In April, the OpenChain Telco Work Group completed work on version 1.1 of the OpenChain Telco SBOM Guide. This document helps to define what is a quality Software Bill of Materials in the context of supply chain management. It uses SPDX, the NTIA Requirements and the experience of the Telco industry to provide a clear, simple and easily adjustable approach. Today, with the release of the updated official validator, we are promoting the guide as generally available to the open source community.

Below you can:

• Learn more about the guide
• Get the guide in Chinese (Traditional), English, French and Japanese
• Get the validator
• Learn how to get involved in future development

What is this Guide?

The OpenChain Telco SBOM Guide aims to outline certain requirements related to how an entity creates, delivers, and consumes Software Bill of Materials (SBOM), so that entities that produce and/or consume SBOMs that conform to this guide can ensure repeatability and streamlining of tools and processes for generating and consuming SBOMs. 

Note: that this guide does not require a conforming entity to adopt OpenChain standards but doing so is greatly encouraged.

This guide is designed to work on a per SBOM level: an entity can use it as its sole way of delivering SBOMs but it is the individual SBOM that the guide refers to, not the entity that provides the SBOM. An SBOM using this guide can be called “OpenChain Telco SBOM Guide Compatible.”

Want more context? We delivered a presentation at FOSDEM:

Updates from Version 1.0 to Version 1.1 of the Guide:

The following updates were made in version 1.1:

• Both PackageChecksum and PackageVerificationCode are allowed as package hash.
• The package hash is RECOMMENDED instead of MANDATORY.
• ExternalRef is RECOMMENDED instead of MANDATORY.
• FilesAnalyzed is no longer MANDATORY.
• Examples are provided for the CISA SBOM Types.
• A RECOMMENDED syntax is given for CISA SBOM Types.
• sbomasm is a better example of SBOM merge tool.
• Add reference to new CISA document.

An SBOM that conforms to version 1.0 of the Guide will also conform to version 1.1 of the Guide. The reverse is not true.

Get the Guide

• Chinese (Traditional) Version
• English Version
• French Version
• Japanese Version

Do you want to review the original 1.0 version of the guide? You can learn more and get it in multiple languages via the original Telco SBOM Guide version 1.0 launch announcement. You can also learn more about the version 1.0 validator in its original launch announcement.

Get the Validator

Our official validator for the Telco SBOM Quality Guide has been updated for version 1.1 and is available on the OpenChain Telco Work Group GitHub repo.

To install from PyPI, issue:
pip3 install openchain-telco-sbom-validator 
or 
pipx install openchain-telco-sbom-validator.

Coming Next:

Development of the next generation of the guide will occur via the Telco Work Group, and everyone is welcome to contribute.

The OpenChain Telco Work Group mailing list is here: 

• https://lists.openchainproject.org/g/telco

The OpenChain Telco Work GitHub (for drafting) is here: 

• https://github.com/OpenChain-Project/Telco-WG

Related News:

• The updated official Validator announcement
• External Validation Support announcement

Community Credits:

Huge credit to Marc-Etienne Vargenau for his steady hand in chairing the OpenChain Telco Work Group, and to Jimmy Ahlberg of Ericsson for kicking off that work group, and his continued work as the Chair of the OpenChain Project Governing Board. Special thanks to all of our wonderful community, especially the contributors inside the OpenChain Telco Work Group who made this happen.

Amazon is the latest company to join the OpenChain Project as a Platinum Member and to take a seat at the Governing Board and Steering Committee. This highlights their unwavering commitment to leadership in open source technology, process management and in building trusted supply chains.

“At Amazon, we believe in strengthening the open source ecosystem through collaboration and shared best practices,” said Nithya Ruff, Director of Amazon’s Open Source Program Office. “By joining the OpenChain Project, we’re committed to contributing our experience across cloud services and consumer devices to support and evolve industry standards. We look forward to working with the OpenChain community to make supply chain collaboration easier and more effective for the industry.”

