The badge gives both developers and enterprises a transparent, verifiable signal of open‑source security hygiene, helping to lower supply‑chain risk and drive broader adoption of best‑practice controls.
David Wheeler, director of open‑source supply‑chain security at the OpenSSF, introduced the OpenSSF Best Practices Badge – a three‑tier (passing, silver, gold) certification that evaluates open‑source projects against a curated set of security‑focused criteria drawn from the practices of well‑run repositories. The badge is awarded through a web‑based self‑assessment: maintainers answer the criteria themselves, but the site auto‑fills some answers from automated checks, publishes every answer and justification so anyone can inspect them, and lets badge staff override answers after spot checks, which together mitigate the usual weaknesses of self‑certification.
The badge’s criteria are designed to surface blind spots; projects often discover missing practices on their first pass through the questionnaire and can remediate them to improve their security posture. Unlike the fully automated OpenSSF Scorecard, which scales to thousands of projects but can produce false positives and false negatives, the Best Practices Badge allows nuanced, project‑specific responses. It also complements the newer OpenSSF Baseline, which defines a smaller set of mandatory controls, and the badge roadmap includes integrating those Baseline criteria.
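A maintainer who wants to find those blind spots before filling in the questionnaire can run a local pre‑check. The script below is an added example, not the badge site’s own automated checks, and the five criteria it evaluates (a FLOSS license file, a contribution guide, a documented vulnerability‑reporting process, an automated test suite, HTTPS‑only links in the README) together with the file names it looks for are this example’s assumptions, modeled on common passing‑level criteria. The sample project it builds in a temporary directory is constructed for the demonstration.

```python
"""Local pre-check for a handful of Best Practices Badge style criteria.

Added example, not the badge site's own checker. Criterion names, file
conventions and the sample project below are assumptions of this example.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# File names conventionally used for each criterion (assumption of this example).
LICENSE_NAMES = ("LICENSE", "LICENSE.md", "LICENSE.txt", "COPYING")
CONTRIB_NAMES = ("CONTRIBUTING", "CONTRIBUTING.md", "CONTRIBUTING.rst")
SECURITY_NAMES = ("SECURITY.md", "SECURITY.rst", ".github/SECURITY.md")
TEST_DIRS = ("test", "tests", "spec")
README_NAMES = ("README", "README.md", "README.rst")

# A SECURITY file only counts if it actually tells people how to report a vulnerability.
REPORT_PATTERN = re.compile(r"report(ing)?\s+(a\s+)?(security\s+)?vulnerabilit", re.I)
# Plain-http links are the thing we flag; https links are fine.
HTTP_LINK = re.compile(r"http://[^\s)>\]]+")


def _first_existing(root: Path, names: tuple[str, ...]) -> Path | None:
    """Return the first of `names` that exists as a regular file under `root`."""
    for name in names:
        candidate = root / name
        if candidate.is_file():
            return candidate
    return None


def check_project(root: str | Path) -> dict[str, bool]:
    """Evaluate the project tree at `root`; return {criterion: passed}."""
    root = Path(root)
    results: dict[str, bool] = {}

    results["floss_license"] = _first_existing(root, LICENSE_NAMES) is not None
    results["contribution_guide"] = _first_existing(root, CONTRIB_NAMES) is not None

    sec = _first_existing(root, SECURITY_NAMES)
    results["vulnerability_report_process"] = (
        sec is not None and REPORT_PATTERN.search(sec.read_text(errors="replace")) is not None
    )

    # A test directory must exist and be non-empty to count as an automated suite.
    results["automated_tests"] = any(
        (root / d).is_dir() and any((root / d).iterdir()) for d in TEST_DIRS
    )

    readme = _first_existing(root, README_NAMES)
    readme_text = readme.read_text(errors="replace") if readme else ""
    results["https_links_in_readme"] = readme is not None and HTTP_LINK.search(readme_text) is None
    return results


def blind_spots(results: dict[str, bool]) -> list[str]:
    """Criteria the project does not yet meet, sorted for stable output."""
    return sorted(name for name, passed in results.items() if not passed)


def build_sample_repo(root: Path, remediated: bool = False) -> None:
    """Constructed sample project. Unremediated, it lacks a SECURITY file and
    links over plain http; remediated, it fixes both of those gaps."""
    (root / "LICENSE").write_text("MIT License\n")
    (root / "CONTRIBUTING.md").write_text("Open a pull request against main.\n")
    (root / "tests").mkdir()
    (root / "tests" / "test_basic.py").write_text("def test_ok():\n    assert True\n")
    scheme = "https" if remediated else "http"
    (root / "README.md").write_text(f"See {scheme}://example.com/docs for details.\n")
    if remediated:
        (root / "SECURITY.md").write_text(
            "To report a vulnerability, email security@example.com (assumed address).\n"
        )


def run_sample(remediated: bool = False) -> dict[str, bool]:
    """Build the constructed sample in a temp dir and return its check results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(Path(tmp), remediated=remediated)
        return check_project(tmp)


if __name__ == "__main__":
    for label, fixed in (("before remediation", False), ("after remediation", True)):
        results = run_sample(remediated=fixed)
        print(f"== {label} ==")
        for name, passed in results.items():
            print(f"  {'PASS' if passed else 'MISS'}  {name}")
        print("  blind spots:", blind_spots(results))
```

Point `check_project` at a real checkout to get the same report for your own project; the questionnaire still has to be answered on the badge site, but the list of blind spots tells you what to fix first.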
As of November 2025, more than 9,000 projects have signed up on www.bestpractices.dev, with nearly 2,000 earning at least a passing badge. High‑profile adopters include the Linux kernel, Kubernetes, Node.js, LibreOffice, cURL, Nextcloud and Blender, showcasing the badge’s growing credibility among critical infrastructure projects.
For maintainers, earning the badge signals a commitment to security and helps attract contributors and users. For enterprises, it offers a quick, publicly verifiable indicator when evaluating third‑party open‑source components, giving risk‑aware procurement a tangible metric and potentially reducing supply‑chain risk.