[out of date] Open Source Governance for Enterprises

• 1: 1. What is ISO/IEC 5230
• 2: 2. Essential elements
• 3: 3. Team
• 4: 4. Policy
• 5: 5. Process
• 6: 6. Tool
• 7: 7. Training
• 8: 8. Conformance
• 9: Appendix
• 9.1: 1. Open Source Policy (Sample)
• 9.2: 2. Open Source Compliance Process (Sample)

1 - 1. What is ISO/IEC 5230

You can find everything about ISO/IEC 5230 on the OpenChain project website. : https://www.openchainproject.org/

2 - 2. Essential elements

Essential elements of an open source program

You need the following components to build an effective open source governance for your comapny.

Among the above elements, in order to establish an open source governance suitable for all items required by ISO/IEC 5230, a company must have the following five core elements.

1. Team
2. Policy
3. Process
4. Tool
5. Education

3 - 3. Team

Identify the roles and the corresponding responsibilities

In order to establish a company’s open source governance, it is necessary to appoint a person in charge of it. It may be called an open source program manager, an open source compliance officer, etc., and this person in charge is responsible for the overall open source compliance of the company.

A person with the following competencies is suitable for this role.

• Understanding and development experience in the open source ecosystem
• Broad understanding of the company’s business
• Passion and communication skills to spread the effective use of open source to members of the company

An open source program manager should be guaranteed to be able to perform the role as full-time as possible.

Global ICT companies are working hard to hire such excellent open source program managers, and you can check various job postings at the following site. : https://github.com/todogroup/job-descriptions

To establish open source governance, you need to define the needs of each role and determine what responsibilities should be assigned. For small businesses, it is possible for an open source program manager to perform all the roles alone. Depending on the size of the enterprise, an infrastructure person who operates open source tools may be required, and the role of a legal person may be required to provide professional legal advice.

In general, the following roles are required to establish a corporate open source governance system.

• Legal
• Infrastructure
• Development culture
• Security

If you do the above, you can prepare the following evidence required by ISO/IEC 5230.

Define competencies

Once you have defined each role and its responsibilities, you need to figure out what competencies the person performing that role should have. This is because, through this, it is necessary to evaluate whether the person in charge of each role has the capability to perform the role, and if there is not enough, the company must provide the necessary training to him.

If you do this, you can prepare the following evidence required by ISO/IEC 5230.

Identify person or group

The open source program manager, in consultation with the relevant department, designates and documents the person in charge for each role. Of course, for this, it will be necessary to report the goals and directions for establishing an open source compliance system to the top decision makers such as the CEO to receive the necessary support.

Open source-related person and group in charge do not necessarily have to participate in open source work full-time. You can organize a virtual group in the form of an OSRB (Open Source Review Board) and perform the necessary roles.

SK Telecom has formed the OSRB to create open source policies and processes, and prepare countermeasures when issues arise.

If you do this, you can prepare the following evidence required by ISO/IEC 5230.

The table below is a sample representative that specifies the roles of open source-related organizations and people in charge, and the required competencies. You can refer to this and form an open source organization and document it.

This can also be found on this page. : appendix-1-list-of-persons-in-charge

If you organize in this way, you will now meet the following three requirements among the requirements of ISO/IEC 5230.

4 - 4. Policy

Document open source policy

A company should establish, document, and disseminate an open source policy composed of principles for a company to properly use open source in software development, service, and distribution.

Common open source policies include:

• Principles for creating and distributing software products and services using open source
• Principles for contributing to the external open source community
• Principles for releasing open source

The following pages provide sample open source policy documents that meet the requirements of ISO/IEC 5230. : “Appendix 1. Open Source Poicy (Sample)”

Each company can use this sample policy by modifying it according to the company’s business strategy and environment.

If you do this, you can prepare the following evidence required by ISO/IEC 5230.

Define scope

An open source program does not necessarily apply to the entire organization. The scope can be specified differently depending on the characteristics of each organization and product within the company. Different open source programs can be applied to different organizations and products. Similarly, organizations that do not distribute software at all may be excluded from the scope of the open source program. A company can clearly define the scope and limits of the application of an open source program in consideration of the characteristics of the organization and product, and specify it in the open source policy.

As a company’s organization and its products and services change with the business environment, it may be necessary to determine or modify the scope of the program. A company should prepare a procedure to manage it as in the following example.

1. When starting a new project, the open source program manager determines whether the project falls within the scope of the program’s coverage.
2. If it is determined that the project is not included, a proposal to include the project in the scope of application is submitted to the OSRB.
3. If accepted by OSRB, the scope of the open source program will be modified accordingly.
4. Other than that, if the open source program manager determines that it is necessary to review the program scope, it may start the program scope review according to the same process.

The following examples can be included in the open source policy.

2. Scope
This policy applies to the following three parts:

1. Applies to [all products provided or distributed by the company externally]. 
   However, the open source only for internal use is not included in the scope of 
   this policy.
2. Applied when contributing to external open source projects.
3. Applied when releasing internal code as open source.

The scope can be changed according to the business environment of the company, 
and the procedure for this is as follows.

1. If the open source program manager determines that it is necessary to change 
   the scope of policy according to changes in the company's business environment, 
   such as a new business or reorganization, submit a proposal for this to the OSRB.
2. OSRB approves proposals for scope changes at the appropriate level.
3. OSRB modifies the open source policy to change the scope of the policy.

If you do this, you can prepare the following evidence required by ISO/IEC 5230.

Respond to external inquiries

For products or services developed using open source, customers and open source copyright holders may raise open source related inquiries, requests and claims to companies. The main contents of external inquiries and requests are as follows.

• Ask if open source is used for certain products and services
• Request to provide source code under the GPL, LGPL license mentioned in the Written Offer
• A request for a description of the open source found in the product and disclosure of the source code, although not specified in the open source notice
• Request to provide missing files and build methods in the source code published under GPL, LGPL, etc.
• Request for copyright notice

You should designate a contact person to handle these external inquiries. This is usually done by an open source program manager.

In addition, even if an external open source developer wants to contact a company representative to discuss an issue related to a specific company’s open source compliance, they cannot find a way to contact them and eventually file a legal claim. In order to prevent this, you must always disclose publicly how to contact the company from outside to make inquiries and requests related to open source.