“Amazon pioneered modern digital management of complex supply chains at massive scale,” says Shane Coughlan, OpenChain General Manager. “Their engagement with the OpenChain Project, and more broadly with all aspect of open source process management, underlines the vital role that open standards and open communities play in building a more trusted supply chain. We look forward to benefiting from their thought-leadership as OpenChain enters the next stage of its evolution.”

About the OpenChain Project

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

Today we are delighted to share the news that ZF Group has implemented an ISO/IEC 5230 conformant program.

This significant achievement underscores their commitment to excellence, innovation, and adherence to the highest standards of compliance and best practices in their open-source initiatives. As noted by Sarah Moser of the ZF Group team, implementing the ISO/IEC 5230 standard represents a crucial step in fostering a culture of transparency, collaboration, and continuous improvement.

ZF Group’s conformance was via third-party certification in collaboration with TIMETOACT. The approach they took, their motivations and their practical solutions will be highlight in a forthcoming OpenChain webinar and case study.

Huge thanks to Sarah, the ZF OSPO team and also Simon Pletschacher at TIMETOACT for not only making this happen, but helping to communicate it widely to inspire others.

About ZF Group

ZF is a global technology company represented with 161 production locations in 30 countries. With some 161,600 employees worldwide, ZF reported sales of €41.4 billion in fiscal year 2024.

Founded in 1915, ZF has evolved from a supplier specializing in aviation technology to a global mobility technology company.

Group shareholders include the Zeppelin Foundation, administered by the City of Friedrichshafen, holding 93.8 percent of shares, and the Dr. Jürgen and Irmgard Ulderup Foundation, Lemförde, with 6.2 percent.

About the OpenChain Project:

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation:

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

QNAP Systems, Inc., a leading computing, networking, and storage solutions innovator based in Taipei, has announce and OpenChain ISO/IEC 5230 conformant program.

About QNAP

QNAP (Quality Network Appliance Provider) is devoted to providing comprehensive solutions in software development, hardware design and in-house manufacturing. Focusing on storage, networking and smart video innovations, QNAP now introduce a revolutionary Cloud NAS solution that joins our cutting-edge subscription-based software and diversified service channel ecosystem. QNAP envisions NAS as being more than simple storage and has created a cloud-based networking infrastructure for users to host and develop artificial intelligence analysis, edge computing and data integration on their QNAP solutions.

About the OpenChain Project:

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation:

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Elixir Project is pleased to share that the Elixir project now complies with OpenChain ISO/IEC 5230, the international standard for open source license compliance. This step aligns with broader efforts to meet industry standards for supply chain and cybersecurity best practices.

“Today’s announcement around Elixir’s conformance represents another significant example of community maturity,” says Shane Coughlan, OpenChain General Manager: “With projects – the final upstream – using ISO standards for compliance and security with increasing frequency, we are seeing a shift to longer-term improvements to trust in the supply chain.”

Why OpenChain Compliance Helps

By following OpenChain ISO/IEC 5230, we demonstrate clear processes around license compliance. This benefits commercial and community users alike, making Elixir easier to adopt and integrate with confidence.

Changes for Elixir Users

• All future Elixir releases will include a Source SBoM in CycloneDX 16 or later and SPDX 2.3 or later formats.
• Each release will be attested along with the Source SBoM.

These additions offer greater transparency into the components and licenses of each release, supporting more rigorous supply chain requirements.

Changes for Contributors

• Contributions remain under the Apache-2.0 License. Other licenses cannot be accepted.
• The project now enforces the Developer Certificate of Origin (DCO), ensuring clarity around contribution ownership.

Contributors will notice minimal procedural changes, as standard practices around
licensing remain in place. For more details, see the CONTRIBUTING guidelines

Commitment

These updates were made in collaboration with the Erlang Ecosystem Foundation, reflecting a shared commitment to robust compliance and secure development practices. Thank you to everyone who supported this milestone. We appreciate the community’s ongoing contributions and look forward to continuing the growth of Elixir under these established guidelines.

