Aligning on Machine-Readable Signals as the Foundation for Due Diligence
OpenSSF argues that Cyber Resilience Act due diligence should use voluntary machine-readable open source security signals while keeping liability with downstream manufacturers, and says companies should support upstream tooling, documentation, funding, and engineering rather than demanding maintainer assurances.
Source: OpenSSF