I've been tasked with creating a policy that governs the adoption, use, and contribution to open-source projects, libraries, and software. I started with NIST and CSF to find their recommendations but haven't found much more than "the organization devises an open-source policy".
I've identified some concerns. Firstly, what are your suggestions? Did I miss something? Secondly, do you have a template or actual policy you can share that will serve as a jumping-off point?
- License (which open-source licenses shall we permit).
- Sanctioning process - establish a process by which open-source projects, code, libraries, or software is reviewed and "sanctioned for use". The result shall be a curated repository of projects or packages, or perhaps a list?
  - Favor popular projects.
  - Observe the patch frequency.
  - Observe response to vulnerabilities.
- Mandatory SCA for projects using third-party (open-source) libraries.
- Create a process by which a security lead is informed of vulnerabilities in a sanctioned project.
- Manual code review (this may not be practical).
- Create a policy addressing contribution to open-source projects. Consider the protection of the company's IP.
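The sanctioning criteria listed in the question (permitted licenses, patch frequency, response to vulnerabilities, popularity, and an SCA check of the version actually in use) can be encoded as a policy-as-code check that runs over the dependency inventory an SCA tool exports. The script below is an added example, not part of the question or of any published policy template; the thresholds, package names, advisory ids, download counts and dates are all constructed for illustration, and the data classes stand in for whatever the SCA tool actually reports.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Policy thresholds: hypothetical values, the policy itself must set them.
PERMITTED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "BSD-2-Clause", "ISC"}
MAX_DAYS_SINCE_RELEASE = 365     # "observe the patch frequency"
MAX_VULN_RESPONSE_DAYS = 30      # "observe response to vulnerabilities"
MIN_WEEKLY_DOWNLOADS = 10_000    # "favor popular projects"


@dataclass
class Advisory:
    """A published vulnerability against a package (constructed data below)."""
    vuln_id: str
    affected_versions: set
    disclosed: date
    fixed: Optional[date]        # None while no fixed release exists


@dataclass
class Package:
    """One entry of the dependency inventory exported by the SCA tool."""
    name: str
    version: str                 # version in use in our code base
    license: str                 # SPDX identifier reported by the SCA tool
    last_release: date
    weekly_downloads: int
    advisories: list


def check_package(pkg: Package, today: date) -> list:
    """Return the policy findings for one package; an empty list means sanctioned."""
    findings = []
    if pkg.license not in PERMITTED_LICENSES:
        findings.append(f"license {pkg.license} is not on the permitted list")
    stale_days = (today - pkg.last_release).days
    if stale_days > MAX_DAYS_SINCE_RELEASE:
        findings.append(f"no release in {stale_days} days")
    if pkg.weekly_downloads < MIN_WEEKLY_DOWNLOADS:
        findings.append(f"only {pkg.weekly_downloads} weekly downloads")
    for adv in pkg.advisories:
        # Maintainer responsiveness: time from disclosure to a fixed release,
        # or to today if the advisory is still open.
        response_days = ((adv.fixed or today) - adv.disclosed).days
        if response_days > MAX_VULN_RESPONSE_DAYS:
            state = "fixed" if adv.fixed else "still unfixed"
            findings.append(f"{adv.vuln_id}: {state} after {response_days} days")
        # SCA-style check: is the version we actually use affected?
        if pkg.version in adv.affected_versions:
            remedy = "upgrade available" if adv.fixed else "no fixed version"
            findings.append(f"{adv.vuln_id}: in-use version {pkg.version} affected ({remedy})")
    return findings


def review_inventory(inventory: list, today: date) -> dict:
    """Map each package name to its findings; feeds the security lead's notification step."""
    return {pkg.name: check_package(pkg, today) for pkg in inventory}


def sanctioned(inventory: list, today: date) -> list:
    """Names of packages with no findings, i.e. the curated 'sanctioned for use' list."""
    return sorted(name for name, f in review_inventory(inventory, today).items() if not f)


# Constructed inventory: names, advisory ids and dates are made up for this example.
TODAY = date(2024, 6, 1)
INVENTORY = [
    Package("fastjson-lite", "2.3.1", "MIT", date(2024, 4, 20), 250_000, [
        Advisory("EXAMPLE-2024-0001", {"2.3.0"}, date(2024, 3, 1), date(2024, 3, 10)),
    ]),
    Package("oldcrypt", "0.9.0", "GPL-3.0", date(2021, 1, 15), 1_200, [
        Advisory("EXAMPLE-2023-0042", {"0.9.0"}, date(2023, 11, 1), None),
    ]),
    Package("slowfix-http", "1.4.0", "Apache-2.0", date(2024, 5, 2), 40_000, [
        Advisory("EXAMPLE-2024-0007", {"1.3.0", "1.4.0"}, date(2024, 1, 5), date(2024, 4, 1)),
    ]),
]

if __name__ == "__main__":
    for name, findings in review_inventory(INVENTORY, TODAY).items():
        print(name, "-> sanctioned" if not findings else "")
        for f in findings:
            print("   ", f)
```

Running it prints one block per package: `fastjson-lite` passes every check, `slowfix-http` is flagged only for the 87-day fix time and because the in-use 1.4.0 is affected (with an upgrade available), and `oldcrypt` collects five findings (license, staleness, low popularity, an advisory open for over 200 days, and an affected in-use version with no fix). Separating the "responsiveness" finding from the "our version is affected" finding matters in practice: the first is input to the sanctioning decision, the second is what the security lead needs to be told about a package that is already in use.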