Learn more about Elixir:

• https://elixir-lang.org

CSI Piemonte, an early adopter of OpenChain ISO/IEC 5230, has announced their fourth periodic recertification of the international standard for open source license compliance processes.

“CSI Piemonte has renewed its self-certification to ISO/IEC 5230:2020 for the fourth time, aware of its decades-long aptitude to implement, acquire, and publish open source software,” says Marco Alberto Panepinto, Open Source Subject Matter Expert at CSI Piemonte. “Italian law, in particular, requires public administrations to publish self-produced software on the national Developers Italia catalog, on which CSI Piemonte publishes the products implemented for local Piedmontese bodies, including mainly the Piedmont Region. Our processes are aimed at providing and promoting the creation and control of open source software, aimed at reuse by other public administrations, as our legislation provides. It is therefore since 2020 that we have adhered to the standard and we are proud to continue pursuing the goal of making our software open.”

“In recent months we have highlighted recertification activity around our standards to underline the concept of sustainable approaches to software management,” says Shane Coughlan, OpenChain General Manager. “Continuity in supply chain management is key to ensure that issues are minimized and productivity is maximized. We are delighted to collaborate with CSI Piemonte on yet another reminder of this important point, and the suitability of OpenChain standards for such long-term management.”

About CSI Piemonte

CSI Piemonte has promoted technological innovation and digital transformation for public administrations since 1977. OpenChain is delighted to welcome them to our community of conformance.

Learn More About CSI

• https://www.csipiemonte.it/web/en

About the OpenChain Project:

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation:

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

Collabora has recently completed its regular 18 month renewal of ISO/IEC 5230 conformance via self-certification, and is highlighting this activity for the benefit of the wider community. This underlines an important principle of standard adoption and use: sustainability through periodically checking processes to ensure their integrity.

“Our renewed ISO/IEC 5230 certification demonstrates Collabora’s unwavering commitment to maintaining the highest standards of compliance to open-source licenses,” says Olivier Potin, Chief Operating Officer at Collabora. “Through OpenChain, we ensure our customers have complete visibility into their software supply chain while guaranteeing compliance with open source licensing requirements. This certification reinforces our position as a trusted partner in delivering open source solutions.”

“The principle of ensuring continued conformance to a standard is a key part of genuine sustainability,” says Shane Coughlan, OpenChain General Manager. “We appreciate Collabora’s decision to publicly highlight their example in double-checking process integrity, and helping to inspire similar long-term approaches in the supply chain.

About Collabora:

Collabora is a global consultancy specializing in delivering the benefits of Open Source software to the commercial world. Whether it’s the Linux kernel, graphics, multimedia or machine learning, Collabora’s expertise spans across all key areas of Open Source software development. By harnessing the potential of community-driven projects, and re-using existing components, Collabora helps its clients focus on creating product differentiation, enabling them to develop the best solutions. From tailoring the latest Open Source technologies to your projects, to integrating Open Source methodologies into your organization, Collabora can help you navigate the ever-evolving world of Open Source. Learn more at collabora.com.

About the OpenChain Project:

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation:

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

S-core, Self-Certified for OpenChain ISO/IEC 5230 International Standard

S-core has officially obtained the OpenChain ISO/IEC 5230 certification, a globally recognised standard for open source compliance. This certification acknowledges the reliability and transparency of S-Core’s open source management system on an international scale.

OpenChain ISO/IEC 5230 is an open source compliance management standard created by The Linux Foundation’s OpenChain Project and published by the International Organization for Standardization (ISO). It provides guidelines to help companies effectively manage open source and mitigate legal risks.

Open Source Specialist S-core’s Journey

S-core is a company that specializes in open source services, leveraging its extensive experience in open source-based infrastructure development.

This company offers full-care service for open source use, from open source adoption, migration, technical support, to governance consulting in order to help customers establish management systems for safe and strategic use of open source.

It has recently strengthened its capability of open source compliance to deliver more reliable and secure services to customers by aligning its open source management system with OpenChain ISO/IEC 5230.

Internally, a dedicated team continuously reviews licenses, assesses risks and operates in-house training programmes to ensure developers use open source correctly. Additionally, S-core has implemented a structured system using open source management tools to proactively identify and mitigate potential risks throughout the development process.

Sunghan Suh, Head of the Open Source Business Division at S-core, stated, “Open source has already become fundamental components in software development and operation across all industries.” He added, “With the acquisition of the OpenChain certification, we will take the lead in the development of the open source ecosystem to enable companies and developers to use open source more safely and efficiently by sharing our extensive expertise accumulated from adoption, development, operation, management to technical support.”

S-core’s Future Efforts

S-core plans to obtain ISO/IEC 18974 certification to further enhance open source security management, reinforcing its ability to address open source vulnerabilities. Looking ahead, the company aims to commit to the growth and development of the open source ecosystem with continued innovation and progress.

Registration is required for this free event /
kostenlose Veranstaltung, aber Registrierung ist erforderlich

OpenChain and The FOSS-LÄND Community Invite You To An Information Exchange

Want to get better at Open Source?

Open Source offers significant advantages for businesses, but effectively managing it with your developers, vendors, or within your software supply chain can be challenging. Whether you are new to the topic or a seasoned expert in open source management, we invite you to join us from April 7 to 9 in Stuttgart for a share and learn event. During this event, you will have the opportunity to:

• Hear from industry peers as they share their open source processes and best practices.
• Experience demonstrations from tool creators showcasing automated compliance solutions.
• Participate in technical sessions focused on overcoming common challenges in the field.
• Discover available support options from both the community and government resources.

OpenChain und The FOSS-LÄND Community laden zum Open Source Austausch ein

Wollen Sie die Open Source Reife Ihrer Organisation verbessern?

Open Source bietet allerhand Vorteile, aber ein effektives Open Source Management im Spannungsfeld zwischen Entwicklern, Zulieferern oder generell in der Software Lieferkette kann eine Herausforderung sein. Ob Sie nun neu in dem Thema sind oder schon langjährige Erfahrung haben, wir laden Sie vom 7. bis 9.April nach Stuttgart ein, um uns gegenseitig dazu auszutauschen und dazuzulernen. In unserem Event werden sich folgende Gelegenheiten bieten:

• Einblick in Open Source Prozesse anderer Organisationen und deren Erfahrungsberichte
• Überblick über frei verfügbare Open Source Automatisierungs-Tools zum korrekten Umgang mit Open Source inkl. Demonstrationen durch deren Entwickler
• Ausblick auf mögliche Lösungsräume zu geläufigen Open Source Management Herausforderungen durch Teilnahme an technischen Austausch-Runden
• Durchblick zu den vielfältigen Unterstützungs-Angeboten, die sich durch die Open Source Community im Allgemeinen und durch „The FOSS-LÄND“ für Baden-Württemberg im Besonderen ergeben.

Schedule and Locations / Ablauf und Veranstaltungsorte

Day 1 – 7th April 2025

13:00-19:00: Afternoon Meeting @ Venue 1

FORUM Haus der Architektinnen und Architekten (HdA)
(See “Venue and Travel” below for details)

19:00-21:00: Informal Socializing Event

Location: Venue 3
Restaurant AMADEUS
Charlottenplatz 17
70173 Stuttgart

Day 2 – 8th April 2025

08:00-16:45: Full-Day Meeting @ Venue 1

FORUM Haus der Architektinnen und Architekten (HdA)
(See “Venue and Travel” below for details)

Day 3 – 9th April 2025

08:00-16:45: Full-Day Meeting @ Venue 2

Bosch Digital | Lb079 (Halle 8)
(See “Venue and Travel” below for details)

Program / Programm

If you are having display issues with the program below, you can also find it on GitHub here.

