OBL-ART24-01 (Binding)

Establish and document a cybersecurity policy for open-source software

Applies to
Open-source steward
Source reference
Art. 24(1)
Product category
default, important-class-i, important-class-ii, critical
Last reviewed

Plain language

As an OSS steward, you must have a written cybersecurity policy that covers how your project develops secure software and how it handles security vulnerabilities when they are discovered. This does not need to be a corporate-style compliance document — it can be a SECURITY.md file, a project security policy, or similar — but it must exist and be documented. The policy must address both secure development practices and vulnerability handling.

Legal text

Article 24(1) of Regulation (EU) 2024/2847 provides that open-source software stewards shall put in place and document a cybersecurity policy to foster the development of a secure product with digital elements, including the open-source software components they provide, and to handle vulnerabilities in an effective manner in accordance with Article 13(6) as it applies to them.

The cybersecurity policy shall address, at minimum:

  • the secure development practices applied to the open-source software;
  • the vulnerability handling process, including coordinated disclosure.

Key requirements

  1. Written policy — must be documented (not merely an informal practice)
  2. Secure development coverage — policy addresses how security is considered during development of the OSS component
  3. Vulnerability handling — policy covers how vulnerabilities are received, triaged, addressed, and disclosed
  4. Coordinated disclosure process — clear process for security researchers and users to report vulnerabilities (e.g. SECURITY.md, vulnerability disclosure policy)
  5. Kept up to date — policy should evolve as the project and threat landscape change

Evidence you may need

  • Published security policy document (e.g. SECURITY.md in source repository)
  • Vulnerability disclosure policy or coordinated disclosure process document
  • Secure development guidelines referenced or applied by the project
  • Evidence that the policy is actively followed (e.g. closed CVEs via disclosure process)
Establish and document a cybersecurity policy for open-source software — CRA Compliance Centre