To disclose your contact information so that external open source related inquiries can be received, (1) publicly disclosed the email address of the company’s open source program manager, or (2) the Linux Foundation’s [Open Compliance Directory] (https://compliance.linuxfoundation. org/references/open-compliance-directory/).

It is also a good idea to disclose the representative email address of the company open source program office in the open source notice that accompanies the product and service.

These contents can be included in the open source policy as in the example below.

Respond to external inquiries

(1) Responsibility for responding to external inquiries
The open source program manager is responsible for responding 
to inquiries and requests for open source compliance from 
outside.<sub>(3.2.1.2)</sub>

* The open source program manager may assign all or part of 
  the handling of inquiries to appropriate personnel within the 
  company. If necessary, contact the legal team to deal with it.
* Anyone who receives an inquiry about open source compliance 
  from outside will notify the open source program manager so 
  that a prompt response can be made.

(2) Disclosure of contact information
The open source program manager publicly provides the contact 
information of the person in charge so that external inquiries 
and requests related to open source can be submitted to the 
company.<sub>(3.2.1.1)</sub>

* Include the email address of the person in charge in the open 
  source notice.
* Register your contact in the Linux Foundation's Open Compliance 
  Directory.

(3) External Inquiry Response Procedure
If you respond quickly and accurately to open source compliance 
inquiries from outside, you can significantly reduce the risk of 
going to a lawsuit. To this end, in order to respond to external 
open source compliance inquiries, you should follow the external 
inquiry response process defined in the company's open source 
compliance process.<sub>(3.2.1.2)</sub>

If you do this, you can prepare the following evidence required by ISO/IEC 5230.

Provide staff and funding

You must provide sufficient resources for open source programs to function properly. Staff for each role in the program should be appropriately assigned, and sufficient funding and working hours should be ensured. If there is a shortage, there should be a procedure to make up for it. The following example sentences can be added to the open source policy document.

4. Roles, Responsibilities and Competencies

The head of the organization responsible for each role designates 
a person in charge within the organization, and allocates appropriate 
time and budget for the person in charge to fulfill the role.
 * The person in charge of each role should raise an issue with 
   the open source program manager if appropriate support is not 
   provided while performing his/her role.
 * The open source program manager discusses problem solving with 
   the head of the organization. If not properly resolved, the open 
   source program manager may request the OSRB to resolve the issue.
 * OSRB shares the problem with the head of the higher level organization 
   and asks for a solution.

If you do this, you can prepare the following evidence required by ISO/IEC 5230.

Identify Legal Expertise

You should provide a way for the person in charge of each role to seek legal advice when a legal review is needed to resolve an open source compliance issue.

The legal team within the company provides legal advice first, and if the issue is complex, you can seek advice from an external law firm with an open source lawyer. An example of an open source policy for this is as follows.

4. Roles, Responsibilities and Competencies

(2) Open Source Program Manager
* Provides a way to request legal advice on open source.

If you do this, you can prepare the following evidence required by ISO/IEC 5230.

For reference, the OpenChain project provides a list of global law firms that provide open source-related advice through partner programs. : https://www.openchainproject.org/partners

Assigns internal responsibilities

There should be a process for assigning internal responsibilities for open source compliance. This is the role of an open source program manager. The open source program manager must identify the issues and assign them appropriately to the person in charge of each role. To do this, you should include this in your open source policy document as follows:

4. Roles, Responsibilities and Competencies

(2) Open Source Program Manager

The open source program manager is responsible for the overall 
responsibility for the company's open source programs. 
To ensure open source compliance of products and services using 
open source, open source program manager is responsible for:

- Define the roles required for open source compliance, and 
  designate a responsible person and group in charge of each 
  role. Consult with OSRB if necessary.

If you do this, you can prepare the following evidence required by ISO/IEC 5230.

Handle non-compliant cases

Businesses should document procedures for promptly reviewing and responding to non-compliance cases. Refer to the following examples and include them in your open source policy.

6. Use open source

(5) Compliance Issue Remediation Procedure

Should a non-compliance issue be raised, the Open Source Program Manager 
responds promptly by performing the following procedures.

1. Acknowledge receipt of the query and state a reasonable time for resolution;
2. Determine whether the query discloses a genuine issue or not 
   (and if not, respond to the querier accordingly);
3. If the issue is genuine, apply to prioritise, and determine the appropriate response.
4. Carry out response and, where necessary, improve open source compliance processes.
5. Document the above using Jira Tracker.

If you do this, you can prepare the following evidence required by ISO/IEC 5230.

Open Source Contribution Policy

Global IT companies value not only the use of open source to make products and services, but also the strategic value that can be created by contributing to open source projects. However, if you contribute without a sufficient understanding and strategy for the open source project ecosystem and how the community operates, unexpected legal risks may arise and the company’s reputation may be damaged. Therefore, it is important for companies to create strategies and policies for participation and contribution to open source projects.

The following pages provide sample open source contribution policy documents. : 7. Open Source Contribution

If you do this, you can prepare the following evidence required by ISO/IEC 5230.

If you even establish an open source policy that includes the above, the following green items among the ISO/IEC 5230 requirements will be satisfied.

5 - 5. Process

A process is an actionable procedure that enables a company to comply with open source policies during software development/distribution. Simply put, the open source compliance process is an activity to comply with the obligations required by each license for the open source used while developing and distributing software, and it generates artifacts such as open source notices and source code to be disclosed.

If the open source compliance process is subdivided and schematized, it is shown in the figure below.

The image below is a sample open source compliance process that companies can commonly use.

You can refer to the next page for more details on this. : 2. Open Source Compliance Process (Sample)

This chapter describes the elements that an open source compliance process should include.

Identify and audit

In order to determine whether an open source can be used, it is necessary to first identify the license of the open source to be used and check the obligations required by the license. You should review and record whether you used open source, what the licenses are, and what obligations each license gives you. An example of the procedure for this is as follows.

1. The development team makes a preliminary assessment of the license based on the open source policy.
2. In case of any doubt, contact the open source program manager, and if necessary, the open source program manager refers the question to external legal experts.
3. The outcome of any determination, and associated rationale (whether internal or external) is recorded.

The Identification of Open Source, Auditing Source Code, Resolving Issues, Reviews, and Approval steps are an example of a documented process for reviewing and documenting the obligations, restrictions and rights imposed by each identified license.

If you prepare such a procedure, you can prepare the following evidence required by ISO/IEC 5230.

In the open source identification and audit phase, you use a code scan tool to inspect the source code. For details on this, refer to “6. Tool”.

Create Bill of Materials

The most basic of open source compliance activities is to determine open source included in the supplied software. It is necessary to establish a process for creating and managing a Bill of Materials (BOM) containing the information by identifying the open source included in the supplied software and identified license. This is because it is necessary to know which open source is included in each version of the supplied software so that when distributing the software, you can comply with the obligations required by the identified license of each open source.

All open source must be reviewed and approved prior to integration into the supplied software. It should be reviewed in advance whether it can meet license requirements as well as the function and quality of open source. For this, a review request → review → approval process is required.

Appendix 2. Open Source Compliance Process (Sample) explains all the processes for open source compliance. BOM is created and managed through the process from 1. Identification of Open Source to 6. Registration.

The tool for managing the open source BOM is described in detail in “6. Tool”.

In addition, all processes and results of such an open source compliance process should be documented. Rather than using e-mail, it is better to use an issue tracking system such as [Jira] (https://www.atlassian.com/software/jira) and [Bugzilla] (https://www.bugzilla.org/) to effectively document this process.

If you prepare such a procedure, you can prepare the following evidence required by ISO/IEC 5230.

Create Artifacts

As mentioned above, the most basic of open source compliance activities is to determine the open source included in the supplied software. This is to properly meet the open source license requirements, which are the core of open source compliance. In other words, a process for generating a set of compliance artifacts for open source included in the supplied software should be established.

Compliance artifacts are divided into two main categories.

1. Open Source Notice: A document to provide full open source license and copyright information

   

   • The method of automatically generating an open source notice corresponding to an open source BOM is further described in “6. Tool”.

2. Source code package to be disclosed: A package that collects source codes to be disclosed to fulfill open source license obligations that require source code disclosure such as GPL, LGPL, etc.

Compliance artifacts must be provided when distributing supplied software.

In “Appendix 2. Open Source Compliance Process (Sample)”, the compliance artifacts are created and distributed through 7. Notices to 9. Distribution.

When distributing supplied software, if it is difficult to enclose the source code package to be disclosed, it can be replaced by providing a written offer to provide the source code for at least 3 years. Typically, a written offer is provided through the product’s user manual, examples of which are as follows.

The software included in this product contains copyrighted software 
that is licensed under the GPL. A copy of that license is included 
in this document on page X. You may obtain the complete Corresponding 
Source code from us for a period of three years after our last shipment 
of this product, which will be no earlier than 2011-08- 01, by sending 
a money order or check for $5 to:

GPL Compliance Division
Our Company
Any Town, US 99999

Please write“source for product Y” in the memo line of your payment.
You may also find a copy of the source at http://www.example.com/sources/Y/.
This offer is valid to anyone in receipt of this information.

<SFLC Guide to GPL Compliance>

Therefore, a process must be established to store compliance artifacts for at least 3 years. To this end, a company needs to build an open source website, which is described in detail in “6. Tool”.

If you prepare such a procedure, you can prepare the following evidence required by ISO/IEC 5230.

Respond to third party inquiries

It is important for a company to respond to third party inquiries as quickly and accurately as possible in order to avoid legal litigation. For this, a company must have a process that can respond quickly and effectively to third party open source inquiries.

The figure below shows the process a company must have to respond to third party inquiries.

Details can be found in “Appendix 2. Open Source Compliance Process (Sample) 2. External Inquiry Response Process”.

If you prepare such a procedure, you can prepare the following evidence required by ISO/IEC 5230.

Open Source Contribution Process

If you have a policy to allow contributions to external open source projects, there should be a documented procedure to manage how in-house developers can contribute to external projects.

The Open Source Contribution Procedure released by SK telecom is a good example.

https://sktelecom.github.io/guide/contribute/process/

If you prepare such a procedure, you can prepare the following evidence required by ISO/IEC 5230.

If you build the process up to this point, you will comply with the ISO/IEC 5230 requirements as follows.

6 - 6. Tool

Source code scanning tool

You should use a source code scanning tool during the identification of open source and audit phase of the open source compliance process. Source code scanning tools range from freely available, open source-based tools to commercial tools, each with their own strengths and weaknesses, but none of them seem to provide complete functionality to solve all problems. Therefore, companies can choose the appropriate tool for the characteristics and requirements of the product.

Many companies use a combination of these automated source code scanning tools and manual reviews. Linux Foundation’s FOSSology project is an open source source code scanning tool that companies can use for free.

For instructions on how to install and use FOSSology, refer to Get Started.

Dependency analysis tool

In recent software development, build environments that support Package Manager such as Gradle and Maven are used. In such a build environment, even if there is no source code, the required dependency library at build time is received from the remote to compose the supplied software. At this time, the dependency library is included in the supplied software, but it is not detected by the source code scanning tool. Therefore, it is also important to utilize a tool for dependency analysis.

The OSS Review Toolkit provides a dependency analysis tool called Analyzer.

LG Electronics has released FOSSLight Dependency Scanner as an open source. FOSSLight Dependency Scanner supports various package managers such as Gradle, Maven, NPM, PIP, Pub, and Cocoapods.

Open Source BOM Management Tool

3.3.1.2 of the ISO/IEC 5230 standard requires that the open source BOM list included in the supplied software be documented and kept. The open source BOM can also be managed with a spreadsheet program such as Excel. However, if the number and version of supplied software exceed hundreds, it is not easy to manage them manually. Therefore, it is better to use an automated tool to manage it.

SW360, an open source project hosted by the Eclipse Foundation, provides a function to track the list of open source BOM included in the supplied software.

How to install and use SW360 is SW360 wiki

And FOSSLight, an open source released by LG Electronics mentioned above, also provides a function for open source BOM management.

LG Electronics developed FOSSLight on its own and has been managing the open source BOM for supplied software for all business divisions for the past several years, and in June 2021, it announced that it had been released as an open source for anyone to use.

For detailed installation and usage instructions, refer to the following English guide. : https://fosslight.org/fosslight-guide-en/

If you have the above tools, you can prepare the following evidence required by ISO/IEC 5230.

Create artifacts

It is better to use a tool that automatically generates an open source notice, which is an open source compliance product, rather than writing it manually.

You can automatically generate an open source notice by registering an open source BOM using the FOSSLight tool. The open source disclaimer generated by FOSSLight also includes a Written Offer to provide source code.

