Skip to content

# Proposal: Safety Relevance Metadata for OpenSSF #624

Description

@devashridatta-dotcom

Summary

This proposal introduces a new metadata signal, Safety Relevance, to complement OpenSSF's existing ecosystem metrics such as Criticality Score and Scorecard.

Safety Relevance captures whether a software project participates in safety-critical or mission-critical functions where compromise, malfunction, or misuse could result in:

  • Physical harm to people
  • Environmental damage
  • Critical infrastructure disruption
  • Large-scale societal impact

The goal is not to replace existing metrics, but to provide an orthogonal dimension describing the real-world consequences associated with software systems.

Motivation

OpenSSF currently provides valuable signals around:

  • Security best practices (Scorecard)
  • Ecosystem importance (Criticality Score)
  • Supply-chain transparency (SBOM initiatives)

However, these efforts do not capture whether software is used in systems whose failure could cause harm beyond cybersecurity consequences.

Examples include:

  • Autonomous systems
  • Medical devices
  • Industrial control systems
  • Energy and utility infrastructure
  • AI systems with safety implications

A Safety Relevance signal would help organizations prioritize security and governance efforts based not only on technical risk, but also on real-world impact.

Initial Proposal

Introduce a Safety Relevance metadata classification:

  • None
  • Indirect
  • Critical
  • Unknown

Potential signals could include:

  • Deployment in safety-critical environments
  • Dependency centrality in critical infrastructure
  • Potential harm surface
  • Regulatory or industry classifications
  • Declared usage context

Relationship to Existing OpenSSF Initiatives

Safety Relevance is intended to complement:

  • Criticality Score: ecosystem importance
  • Scorecard: security practices
  • SBOM initiatives: component inventory and provenance

Safety Relevance provides an additional dimension describing operational and societal consequences.

Questions for TAC

  1. Should Safety Relevance be incubated as a new initiative or under an existing Working Group?
  2. Which Working Group is the natural home (Securing Critical Projects, AI/ML Security, or SBOM Everywhere)?
  3. Should this begin as metadata and later evolve into a scoring model?
  4. What governance and review process would be appropriate for project classifications?

Next Steps

If there is community interest, I can:

  • Draft a formal specification
  • Develop example use cases and taxonomy
  • Engage with relevant Working Groups
  • Present the proposal in a TAC or WG meeting

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions