The Core Infrastructure Initiative (CII) Badge Program is a free program designed with the open source community with criteria that evolves to allow for compensating controls rather than a strict mechanical process.

The Best Practices Badge is an open source secure development maturity model. Projects having a CII badge will showcase the project's commitment to security. Open source project maintainers answer a short questionnaire to be awarded a "Best Practices Badge". The CII Best Practices Badge is inspired by the multitude of badges available to projects on Github. Examples of initial criteria include basic open source development practices (website, open source license, and user engagement), use of change control tools, attention to quality (automated test suite), and focus on security (secure project delivery method, use of dynamic and static analysis tools, as appropriate for the project). Consumers of the badge will be able to quickly assess which open source projects care about security conscious development. The goal of the first release of the criteria is to codify existing practices used by open source projects big and small. Future tiered badges may add advanced criteria for differentiation. This discussion is ongoing and you are invited to make your voice heard.

Review the criteria  and submit pull requests or file issues for areas where you would like to see refinement. You may provide feedback about the criteria on the cii-badges mailing list.

Get Your Badge!