Summary
This proposal introduces a new metadata signal, Safety Relevance, to complement OpenSSF's existing ecosystem metrics such as Criticality Score and Scorecard.
Safety Relevance captures whether a software project participates in safety-critical or mission-critical functions where compromise, malfunction, or misuse could result in:
- Physical harm to people
- Environmental damage
- Critical infrastructure disruption
- Large-scale societal impact
The goal is not to replace existing metrics, but to provide an orthogonal dimension describing the real-world consequences associated with software systems.
Motivation
OpenSSF currently provides valuable signals around:
- Security best practices (Scorecard)
- Ecosystem importance (Criticality Score)
- Supply-chain transparency (SBOM initiatives)
However, these efforts do not capture whether software is used in systems whose failure could cause harm beyond cybersecurity consequences.
Examples include:
- Autonomous systems
- Medical devices
- Industrial control systems
- Energy and utility infrastructure
- AI systems with safety implications
A Safety Relevance signal would help organizations prioritize security and governance efforts based not only on technical risk, but also on real-world impact.
Initial Proposal
Introduce a Safety Relevance metadata classification:
- None
- Indirect
- Critical
- Unknown
Potential signals could include:
- Deployment in safety-critical environments
- Dependency centrality in critical infrastructure
- Potential harm surface
- Regulatory or industry classifications
- Declared usage context
Relationship to Existing OpenSSF Initiatives
Safety Relevance is intended to complement:
- Criticality Score: ecosystem importance
- Scorecard: security practices
- SBOM initiatives: component inventory and provenance
Safety Relevance provides an additional dimension describing operational and societal consequences.
Questions for TAC
- Should Safety Relevance be incubated as a new initiative or under an existing Working Group?
- Which Working Group is the natural home (Securing Critical Projects, AI/ML Security, or SBOM Everywhere)?
- Should this begin as metadata and later evolve into a scoring model?
- What governance and review process would be appropriate for project classifications?
Next Steps
If there is community interest, I can:
- Draft a formal specification
- Develop example use cases and taxonomy
- Engage with relevant Working Groups
- Present the proposal in a TAC or WG meeting
Summary
This proposal introduces a new metadata signal, Safety Relevance, to complement OpenSSF's existing ecosystem metrics such as Criticality Score and Scorecard.
Safety Relevance captures whether a software project participates in safety-critical or mission-critical functions where compromise, malfunction, or misuse could result in:
The goal is not to replace existing metrics, but to provide an orthogonal dimension describing the real-world consequences associated with software systems.
Motivation
OpenSSF currently provides valuable signals around:
However, these efforts do not capture whether software is used in systems whose failure could cause harm beyond cybersecurity consequences.
Examples include:
A Safety Relevance signal would help organizations prioritize security and governance efforts based not only on technical risk, but also on real-world impact.
Initial Proposal
Introduce a Safety Relevance metadata classification:
Potential signals could include:
Relationship to Existing OpenSSF Initiatives
Safety Relevance is intended to complement:
Safety Relevance provides an additional dimension describing operational and societal consequences.
Questions for TAC
Next Steps
If there is community interest, I can: