ossf · jeffmendoza · Oct 14, 2025 · Oct 14, 2025 · Oct 14, 2025 · gkunz
@@ -0,0 +1,111 @@
+# 2025 Q4 Securing Critical Projects Working Group
+
+## Overview
+
+Most activity under Malicious Packages project. Criticality score continues to run.
+
+[2025-Q3 Update](2025-Q3-SCP-WG.md)
+
+## Identifying Critical Projects
+
+### Purpose
+
+Open Source Software has long suffered from a "tragedy of the commons"
+problem. Organizations large and small make use of OSS every day, but many
+projects are struggling for the time, resources and attention they need.
+
+This is a resource allocation problem - and we can help solve it together. We
+need ways to connect critical projects we all rely on with organizations that
+can provide them with support.
+
+[MVSR Link](https://github.com/ossf/wg-securing-critical-projects/blob/main/MVSR.md)
+
+### Current Status
+
+- Nothing currently active
+- Recurring discussions on new methodology enhancing the current set with metadata
+
+### Up Next
+
+- 
+
+## Criticality Score
+
+### Purpose
+
+1. Generate a criticality score for every open source project.
+
+1. Create a list of critical projects that the open source community depends
+   on.
+
+1. Use this data to proactively improve the security posture of these critical
+   projects.
+
+### Current Status
+
+- Run not working regularly, but get a successful run here and there
+- Looking to see how could be used in LFX insights
+
+### Up Next
+
+- Improve reliability
+
+## Package Analysis
+
+### Purpose
+
+The Package Analysis project analyses the capabilities of packages available on
+open source repositories. The project looks for behaviors that indicate
+malicious software:
+
+- What files do they access?
+- What addresses do they connect to?
+- What commands do they run?
+
+The project also tracks changes in how packages behave over time, to identify
+when previously safe software begins acting suspiciously.
+
+This effort is meant to improve the security of open source software by
+detecting malicious behavior, informing consumers selecting packages, and
+providing researchers with data about the ecosystem.
+
+### Current Status
+
+- No major updates
+
+## Malicious Packages
+
+### Purpose
+
+Malicious Packages is a collection of reports of malicious packages identified in
+Open Source package repositories, consumable via the Open Source Vulnerability
+(OSV) format.
+
+The aim of this project and repository is to be a comprehensive, high quality, open source database of reports of malicious packages published on open source package repositories.
+
+These public reports help protect the open source community, and provide a data source for the security community to improve their ability to find and detect new open source malware.
+
+### Current Status
+
+- Regular submissions and activity
+- Split from Package Analysis, now own project. Project docs updated
+- Working on basic site for viewing JSON stats
+- Adding support for malicious git repositories
+
+### Up Next
+
+- Promotion/outreach
+
+## OSTIF Managed Audit Program
+
+### Current Status
+
+- Multiple security audit results released
+- Published OpenSSF Security Scorecard Audit Results! https://openssf.org/blog/2025/10/10/openssf-scorecard-audit-is-complete/
+- Published "The Bridge to Improving Security: How OSTIF Helps Foundations" https://ostif.org/ostif-helps-foundations/
+- Published a supplemental Documentation Audit for PHP: https://ostif.org/php-documentation-audit-complete/
+- Published results for the GNU libmicrohttpd2 Audit: https://ostif.org/gnu-libmicrohttpd2-audit-complete/
+
+### Up Next
+
+-