In addition, SK Telecom is planning to release the open source automatic notice generation tool used in-house.

Archive open source artifacts

It is recommended that companies create an open source website and register open source compliance artifacts to provide convenience so that external customers can download open source notices and source code packages to be disclosed at any time.

You can refer to SK Telecom’s open source website.

In particular, this website was developed as an open source, and since the source code is open, you can easily build a website by referring to it.

If you build a tool environment like this, you can prepare the following evidence required by ISO/IEC 5230.

If you build the tool environment in this way, you will comply with the ISO/IEC 5230 requirements as follows.

7 - 7. Training

Training

No matter how good policies and processes are in place, they will be useless if no one in the company understands and follows them. In order for the open source policy and open source compliance process to work effectively in the company, it is important to educate employees.

You should provide practical methods, such as training and internal wikis, to ensure that all program participants are aware that there is an open source policy within the company and can take necessary actions. Program participants here mean all employees involved in the development, distribution, and contribution of software by a company, including software developers, distribution engineers, and quality engineers.

Many companies publish open source policy documents through their in-house wiki site, so that any employee can see what they need. In addition, training on open source policy is mandatory for new hires during training, and regular training is provided annually or every two years to program participants so that all program participants are aware of the existence of open source policies. . In other words, you should write these methods as the following example and include the open source policy document.

5. Training and Assessment
All program participants should take the open source mandatory 
training provided by [Learning Portal] every year. Through training, 
all participants should be familiar with open source policies and 
processes. Training history is stored in [Learning Portal].

If you build an educational environment like this, you can prepare the following evidence required by ISO/IEC 5230.

In addition, you should ensure that program participants are aware of the company’s open source policies, the relevant open source objectives, the contributions expected to ensure the effectiveness of the Program, and the implications of failing to follow the Program requirements. To this end, you should provide training and conduct assessments to ensure that program participants are properly aware. The assessment results are documented and stored.

To do this, you can include the example below in your company’s open source policy.

1. Purpose

(1) Purpose of the policy<sub>(3.1.3.1)</sub>

This policy provides the following principles for all organizations 
involved in software development, service, and distribution in OOO 
Company (hereinafter referred to as the "Company") to properly utilize 
open source software (hereinafter referred to as "Open Source"). 

1. Principles for open source license compliance
2. Principles for contribution to external open source projects
3. Principles for releasing open source

These principles provide a way for all members of the company to 
understand the value of open source, use it correctly, and contribute 
to the open source community.

(2) Impact of non-compliance
It is important that [COMPANY] adheres to this policy. Failure to do 
so may lead to:
- legal claims from the holders of copyright or other intellectual 
  property rights in code we use
- claims from our customers;
- the inadvertent release of [COMPANY] proprietary code;
- breach of regulatory obligations by [COMPANY] potentially leading to fines;
- loss of reputation;
- loss of revenue;
- breach of contract with suppliers and customers.
For this reason, we take breaches of this policy seriously, and any 
individual breaching the policy may find themselves subject to [COMPANY]'s 
disciplinary procedure.

(3) How to contribute to the effectiveness of the Program

All members of the company can contribute to the effectiveness of the 
program and improvement of the company's compliance level by understanding 
the rationale and content of this policy and faithfully performing the 

Assessment will be described in more detail later.

If you include the content of such education in your policy, you can prepare the following evidence required by ISO/IEC 5230.

Open source training also includes content on the open source contribution policy. Even if an open source contribution policy has been created, if program participants are not aware of its existence, there is a risk of harm to individuals and companies due to unexpected copyright infringement. You should provide open source training so that all program participants are aware of the existence of the open source contribution policy.

If you provide training on the contribution policy in this way, you can prepare the following evidences required by ISO/IEC 5230.

If you want to create a new educational material, it may not be easy for the person in charge who is starting the job for the first time. The OpenChain Project has released the reference training slides for anyone to refer to.

NCSOFT, a Korean game company, has published teaching plans (PPT) and lecture scripts on GitHub so that anyone can use in-house open source educational materials (Korean only).

In addition, Kakao, a representative platform company in Korea, has also released open source training materials for in-house developers so that anyone can refer to it (Korean only).

If you have not yet created training materials, it is also a good way to use open source training materials from these excellent open source management companies.

Assessment

Once you have designated a person in charge for each role, you should ensure that the person assigned is qualified to perform the role based on education, training and experience. Training should also be provided to program participants with insufficient competencies so that they can acquire sufficient competencies. And the company should assess each participant’s competencies and archive the results.

1. Provide training so that each participant has the necessary competencies.
2. Assess based on education content.
3. Keep the assessment results in the company’s training system or HR team.

If it is difficult to provide training because there are more than hundreds of participants in the program, it is also a good idea to use the company’s online training and assessment system.

You can include this in your company’s open source policy as follows.

4. Roles, Responsibilities and Competencies
In order to ensure the effectiveness of the policy, the roles and 
responsibilities and the competencies that the person in charge of 
each role should have are defined as follows.
The person/group in charge of each role and the required competency 
level are defined in [Appendix 1. Status of Person in Charge].

5. Training and Assessment
All members in charge of each role defined in Chapter 4 should take 
the advanced open source training course provided by [Learning Portal]. 
Training history and evaluation results are stored in [Learning Portal] 
for at least 3 years.

If you have this training and evaluation system, you can prepare the following evidence required by ISO/IEC 5230.

Open Source License Guide

To properly comply with open source licenses, you must know exactly what each open source license requires. However, since it is difficult for a software developer to figure it out on their own, it is recommended that an open source program manager identify requirements / conditions for common use cases for frequently used open source licenses and share them within the company.

The Open Source License Guide should include requirements specific to common open source licensing use cases to ensure that software developers use open source and comply with its license obligations properly.

For general guides on open source licenses and summary of license obligations, refer to the Open Source License Checklists provided by the OSADL.

The document Obligations by license in SK Telecom’s open source guide is also a good resource (Korean only).

https://sktelecom.github.io/guide/use/obligation/gpl-2.0/

If you provide this open source licensing guide, you can prepare the following evidence required by ISO/IEC 5230.

If you build an environment for providing training, assessment and guide in this way, you will comply with ISO/IEC 5230 requirements as follows.

