Open Source Software Usage Policy

    Documentation - March 12, 2023

    Accure Policy for Incorporating Open Source Software in Our Products 

    Version: 3.1.9 [July 18, 2022] 


    Our Open Source Software Policy mission is to incorporate open source software into our products in a manner that maximizes the benefits of open source technology, while also ensuring legal compliance, protecting our intellectual property, and maintaining high standards for quality and security. We aim to foster innovation and collaboration within the open source community, while also providing value to our customers and stakeholders. Through the adoption of open source software, we strive to build sustainable and effective solutions that address real-world challenges faced by individuals and organizations worldwide. 

    Introduction 

    We recognize the importance of open source software (OSS) in modern software development. OSS can provide benefits such as cost savings, reduced time-to-market, and increased flexibility. However, the use of OSS also carries risks and responsibilities, including license compliance, security, and intellectual property issues. This policy provides guidelines for the incorporation of OSS in our products, ensuring that we: 

    • comply with the applicable licenses, 
    • protect our intellectual property, and 
    • maintain the quality and security of our products. 

    Open Source Software Group (OSSG) 

    Accure’s OSSG works within the CTO office and is the authority that evaluates, tests, reviews the license of, and approves OSS for use within the company. 

    Scope 

    This policy applies to all software development projects that involve the incorporation of OSS. The policy covers the following aspects: 

    License Compliance 

    Any open source component licensed under the following commonly used licenses can be used without additional disclosure or approval: 

    • Mozilla Public License (MPL), 1.0, 1.1 and 2.0 variants 
    • MIT License 
    • Berkeley Software Distribution (BSD) License, 3-clause, 2-clause and 0-clause variants 
    • Apache License, 1.0, 1.1 and 2.0 variants 
    • Common Development and Distribution License (CDDL) 
    • PostgreSQL License 
    • Python Software Foundation License 
    • Public Domain 
    • Artistic License 
    • zlib/libpng License 
    • PHP License 
    • ICU License 
    • Eclipse Public License (EPL) 

    Note that the MPL, CDDL and EPL are weak-copyleft licenses: a component under them may be combined with our proprietary code without disclosing that code, but any modification to the covered code itself must be made available under the same license. Such modifications are therefore kept separate from our own code and handled under the OSS Changes and Customization guidelines below. 

    OSS components and libraries with the following licenses may be used internally. For any external use (distribution to customers, or inclusion in a shipped product), approval from the OSSG must be obtained, because the copyleft obligations of these licenses are triggered by distribution rather than by internal use: 

    • GNU General Public License (GPL), v2 and v3 
    • GNU Lesser General Public License (LGPL) 

    OSS components and libraries with the following licenses must not be used in any Accure product. The AGPL extends copyleft obligations to software made available over a network, and the remaining licenses are source-available rather than open source licenses, each restricting how the software may be offered commercially: 

    • GNU Affero General Public License (AGPL) 
    • Server Side Public License (SSPL) 
    • Confluent Community License 
    • Redis Source Available License 
    • Any license bearing a Commons Clause addendum 
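    As an added illustration (this is not part of Accure's policy or tooling), the three license tiers above can be enforced automatically in a build pipeline. The Python script below classifies each third-party component by its license expression and fails the build when a component is not cleared for the intended use. It assumes licenses are written as SPDX identifiers combined with OR, AND and WITH (the policy names licenses in prose), treats the Unlicense as the policy's "Public Domain" entry, uses local tokens for the Confluent and Redis licenses because they have no SPDX identifier in this example, and runs on a constructed manifest rather than a real dependency list.

```python
"""License gate (added example, not Accure tooling): classify SPDX license
expressions into the policy's tiers and fail the build on anything not cleared."""
import re
from typing import List, Optional, Tuple

# Ranks; higher is more restrictive. OR takes the lowest rank of its options
# (we choose the license), AND the highest (every term's obligations apply).
ALLOWED, APPROVAL, UNKNOWN, PROHIBITED = 0, 1, 2, 3

# SPDX identifiers are an assumption (the policy names licenses in prose);
# "Unlicense" stands in for the policy's "Public Domain" entry.
ALLOWED_IDS = {"MPL-1.0", "MPL-1.1", "MPL-2.0", "MIT", "BSD-3-Clause", "BSD-2-Clause",
               "0BSD", "Apache-1.0", "Apache-1.1", "Apache-2.0", "CDDL-1.0", "CDDL-1.1",
               "PostgreSQL", "Python-2.0", "Unlicense", "Artistic-2.0", "Zlib", "Libpng",
               "PHP-3.01", "ICU", "EPL-1.0", "EPL-2.0"}
# Internal use only; external use needs OSSG approval.
APPROVAL_IDS = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
                "LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later"}
# Never shipped. The Confluent and Redis entries are local tokens (assumption), not SPDX ids.
PROHIBITED_IDS = {"AGPL-3.0-only", "AGPL-3.0-or-later", "SSPL-1.0",
                  "Confluent-Community-1.0", "RSALv2"}
COMMONS_CLAUSE = "Commons-Clause"  # SPDX exception id; "X WITH Commons-Clause" is prohibited
TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")


def rank_of(identifier: str, exception: Optional[str]) -> int:
    if exception == COMMONS_CLAUSE or identifier in PROHIBITED_IDS:
        return PROHIBITED
    if identifier in APPROVAL_IDS:
        return APPROVAL
    return ALLOWED if identifier in ALLOWED_IDS else UNKNOWN


class _Parser:
    """Recursive-descent evaluator for SPDX expressions (precedence: OR < AND < atom)."""
    def __init__(self, expr: str) -> None:
        self.toks, self.pos = TOKEN_RE.findall(expr), 0
    def peek(self) -> Optional[str]:
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self) -> Optional[str]:
        tok = self.peek()
        self.pos += 1
        return tok
    def expr(self) -> int:
        rank = self.and_expr()
        while self.peek() == "OR":
            self.take()
            rank = min(rank, self.and_expr())   # dual licensing: pick the friendliest option
        return rank
    def and_expr(self) -> int:
        rank = self.atom()
        while self.peek() == "AND":
            self.take()
            rank = max(rank, self.atom())       # combined terms: the strictest one governs
        return rank
    def atom(self) -> int:
        tok = self.take()
        if tok == "(":
            rank = self.expr()
            if self.take() != ")":
                raise ValueError("unbalanced parentheses in license expression")
            return rank
        if tok is None or tok in ("AND", "OR", "WITH", ")"):
            raise ValueError(f"unexpected token {tok!r} in license expression")
        exception = None
        if self.peek() == "WITH":
            self.take()
            exception = self.take()
        return rank_of(tok, exception)


def verdict(expr: str, usage: str) -> str:
    """Policy verdict for one license expression and an 'internal' or 'external' use."""
    if usage not in ("internal", "external"):
        raise ValueError("usage must be 'internal' or 'external'")
    parser = _Parser(expr)
    rank = parser.expr()
    if parser.peek() is not None:            # e.g. "MIT GPL-3.0-only" must not pass as MIT
        raise ValueError("trailing tokens in license expression")
    return {ALLOWED: "allowed", UNKNOWN: "ossg-review", PROHIBITED: "prohibited",
            APPROVAL: "allowed" if usage == "internal" else "ossg-approval"}[rank]


def gate(components: List[Tuple[str, str]], usage: str):
    """Return (blocked, report); a CI job fails when 'blocked' is non-empty."""
    report = [(name, expr, verdict(expr, usage)) for name, expr in components]
    return [row for row in report if row[2] != "allowed"], report


# Constructed manifest for the demo, not a real dependency list.
SAMPLE_MANIFEST = [
    ("fast-json", "MIT"),
    ("dual-db-driver", "GPL-2.0-only OR Apache-2.0"),   # dual-licensed: Apache option wins
    ("ui-kit", "MIT AND GPL-3.0-only"),                  # combined: the GPL term governs
    ("metrics-core", "Apache-2.0 WITH Commons-Clause"),
    ("queue-server", "SSPL-1.0"),
    ("legacy-crypto", "Vendor-EULA"),                    # unknown id: routed to OSSG review
]

if __name__ == "__main__":
    blocked, report = gate(SAMPLE_MANIFEST, "external")
    print("\n".join(f"{v:14} {n:16} {e}" for n, e, v in report))
    raise SystemExit(1 if blocked else 0)
```

    Dual-licensed components (OR) are judged by their most permissive option, since Accure may choose which license to accept; combined licenses (AND) by their most restrictive term. Any identifier the gate does not recognise is routed to the OSSG for review rather than passed silently, and a malformed expression raises instead of being partially accepted.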
    Intellectual Property 

    We take reasonable measures to ensure that the incorporation of OSS into our products does not infringe any third-party intellectual property rights. We perform due diligence checks, such as patent searches and code audits, to identify any potential intellectual property issues. We also ensure that our products comply with any attribution or copyright notice requirements of the OSS licenses. 

    Attribution 

    We give proper attribution to the original authors of the OSS used in our products. This attribution is recorded in the product documentation, readme files, and release notes, and includes the license text and copyright notices that licenses such as MIT, BSD and Apache require to be reproduced with the software (for Apache-2.0 components, the contents of any NOTICE file as well). 

    Security and Vulnerability 

    We use OSS that has a good security track record and an active security community. Before adoption we verify that the component has no known, unpatched vulnerabilities and that its maintainers release fixes in a timely manner. All OSS is assessed against the OWASP Top 10 (OWASP: Open Worldwide Application Security Project). 

    We are committed to ensuring the security of our products by scanning all OSS used in our products for security vulnerabilities, in accordance with the following guidelines: 

    Scanning: Conduct regular scans of all OSS used in our products, using third-party scanning tools, to identify known security vulnerabilities. Scanning finds known vulnerabilities only, so scans are repeated periodically rather than run once at adoption. At the very minimum, we ensure that the OSS is free from known instances of the following vulnerability classes (the OWASP Top 10): 

    • Broken Access Control 
    • Cryptographic Failures 
    • Injection (SQL, OS command and similar injection flaws) 
    • Insecure Design 
    • Security Misconfiguration 
    • Vulnerable and Outdated Components 
    • Identification and Authentication Failures 
    • Software and Data Integrity Failures 
    • Security Logging and Monitoring Failures 
    • Server-Side Request Forgery 

    Risk Assessment: Assess the potential risk of any identified vulnerabilities and prioritize them based on the level of risk they pose. 

    Mitigation: Develop a mitigation plan for any identified vulnerabilities that pose a significant risk to our products or customers. This may include patching or upgrading the vulnerable OSS, implementing compensating controls, or disabling the affected functionality. 

    Monitoring: Implement monitoring mechanisms to detect any new vulnerabilities in OSS used in our products and promptly address them. At the very minimum, we monitor the following: 

    • MITRE CVE Alerts: https://cve.mitre.org/compatible/vulnerability_alerting.html 
    • Cybersecurity & Infrastructure Security Agency (CISA) advisories: https://www.cisa.gov/news-events/cybersecurity-advisories 

    Documentation: Maintain a record of all OSS scanned (component and exact version), any identified vulnerabilities, and the mitigation plan and its status for each vulnerability. 

    Version Update 

    Upgrading the OSS is crucial to ensure that our products are up-to-date and maintain their functionality and security. We upgrade OSS used in our products in accordance with the following guidelines: 

    Evaluation: Evaluate the need for upgrading OSS based on factors such as security, functionality, compatibility, and vendor support. 

    Risk Assessment: Assess the potential risks of upgrading OSS, including any potential impact on existing functionality and compatibility with other components. 

    Planning: Develop a detailed plan for upgrading OSS, including a timeline, resources required, and any necessary testing or validation. 

    Implementation: Implement the upgrade plan, including testing and validation, and ensure that any potential risks are mitigated. 

    Monitoring: Implement monitoring mechanisms to detect any issues arising from the upgrade and promptly address them. 

    Documentation: Maintain a record of all OSS upgrades, including the reasons for the upgrade, the upgrade plan, any testing or validation, and any issues or risks identified. 

    OSS Changes and Customization 

    It is sometimes necessary to modify, optimize or customize OSS code. We make any such changes according to the following guidelines: 

    Evaluation: Evaluate the need for making changes in OSS based on factors such as functionality, compatibility, and vendor support. 

    Legal Compliance: Ensure that any changes made in OSS comply with the relevant open source license agreements. 

    Documentation: Maintain documentation of all changes made in OSS, including the reason for the change, the modified code, and any testing or validation performed. 

    Contribution: Contribute modifications back to the OSS community whenever possible; changes accepted upstream no longer have to be carried as local patches on every upgrade. 

    Updates: Document how the modified OSS will be upgraded to new upstream versions and how local changes will be re-applied (rebased or re-patched) and re-tested on each upgrade. 

    Training to Dev Teams 

    Training the development team on this OSS policy is essential to ensure compliance with the relevant open source licenses and guidelines. This policy document is made available to all Accure employees, contractors, partners and customers, and is also published on our internal project management system and in Bitbucket. The OSSG is responsible for employee training and support. 

    Conclusion 

    The inclusion of open source software in our products can provide significant benefits but requires careful management to ensure compliance with legal requirements and protection of our intellectual property rights. This policy provides guidelines and best practices to help us effectively manage the use of open source software in our products.
