
Open Source Artifacts

This section of the OSBOK describes common artifacts that are either consumed or produced when managing open source software within the enterprise. Artifacts may be machine- or process-generated (such as an SBOM) or the result of human effort (such as an Open Source Strategy).

The Artifacts

Open Source Policy

An open source policy is a set of guidelines that outlines how an organization will consume, contribute to, and create open source software. It defines the rules that govern the use, distribution, and licensing of open source software within the organization. It establishes processes for evaluating open source software, managing the risks associated with its use, and ensuring compliance with legal and ethical requirements.

Common Vulnerabilities and Exposures (CVEs)

CVEs (Common Vulnerabilities and Exposures) are standardized identifiers for publicly known cybersecurity vulnerabilities which can be leveraged in exploits. The MITRE Corporation manages the CVE program, which receives funding from the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA).

Data Loss Prevention Software

This article looks at Data Loss Prevention (DLP) software commonly used in financial organisations and how these impact open source consumption and contribution. It is not a complete reference for the subject of DLP generally, but should act as a starting point for understanding the issues involved.

Intellectual Property

This article discusses the main types of intellectual property and their application to open source within financial services.

Software Bill of Materials (SBOM)

An SBOM, or Software Bill of Materials, is a list of all the components, libraries, and dependencies used in a software project, along with their associated version numbers and license information. There are two different SBOM formats:

Reference FOSS Policy

This content originates from the FINOS Reference FOSS Policy Project and has not been updated recently. Feel free to suggest edits.

Software Licenses

This article provides some basic framing around the purpose of licenses within open source.


This article explains the concept of the Contributor License Agreement (CLA) and Developer Certificate of Origin (DCO) and the practical implications of these for organisations consuming and contributing to open source.