8 - 8. Conformance

If you build an open source program (open source policy / process / tool / organization) that complies with all requirements except Article 6 of the ISO/IEC 5230 standard, you can write and publish a document specifying the following two.

1. A document affirming the program specified in requirement §3.1.4 satisfies all the requirements of this specification.
2. A document affirming the program meets all the requirements of this version of the specification (version 2.1), within the past 18 months of obtaining conformance validation

You may include the above document in the open source policy, or you may publish it through an externally public website.

As shown in the image below, you can refer to the content that SK Telecom posted on the open source portal site. https://sktelecom.github.io/en/compliance/iso5230/

If you document that you meet all the requirements of ISO/IEC 5230 in this way, you can prepare the following evidence required by ISO/IEC 5230.

If you’ve made it this far, your company will finally meet all the requirements of ISO/IEC 5230.

9 - Appendix

9.1 - 1. Open Source Policy (Sample)

1. Purpose

(1) Purpose of the policy_(3.1.3.1)

This policy provides the following principles for all organizations involved in software development, service, and distribution in [COMPANY] (hereinafter referred to as the “Company”) to properly utilize open source software (hereinafter referred to as “Open Source”).

1. Principles for open source license compliance
2. Principles for contribution to external open source projects
3. Principles for releasing open source

These principles provide a way for all members of the company to understand the value of open source, use it correctly, and contribute to the open source community.

All members of the company can view the open source policy at the following link on the in-house wiki: [internal_link]_(3.1.1.1)

(2) Impact of non-compliance

It is important that [COMPANY] adheres to this policy. Failure to do so may lead to:

• legal claims from the holders of copyright or other intellectual property rights in code we use
• claims from our customers;
• the inadvertent release of [COMPANY] proprietary code;
• breach of regulatory obligations by [COMPANY] potentially leading to fines;
• loss of reputation;
• loss of revenue;
• breach of contract with suppliers and customers. For this reason, we take breaches of this policy seriously, and any individual breaching the policy may find themselves subject to [COMPANY]’s disciplinary procedure.

(3) How to contribute to the effectiveness of the Program

All members of the company can contribute to the effectiveness of the program and improvement of the company’s compliance level by understanding the rationale and content of this policy and faithfully performing the necessary activities.

2. Scope_(3.1.4.1)

This policy applies to the following three parts:

1. Applies to [all products provided or distributed by the company externally]. However, the open source only for internal use is not included in the scope of this policy.
2. Applied when contributing to external open source projects.
3. Applied when releasing internal code as open source.

The scope can be changed according to the business environment of the company, and the procedure for this is as follows.

1. If the open source program manager determines that it is necessary to change the scope of policy according to changes in the company’s business environment, such as a new business or reorganization, submit a proposal for this to the OSRB.
2. OSRB approves proposals for scope changes at the appropriate level.
3. OSRB modifies the open source policy to change the scope of the policy.

3. Terms

• “compliance artifacts” - a collection of artifacts that represent the output of a compliance program and accompany the supplied software. The collection may include (but is not limited to) one or more of the following: attribution notices, source code, build and install scripts, copy of licenses, copyright notices, modification notifications, written offers, open source component bill of materials, and SPDX documents.
• “open source” - software subject to one or more licenses that meet the Open Source Definition published by the Open Source Initiative (see opensource.org/osd) or the Free Software Definition published by the Free Software Foundation (see gnu.org/philosophy/free-sw.html) or similar license.
• “program” - the set of policies, processes and personnel that comprise an organization’s open source license compliance activities.
• “program participants” - any organization employee or contractor that defines, contributes to or has responsibility for preparing supplied software. Depending on the organization, that may include (but is not limited to) software developers, release engineers, quality engineers, product marketing and product management.
• “SPDX” - the format standard created by the Linux Foundation’s SPDX (Software Package Data Exchange) Working Group for exchanging bill of materials for a given software package, including associated license and copyright information (see spdx.org).
• “supplied software” - software that an organization distributes to third parties (e.g., other organizations or individuals).

4. Roles, Responsibilities and Competencies_(3.1.2.1)

In order to ensure the effectiveness of the policy, the roles and responsibilities and the competencies that the person in charge of each role should have are defined as follows.

The person/group in charge of each role and the required competency level are defined in [Appendix 1. Status of Person in Charge]._(3.1.2.2)

• The open source program manager periodically updates the list according to the company’s business situation._(3.2.2.1)
• The head of the organization responsible for each role designates a person in charge within the organization, and allocates appropriate time and budget for the person in charge to fulfill the role._(3.2.2.2)
  • The person in charge of each role should raise an issue with the open source program manager if appropriate support is not provided while performing his/her role.
  • The open source program manager discusses problem solving with the head of the organization. If not properly resolved, the open source program manager may request the OSRB to resolve the issue.
  • OSRB shares the problem with the head of the higher level organization and asks for a solution.

(1) OSRB

OSRB_{Open Source Review Board} is a consultative body composed of an open source program manager, legal team, patent team, development team, and infrastructure team for the company’s open source compliance.

• Create policies and processes for open source compliance, and define roles and responsibilities within the company to implement them.
• When an open source compliance issue occurs within the company, discuss solutions and prepare countermeasures.
• If necessary, report issues to the executive team to receive feedback on risk mitigation measures.

(2) Open Source Program Manager

The open source program manager is responsible for the overall responsibility for the company’s open source programs. To ensure open source compliance of products and services using open source, open source program manager is responsible for:_(3.2.2.4)

• Define the roles required for open source compliance, and designate a responsible person and group in charge of each role. Consult with OSRB if necessary.
• Supervise and assess open source compliance training.
• Serves as the chair of the OSRB and directs its activities.
• Respond to inquiries and requests related to open source use and compliance from outside.
• Review and approve requests for use of open source.
• Maintain open source BOM records.
• Provides a way to request legal advice on open source._(3.2.2.3)
• Maintain a repository for open source notices and source code disclosure.

(3) OSPO

OSPO_{Open Source Program Office} is responsible for supporting and nurturing the growth of open source activities inside and outside the company.

• Establish, improve and disseminate open source policies.
• Provides a guide for contributing code to external open source projects.
• Provides a guide for releasing an in-house project as an open source.
• Develop and operate an open source portal.
• Develop and select open source tools.
• Sponsor open source project events.
• Manage relationships with the open source community.

