diff --git a/docs/SecureSoftwareGuidingPrinciples.md b/docs/SecureSoftwareGuidingPrinciples.md index a7eed949..1c8f7249 100644 --- a/docs/SecureSoftwareGuidingPrinciples.md +++ b/docs/SecureSoftwareGuidingPrinciples.md 
@@ -1,6 +1,6 @@ # Secure Software Development Guiding Principles version 1.0 -The Secure Software Development Guiding Principles (SSDGP) are a series of core tenants that producers and suppliers of software can pledge to align with and follow through out their development lifecycles. The principles describe a series of foundational practiFces that, if followed, can help provide better assurance and security for organizations leveraging them. The Guiding Principles are a companion piece to the OpenSSF End User Working Group's [Open Source Consumption Manifesto](https://github.com/ossf/wg-endusers/tree/main/MANIFESTO), which focuses on individuals and organizations using (aka consuming) open source software) We welcome every organziation producing and supplying software that uses open source components to consider following and signing on endorsing these great practices. +The Secure Software Development Guiding Principles (SSDGP) are a series of core tenants that producers and suppliers of software can pledge to align with and follow through out their development lifecycles. The principles describe a series of foundational practices that, if followed, can help provide better assurance and security for organizations leveraging them. The Guiding Principles are a companion piece to the OpenSSF End User Working Group's [Open Source Consumption Manifesto](https://github.com/ossf/wg-endusers/tree/main/MANIFESTO), which focuses on individuals and organizations using (aka consuming) open source software) We welcome every organization producing and supplying software that uses open source components to consider following and signing on endorsing these great practices. 
**As developers of software, we are committed to enhancing the security and transparency of the software supply chain by pledging the following for all software we produce, both proprietary and open source, whether embedded in a device, released on a standalone basis, or designed to operate as a service, with the goal of creating software that is secure by default:** 
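Review bot: the fixes for "practiFces" and "organziation" are correct, but the same sentence in this hunk still carries three more defects that a typo-fix commit should pick up: "core tenants" should read "core tenets", "through out their development lifecycles" should be "throughout", and there is an unbalanced closing parenthesis after "open source software)" (the opening paren before "aka consuming" is already closed, so the second ")" should be dropped or the sentence ended with a period). "signing on endorsing these great practices" also reads awkwardly; suggest "signing on to endorse these practices".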
@@ -9,7 +9,7 @@ The Secure Software Development Guiding Principles (SSDGP) are a series of core 3. To learn the most common kinds of vulnerabilities and to take steps to make them unlikely or limit their impact. 4. To check for and address known and potential critical vulnerabilities prior to releasing software, then monitor for vulnerabilities subsequently through out the supported life of the product. 5. To harden and secure our software development infrastructure against compromise or infiltration against the same principles, practices, and expectations set for the software developed on and built from them. -6. To prioritize the sourcing of software from suppliers and developers who also pledge to develop in conformance with the Secure Software Development Guiding Principles, and from projects that publicly report security health metrics and adopt controls to prevent tampering of software packages, and that actively address known/discovered malicous software. +6. To prioritize the sourcing of software from suppliers and developers who also pledge to develop in conformance with the Secure Software Development Guiding Principles, and from projects that publicly report security health metrics and adopt controls to prevent tampering of software packages, and that actively address known/discovered malicious software. 7. To provide software supply chain understandability to consumers of our software consistent with evolving industry standards, practices, and tooling. 8. To manage responsible vulnerability disclosure programs that are inclusive of upstream dependencies and have publicly documented vulnerability reporting and remediation policies. 9. To publish security advisories consistent with evolving industry best practices.
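Review bot: the "malicous" correction is fine, but the unchanged context in this hunk has the same "through out" misspelling in item 4 ("monitor for vulnerabilities subsequently through out the supported life"), which should become "throughout" in this commit. Item 5 also reads "against compromise or infiltration against the same principles", a doubled "against" that makes the sentence hard to parse; suggest "against compromise or infiltration, applying the same principles, practices, and expectations set for the software developed on and built from them".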