Day 1

Day 2

Day 3

Please provide and discuss the topics for the Unconference / Hackathon on the Tooling Group mailing list: https://groups.io/g/oss-based-compliance-tooling

Venue and Travel

Venue 1 – Forum Haus der Architekten

FORUM Haus der Architektinnen und Architekten (HdA)
Danneckerstraße 54
70182 Stuttgart, Germany
https://www.akbw.de/kontakt/anfahrt

Distance to the airport: 12 kilometers / Public Transport 35-45 Minutes

Venue 2 – Bosch Digital | Lb079 (Halle 8)

Bosch Digital | Lb079 (Halle 8) 
Groenerstraße 5/1, 71636 
Ludwigsburg, Germany

Please use the standard entrance.

Distance to the airport: 40 kilometers / Public Transport 1 Hour 10 Minutes

Venue 3 – Restaurant AMADEUS Altes Waisenhaus

Restaurant AMADEUS
Charlottenplatz 17
70173 Stuttgart
https://www.amadeus-stuttgart.de/anfahrt/

Example Lodging Options in Stuttgart

We do not have contracted rooms at these properties and cannot guarantee rates or availability.

Hotel Motel One Stuttgart-Mitte

Close to the Stuttgart Main Station
Distance to venue 1: 2 kilometers / 26 Minutes Walk / Public Transport 16 Minutes 5 Stopps
Distance to venue 2: 16 kilometers / Public Transport 35 Minutes via S-Bahn
Lautenschlagerstraße 14, 70173 Stuttgart
+49 711 300209-0

Hotel Unger Stuttgart

Close to the Stuttgart Main Station
Distance to venue 1: 2,1 kilometers / 28 Minutes Walk / Public Transport 16 Minutes 5 Stopps
Distance to venue 2: 16 kilometers / Public Transport 35 Minutes via S-Bahn
Kronenstr. 17, 70173 Stuttgart
+49 711 20990

Connections to Essen for the FSFE Legal Workshop

For participants attending the FSFE Legal Workshop in Essen from the 9th of April, we will end Day 2 of our event at 16:45 on the 8th of April. This will allow for easy train connections to Essen. Here is a link to the train connections from Venue 1 to Essen via Stuttgart Main Station.

Q&A

• Who is the target audience of this event?​
  • Software developers, security professionals and OSPO representatives​
• What the event location?​
  • Day 1& 2 – Haus der Architekten in Stuttgart, Day 3 – Urban Harbor Ludwigsburg​
• What is the content about?
  • We will have presentations from community representatives and workshops all around Software Management in the Software Supply Chain. The event meant to be interactive and the concrete program will be developed and updated incrementally on this page until the event. The topic backlog is https://github.com/Open-Source-Compliance/Sharing-creates-value/blob/openchain_and_friends_2025_topic_backlog/Events/OpenChainAndFriends/Topic_backlog.md. Contributions are welcome.
• Can I already express my interest to join the event?​
  • Yes, the registration page is here: Register here / Hier registrieren
• Do I need to purchase a ticket?​
  • No, this is a free event but you are required to register for a ticket​
• Is this a Linux Foundation event?​
  • This is a community event co-hosted by the Linux Foundation’s OpenChain Project, and it will adhere to the Linux Foundation’s policies and code of conduct​
• Is the event language english?​ / Ist die Veranstaltungssprache englisch?
  • Yes, as we will have international participants, we plan to have english as event language, but for specific sessions we can also discuss to provide it in german (e.g. for people new to the topic) / Ja, wir haben internationale Teilnehmer, daher planen wir mit Englisch als Veranstaltungssprache. Aber wir können uns auch vorstellen bei entsprechendem Bedarf spezifische Themen (z.B. Themen für regionale Teilnehmer, die im Thema neu sind) auch in Deutsch / Schwäbisch 😉 zu machen.
• Target group is also SME / KMU – is this acc. to KMU 2003/361 with < 250 employees?
  • Concerning the event we would welcome also bigger companies but want to explicitly support the small and medium businesses with the content. Only the concrete The FOSS-LÄND offerings (e.g. vouchers/Beratungsgutschein etc.) are explicitly for SME / KMU in the region, see details in german only: https://www.transformationswissen-bw.de/beratung/beratungsgutschein
• CRA and NIS2 would be expected as topics & Will the new Software Product Liability Act be a topic?
  • We are currently collecting proposals from all sides (see question about content above with link to the topic backlog). The general questions about What and Why will be addressed in the opening presentation. You can also join the mailing list to pre-discuss the contents for the workshops/round-tables: https://groups.io/g/oss-based-compliance-tooling
• Is this event limited to the automotive supply chain only?
  • Via OpenChain we are open to more interested parties along other supply chains but want to explicitly support the small and medium businesses in the automotive supply chain (The FOSS-LÄND target group) in the region with the content. If there is bigger interest we can think about a follow-up in an extended setup., please feedback on the mailing-list https://groups.io/g/oss-based-compliance-tooling
• Is the Process Stream focussed on Software Development Processes?
  • While the process stream was originally meant for OSPO and Open Source Management Processes in the supply chain, the Software Development Process perspective may become relevant for the mapping of blueprints around tooling and the automated handling of non-functional requirements.
• Will there also be a “Community Stream” e.g. how to collaborate in communities, how to get your OSS project big?
  • There will be two sections in the target groups: A) new to the topic/management and B) advanced/experts => for the second section such a “Community Stream” could be covered e.g. by TODO Group and Good Governance Initiative contributions. Contributions are welcome, see “content question” above with the link to the topic-backlog.