(4) Legal team

The legal team provides advice on legal risks and mitigation measures that may arise in the process of using open source, such as interpreting open source licenses and obligations.

• Advise on licensing and intellectual property issues, including conflicts due to incompatible open source licenses.
• When contributing to external open source projects, review necessary legal matters such as open source licenses and CLA_{Contributor License Agreement}.

(5) IT infrastructure team

The IT infrastructure team operates and automates open source analysis tools to build a system so that license analysis is performed automatically for supplied software.

• Operate an open source license analysis tool.
• Automate license analysis by integrating with DevOps.
• Establish systems and processes so that license analysis is performed for supplied software.
• Obtain and maintain an open source BOM for supplied software.

(6) Security Officer

The security officer operates an open source security vulnerability analysis tool to build a system so that security vulnerability analysis is performed smoothly for supplied software.

• Operate an open source security vulnerability analysis tool.
• Automate open source security vulnerability analysis by integrating with DevSecOps.
• Establish systems and processes so that open source security vulnerability analysis is performed for supplied software.

(7) Development Culture

The development culture manager supports developers to actively utilize open source and participate in the open source community to learn a good development culture.

• Encourage developers to participate in the open source community.
• Create a culture where activities in open source projects can be recognized as achievements.
• Create a development culture that can be perceived as an attractive company to open source developers.

(8) Quality Responsible

The organization responsible for quality, such as QA, checks whether the open source license obligations have been properly performed when distributing software.

• Check whether open source compliance activities are performed in accordance with the development process.
• Check that the artifacts are generated as required by the open source license.
• When distributing software, make sure that the open source notice and the source code to be released are provided together.
• If an issue is found, notify the software development/deployment team and guide them to fix the issue immediately.

5. Training and Assessment

All program participants should take the open source mandatory training provided by [Learning Portal] every year. Through training, all participants should be familiar with open source policies and processes. Training history is stored in [Learning Portal]._(3.1.1.2)

All members in charge of each role defined in Chapter 4 should take the advanced open source training course provided by [Learning Portal]. Training history and assessment results are stored in [Learning Portal] for at least 3 years._(3.1.2.3)

6. Use open source

If you use open source to develop and distribute products and services, you should comply with the obligations required by each open source license. The activities that companies perform for this purpose are called open source compliance.

For proper open source compliance activities, software development/distribution organizations should comply with the following:_(3.3.1.1)

• All processes of the open source compliance process are recorded and preserved in Jira Issue Tracker.

(1) Identify open source and review license obligations.

When using open source to develop products / services, first identify what an open source license is, and review and investigate the obligations that the license requires.

The company’s [Open Source License Guide] provides a guide for frequently used open source licenses, and explains the obligations for each type of distribution as follows for each license._(3.3.2.1)

• Distributed in binary form;
• Distributed in source form;
• Integrated with other open source such that it triggers additional licensing obligations;
• Contains modified open source;
• Contains open source or other software under an incompatible license interacting with other components within the supplied software; and/or
• Contains open source with attribution requirements.

Software development/distribution teams can refer to this guide when reviewing their open source license obligations. If you need to review an open source license not mentioned in this guide, contact your open source program manager.

(2) Design software considering open source licenses.

Identify open source dependencies and design your software architecture so that your code is not subject to open source licenses. .

The company’s [Open Source Licensing Guide] describes the source code disclosure scope for each open source license and design methods to prevent disclosure of own code.

(3) Create an open source compliance artifact.

The most basic of open source compliance activities is to identify open sources included in supplied software. This is to properly meet the open source license requirements, which are the core of open source compliance. That is, a set of compliance artifacts for open source included in the supplied software should be generated._(3.4.1.1)

Open source compliance artifacts are divided into two main categories.

1. Open source notice: A document to provide full open source license and copyright notice
2. Source code package to be disclosed: A package that collects source code to be disclosed to fulfill open source license obligations that require source code disclosure such as GPL, LGPL, etc.

To collect, distribute and store these compliance artifacts, the following should be complied with._(3.4.1.2)

• Open source notices or source code packages to be disclosed are collected according to the conditions required by each license. For example, a license requires the accompanying full text of the license, but not just a link.
• Collected artifacts are stored in a separate storage.
• When providing source code to be made public by a written agreement, provide a download link so that the external general public can access the repository of the collected artifacts.

Follow the company’s open source compliance process to create and provide open source compliance artifacts as above.

(4) Create open source Bill of Materials (BOM)

Create and manage the Bill of Materials (BOM) included in the supplied software._(3.3.1.2)

Follow the company’s open source compliance process to create and preserve open source BOMs using open source tools.

(5) Compliance Issue Remediation Procedure

Should a non-compliance issue be raised, the Open Source Program Manager responds promptly by performing the following procedures._(3.2.2.5)

1. Acknowledge receipt of the query and state a reasonable time for resolution;
2. Determine whether the query discloses a genuine issue or not (and if not, respond to the querier accordingly);
3. If the issue is genuine, apply to prioritise, and determine the appropriate response.
4. Carry out response and, where necessary, improve open source compliance processes.
5. Document the above using Jira Tracker.

7. Open Source Contributions

The company encourages participation and contribution to external open source projects to create business value in open source. However, in this process, you should be careful about unintentional exposure of the company’s intellectual property or infringement of the rights of third parties. Therefore, members of the company should comply with the following when contributing to external open source projects._(3.5.1.1)

(1) Request a review and get approval.

An open source contribution is to grant an open source project the right of an author to modify/use/distribute a work from a copyright point of view. In some cases, you may need to transfer your copyright to an open source project. In general, however, the copyright of a work created during employment is owned by the employer. In other words, works created by company members are owned by the company. Contributing to open source works created while you were employed may raise unnecessary copyright infringement issues.

Therefore, if there is an open source project that you would like to contribute to, follow the review request and approval procedures before making the initial contribution according to the open source contribution process.

However, in the case of a small contribution as follows, since the risk of copyright infringement is not large, you can contribute at your own discretion without the review process.

• Small code snippets of 10 lines or less
• Inquiries and answers on Stack Overflow
• Activities on GitHub: Issue creation, Pull Request Review / Approve, etc.

(2) Contribute only code that you have the right to contribute

Only contribute code for which you have the right to contribute. In other words, contribute your own code, not third-party code.

(3) Be careful not to expose the company’s intellectual property

Do not contribute code or documents that may expose the company’s intellectual property such as sensitive information or patents.

• If the code you want to contribute includes [Company]’s patent, you should check whether you can contribute to the project under the open source license. If there is any ambiguity, contact OSPO.

(4) Be careful about signing the CLA.

Some open source projects require all contributors to sign a CLA_{Contributor License Agreement}. This is an agreement to seek consent from contributors to reduce copyright disputes that may arise when a project manages the works of multiple contributors. Typically, a company-led project requires a CLA to be signed.

The CLA varies from project to project, but primarily includes agreement to the following:

• I (or my company) have the right to contribute to the project the contribution I intend to contribute. (i.e. I am the author of this contribution.)
• I (or my company) grant the project the right to modify, distribute, and manage my contributions to the project.
• I (or my company) will not revoke the authority granted to me.
• I (or my company) grant the project the right to change the license according to future needs of the project.

In addition, in rare cases, some CLAs also require consent to the following terms and conditions:

• I (or my company) transfer my copyright to the project or project management organization at the same time as I contribute my contribution.

[Company] does not allow contributions to open source projects that require transfer of copyright to protect the company’s intellectual property. Therefore, if the open source project you want to contribute to requires the CLA to be signed, be sure to ask OSPO for a review before signing.

(5) Add company copyright notice

The intellectual property of the work you create during your employment is basically owned by the company. Therefore, you should add your company’s copyright notice when contributing code to external open source projects.

When contributing more than one file, add the copyright and license notices at the top of the files, like this:

Copyright (c) {$year} {$Company}
SPDX-License-Identifier: {$SPDX_license_name}

Here, $SPDX_license_name is written according to the license of the corresponding open source project.

However, if your contribution is only to modify existing code for the purpose of fixing a bug, you do not need to add a copyright notice for that code modification.

(6) Use your company email

When contributing to an open source project, use your company email, not your personal email. This will (1) give you a sense of responsibility to communicate with the community on behalf of the company, and (2) improve the awareness of the company that actively contributes to the open source community.

8. Open Source Release

[Company] respects the value of collaboration with the open source community and encourages the release of internal software as an open source project. However, there are several rules that should be followed to protect the company’s intellectual property and prevent unintentional copyright infringement.

(1) Get approval

From a copyright point of view, releasing as open source means that the author grants the right to modify/use/distribute the work by anyone through an open source license. In general, the copyright of a work created during employment is owned by the employer. In other words, the work you create is owned by the company. The act of arbitrarily releasing a work as open source may cause unnecessary copyright infringement issues.

Therefore, if you want to release the software as open source, follow the review request and approval procedure according to the company’s open source release policy.

Do not hesitate to contact OSPO if anything in your open source process appears to be undesirable.

(2) Release only the code you have the right to publish.

One of the worst things that can happen to an open source project is that the project contains legally problematic code. Code that the company does not have the right to release, or code that infringes IP, such as another company’s patent, can cause legal problems. Therefore, while preparing the code to be released, check the source of all code and delete problematic code.‌

(3) Be careful about the exposure of the company’s intellectual property.

Do not release code or documents that may expose sensitive information or patents to the company’s intellectual property.

If the code you want to release contains [Company] patent, see if you can release it under the open source license. If there are any ambiguities, please contact OSPO.

(4) Publish useful code

To be a successful project, it should also be useful to others. If a similar project already exists, join the existing project rather than create a new one.

An open source that intends to release should be able to expect: (1) provide differentiated value to the open source community; (2) to solve problems that the community has not been able to solve; (3) We receive positive attention by releasing our technology.

• If the code we haven’t used in our products or services, don’t even release it as open source.
• Do not publish code that addresses a problem that has already been addressed by the open source community. If this is the case, contribute to an existing open source project.

(5) Prepare the resource

Prepare in advance the resources that will be put into the open source project, including developers.

• In the beginning, the number of developers similar to that of a general in-house project is required.
• Get developers who can quickly review external contributions.
• The role of the legal team and marketing team is also required.
• Secure a budget for the infrastructure required to maintain and manage the project. This includes tools for hosting projects like Github.

If you can’t create an environment with enough resources to support it, don’t release it as open source.

(6) Use your company email

For open source release activities, do not use personal emails, but use company emails. This will (1) give you a sense of responsibility to communicate with the community on behalf of the company, and (2) improve the awareness of the company that actively contributes to the open source community.

9. Respond to external inquiries

(1) Responsibility for responding to external inquiries

The open source program manager is responsible for responding to inquiries and requests for open source compliance from outside._(3.2.1.2)

• The open source program manager may assign all or part of the handling of inquiries to appropriate personnel within the company. If necessary, contact the legal team to deal with it.
• Anyone who receives an inquiry about open source compliance from outside will notify the open source program manager so that a prompt response can be made.

(2) Disclosure of contact information

The open source program manager publicly provides the contact information of the person in charge so that external inquiries and requests related to open source can be submitted to the company._(3.2.1.1)

• Include the email address of the person in charge in the open source notice.
• Register your contact in the Linux Foundation’s Open Compliance Directory.

(3) External Inquiry Response Procedure

If you respond quickly and accurately to open source compliance inquiries from outside, you can significantly reduce the risk of going to a lawsuit. To this end, in order to respond to external open source compliance inquiries, you should follow the external inquiry response process defined in the company’s open source compliance process._(3.2.1.2)

10. OpenChain

[COMPANY] supports the Linux Foundation’s OpenChain project. This policy has been carefully designed to be compliant with the OpenChain Specification v2.1, ISO/IEC 5230:2020.

• [COMPANY] affirms that as of [insert date] it is in compliance with the OpenChain Specification v 2.1, ISO/IEC 5230:2020._(3.6.1.1)
• [COMPANY] affirms that within the past 18 months of obtaining conformance validation, the program meets all the requirements of the OpenChain Specification v2.1, ISO/IEC 5230:2020._(3.6.2.1)
• [COMPANY]’s affirmation of conformance will be reviewed and renewed if appropriate at intervals of at least [12|18 months].

Appendix 1. List of persons in charge

9.2 - 2. Open Source Compliance Process (Sample)

OOO Corporation (hereinafter referred to as the “Company”) actively uses open source software (hereinafter referred to as “Open Source”) while developing products and services including the software. When a company distributes its software, it should perform activities to comply with the obligations imposed by the open source license, which is called open source compliance.

