores curl's role as a leader in -open-source software practices. More information can be found on -their [OpenSSF page](https://www.bestpractices.dev/projects/63). +## OpenSSF Best Practices + +curl has achieved Gold status on the Open Source Security Foundation (OpenSSF) +[Best Practices](https://bestpractices.dev/) (formerly Core Infrastructure +Initiative Best Practices), reflecting its adherence to rigorous +security and best practice standards. This achievement highlights curl's +comprehensive documentation, secure development processes, effective change +control mechanisms, and strong maintenance routines. Meeting these criteria +demonstrates curl's commitment to security and reliability, ensuring the +project's sustainability and trustworthiness. This underscores curl's role as +a leader in open-source software practices. More information can be found on +[curl's OpenSSF Best Practices project page](https://www.bestpractices.dev/projects/63).
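Review bot: the rewritten paragraph in this hunk still presents the Gold badge as something conferred ("curl has achieved Gold status", "This achievement highlights", "This underscores curl's role as a leader"), which is the award framing the commit message says it wants to remove; since Best Practices is a self-certification questionnaire, consider stating that directly, e.g. "curl self-certifies at the Gold level of the OpenSSF Best Practices badge programme" and dropping the "leader in open-source software practices" sentence, which is not something the badge attests. Two smaller points: the two links use different hosts (`https://bestpractices.dev/` for the programme, `https://www.bestpractices.dev/projects/63` for the project page), so pick one form for both; and, given the commit message's point that Scorecard is a distinct project, one sentence noting that this section is about Best Practices and not Scorecard would stop the old confusion from being reintroduced.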