Communities collaborating

Community	Homepage
AboutCode	https://www.aboutcode.org
AGL Automotive Grade Linux – OSPO Expert Group	https://lf-automotivelinux.atlassian.net/wiki/spaces/OSPO
DoubleOpen	https://www.doubleopen.org
Eclipse Apoapsis	https://eclipse-apoapsis.github.io/ort-server/
Eclipse SDV	https://sdv.eclipse.org/
Flutter DACH Community	https://www.meetup.com/de-DE/flutter-dach/
The FOSS-LÄND	https://www.e-mobilbw.de/automotive-software
Fossology	https://www.fossology.org/
InformatikForum Stuttgart	https://www.informatik-forum.org/
JAVA User Group Stuttgart	https://www.jugs.org/
LF Energy	https://lfenergy.org/
OpenChain	https://openchainproject.org/
OpenChain Open Source Tooling Group	https://oss-compliance-tooling.org/
OpenSSF	https://openssf.org/
OSADL	https://osadl.org/
Open Source Business Alliance OSBA	https://osb-alliance.de/
OSSelot	https://www.osselot.org/
OSS Review Toolkit	https://oss-review-toolkit.org/ort/
OWASP	https://owasp.org/
ScanOSS	https://github.com/scanoss
Software Heritage	https://www.softwareheritage.org/
Software Transparency Foundation	https://www.softwaretransparency.org/
TODO Group	https://todogroup.org/
Yocto Project	https://www.yoctoproject.org/

Netcore Cloud is the latest company to announce adoption of OpenChain ISO/IEC 18974, the international standard for open source security assurance.

“We are pleased to see a diversity of companies adopting ISO/IEC 18974,” says Shane Coughlan, OpenChain General Manager. “Our goal was always to create and support improved trust across the supply chain regardless of industry, and Netcore Cloud is an example of this in action. We look forward to next steps together in helping even more of the supply chain understand the need for and benefit of process standards for managing open source technology.”

About Netcore Cloud

Netcore Cloud is a global MarTech product company that helps B2C brands create amazing digital experiences with a range of products that help in acquisition, engagement, and retention. The first and leading AI/ML-powered marketing automation and customer engagement platform, Netcore Cloud was established in 1997 by Rajesh Jain, an internet pioneer. Today Netcore Cloud is revolutionizing the way marketing & product teams engage with the consumers.

Learn more at: https://netcorecloud.com/about-us/

About the OpenChain Project:

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation:

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.