1. Process for software development/distribution

This open source compliance process defines the procedures a [company] should follow to comply with its open source license obligations for each stage of development for developing and distributing software products and services. All employees involved in developing/distributing software products should follow these 10 steps of the Open Source Compliance Process.

1. Identification of Open Source

The development team should adhere to the following during the software design phase.

• Identify predictable open source usage and check licenses while designing software.
• Check the obligations for each open source license. You can check the obligations for each license in the company’s Open Source Licensing Guide.
• Design software considering the source code disclosure scope of each open source license.

Open source program managers should write a guide on the obligations, restrictions, and rights of frequently used open source licenses, and make them available for reference to the development team.

The development team should display the copyright and license in the source code according to the company’s policy. The copyright and license notation rules in the company’s source code can be found on the following page. : (insert_link)

When a development team needs to use a new open source, first identify the license. Check your license obligations, restrictions, and rights according to your company’s Open Source Licensing Guide. If the license is not described in the company’s open source license guide, ask the open source program manager whether it can be introduced or not. Create a Jira Ticket and inquire.

Open source program managers guide the software development team by analyzing their open source license obligations.

• If in doubt, seek advice from the Legal Department to provide clear guidance.
• Add newly analyzed open source licenses to the guide.

2. Auditing Source Code

The development team requests open source audit by providing the source code according to the guidance of the infrastructure team.

The development team uses the open source analysis tool provided by the infrastructure team to audit the open source and generate the open source BOM.

The open source program manager reviews whether the obligations of the open source license can be complied with and whether there is an open source license conflict, and if there is an issue, ask the development team to resolve it. Create issues with Jira Tickets and assign them to the development team.

3. Resolving Issues

The development team should resolve any issues found during the source code inspection phase. Take action, such as removing the open source that has become an issue, or replacing it with an open source under a different license.

When the development team resolves all issues found, Resolve the Jira Ticket issue and request a review.

4. Reviews

Open source program managers review that all issues have been properly addressed. If necessary, re-audit the source code using an open source analysis tool.

5. Approval

The open source program manager should finally approve or reject whether the open source compliance process has been properly performed. In case of rejection, explain the reason and suggest to the development team how to fix it.

6. Registration

The open source program manager confirms the BOM for tracking the list of open source usage by version of the software.

The person in charge of infrastructure registers the confirmed BOM in the system. Include in the BOM a list of the open sources included with the supplied software and information such as:

• Product (or service) name and version of the supplied software
• Open Source List
  • Open source name / version
  • Open source license

7. Notices

Open Source Program Managers create Open Source Notices to comply with notice obligations. Include the following in the Open Source Notice.

• Open source contact information for external inquiries related to open source
• Notice by open source
  • Copyright notice
  • Open source license name
  • A copy of the open source license
  • Written Offer to receive a copy of the source code (if applicable)

The open source program manager creates an Open Source Notice and delivers it to the development team. In this case, if it is necessary to disclose the source code, guide the development team on how to collect the source code to be disclosed.

The development team should enclose the Open Source Notice when distributing the product. In the case of a product with a screen, take measures so that the user can check it through the menu. (Example: Apps > Menu > Settings > Copyright Information > Open Source License)

If the development team uses open source under a license that requires source code disclosure, such as GPL or LGPL, check the source code disclosure scope for this and collect the source code to be disclosed.

• The source code collected to comply with license obligations such as GPL and LGPL should match the source code that creates the binaries loaded in the product. In other words, when the compiled source code is built, it should be the same as the binary loaded on the product.

8. Pre-Distribution Verifications

The development team should submit the following artifacts demonstrating that the open source compliance activities were properly conducted.

1. Final Open Source Notice included in the product
2. Materials confirming that the product includes Open Source Notice (eg, screen capture image showing Open Source Notice)
3. (if applicable) source code to be disclosed (compressed and submitted in one file)

The open source program manager should review the data submitted by the development team and check for any abnormalities.

9. Distribution

Open source program managers should submit compliance artifacts submitted by the development team to the infrastructure team.

The infrastructure team registers the compliance artifacts on the company’s open source distribution site.

10. Final Verifications

The open source program manager should comprehensively check whether the compliance product is registered on the company’s open source portal without any abnormality or whether it is downloaded from outside the company.

2. External Inquiry Response Process

If you respond quickly and accurately to open source compliance inquiries from outside, you can greatly reduce the risk of going to a lawsuit. Therefore, you should follow the following process to respond to external open source compliance inquiries.

1. Acknowledge

The open source program manager immediately informs the requester that the inquiry has been received. In this case, inform the requester of the expected date of action. Since it’s important to know exactly what the requester’s intent is, ask for further clarification if the inquiry is unclear.

The main contents of inquiries and requests that require response are as follows.

• Inquiries about whether open source has been used for certain products and services
• Request to provide source code under the GPL, LGPL license mentioned in the Written Offer
• Request for clarification of open source found in the product and disclosure of source code even though it is not specified in the Open Source Notice
• Request to provide missing files and build methods in the source code published due to GPL, LGPL, etc.
• Request for copyright notice

The open source program manager creates a Jira Issue for the received request and records all responses in detail.

2. Inform

The open source program manager informs the requester that it is faithfully performing open source compliance and is investigating the requester’s inquiry. Notify the requestor whenever possible internal investigation progress is updated.

3. Investigate

The open source program manager conducts an internal investigation of the request. Check the BOM and documented review history to ensure that the compliance process has been properly implemented for the version of the product in question. Seek advice from the Legal Department if necessary.

If a specific development team needs confirmation, the open source program manager should ask the development team to investigate. The development team requested to be investigated immediately identifies any issues with the compliance artifacts and reports the findings to the open source program manager.

4. Report

The open source program manager should complete the internal investigation within the due date for action and inform the requester of the results.

• If the requester’s complaint was a misunderstanding rather than a compliance issue, notify the requester without further action and terminate the procedure.
• If any compliance issues are discovered, inform the requester of the exact method and timing to fulfill the obligations of the applicable open source license.

5. Rectify

If an internal investigation reveals an actual compliance issue, the development team should take all necessary steps to resolve the compliance issue.

6. Report

After resolving the issue, notify the requester immediately and provide the best way to confirm that the issue has been resolved.

7. Improve

If there are compliance issues, conduct an OSRB meeting to review the case, find out how the issue arose, and improve the process so that the issue does not recur.