What is an Open Source Program Office (OSPO)?

An open source program office (OSPO) is the competency center for an organization's open source strategy and operations.

An OSPO’s responsibilities

An OSPO sets policy on using and creating open source, provides organizational training and education on open source activities, and supports sustainable usage of and contribution to open source software.

96% of organizations reported that their OSPOs or OSS initiatives have driven significant improvements in software development best practices.
TODO Group, Open Source Program Office (OSPO) Survey, 2023

Why are OSPOs beneficial?

Accelerate quickly

The majority of enterprises rely on open source software in their business to build products faster. Imagine if every web developer had to create the server that their website ran on. How much longer would it take to build websites? The 2022 State of the Octoverse report found that 90% of businesses today rely on open source software. It’s everywhere, even if we don’t always realize it. 

Build securely

That ubiquity comes with a responsibility for keeping it secure. Synopsys recently found that almost half of open source codebases contained high-severity vulnerabilities. OSPOs give companies an opportunity not only to use open source software safely but also to be good stewards of it. 

Contribute strategically

That is why companies need to be more thoughtfully involved in open source. For a deeper understanding, check out “Five reasons why organizations should invest in open source.”

Top OSPOs

Mercedes-Benz

Bridging to Open Source, Attracting Talent

GitHub is the enabler that opens the door for the open-source world. And we hope this connection to the open source world will also help us attract new talent.

Adobe

Working closely with many organizations

We work closely with a lot of organizations. Instead of taking two weeks to contribute to external projects, we’ve cut the legal and technical process down to half a day.

SAP

Embracing Open Source DevOps

The shift to open source and technologies like Ansible, Jenkins, and more has helped define a new way of working for SAP. Their new DevOps model values efficiency over infrastructure maintenance and best-in-breed integrations over custom tooling.

GitHub’s latest news on OSPOs

Metrics for issues, pull requests and discussions

Track and monitor important metrics related to issues, pull requests, and discussions, such as time to first response, time to close, and more!

A checklist and guide to get your repository collaboration-ready

Whether you’ve been coding for a day or a decade, your colleagues are there to help strengthen your work. But they can only help if you’ve given them the tools to do so.

Do you know if all your repositories have up-to-date dependencies?

Consider deploying the GitHub Action: Evergreen so that you know each of your repositories is leveraging active dependency management with Dependabot.

Get involved

Learn, share and grow with the OSPO Community

TODO

TODO is a community of practitioners from Open Source Program Offices and similar open source initiatives.

OSPO++

OSPO++ is a network and a community of collaborative open source program offices in universities, governments, and civic institutions.

FINOS

FINOS is a community creating open source solutions for financial services.

Frequently asked questions

Why build an OSPO?

Compliance 

Modern organizations understand their increasing reliance on open source but have critical questions about risk and governance. OSPOs can raise and address questions such as:

  • What open source software do we use, and are we in compliance with its license requirements?

  • What open source software are we producing or contributing to?

  • Are all our open source dependencies up to date and patched against known vulnerabilities?

  • What open source projects could we use to accelerate our software development?

Contributions

Relying on open source can also mean participating in the community by contributing changes to the projects you depend on. These changes could be bug fixes, security patches, documentation updates, or new features. OSPOs help guide organizations and employees on best practices for contributing changes, particularly when the project requires an individual or corporate Contributor License Agreement.

Collaboration

OSPOs work to guide organizations through questions like these, connecting people, communities, and departments like legal, engineering, and security along the way. If these questions are important to your organization, consider building an OSPO.

How can an OSPO scale compliance across your organization?

OSPOs can help reduce legal risk by setting OSS policy, educating developers, and automating compliance. Developers can benefit from guidance on what project licenses are acceptable for specific use cases so that the business strategy is aligned with engineering decisions about when and how to use open source.

Can OSPOs accelerate development collaboration?

OSPOs play a key role in development collaboration. Promoting the use of open source within the organization generates development collaboration with employees and open source communities. OSPOs can also drive development collaboration by coordinating innersource programs where common needs across multiple teams are identified and solutions are developed and shared internally.  

How do innersource and open source program offices relate?

One part of what OSPOs do is to create a paved path for making company projects publicly available as open source. This aims to share openly with the world what may be beneficial to others. However, not all projects an organization develops are appropriate to share with the whole world, so innersource becomes an extension of the open source program that helps development collaboration grow but stays limited to the organization's staff. Both models accelerate development collaboration, although with different scopes. For example, establishing asynchronous development workflows is beneficial for both open source and innersource because it allows for collaboration that is not restricted by geography, timezone, or location. There is much more to say about innersource, available on the innersource resource page.

Are OSPOs just about consuming open source safely, or can they help bring new open source projects to life?

Open source compliance is just one part of what OSPOs do. It’s often the first thing an OSPO does, but it doesn’t stop there. OSPOs participate in the life of a new open source project by offering guidance, templates, and knowledge about what has served other open source projects well. Developers starting an open source project have excellent skill sets in creating the code and writing documentation, but supplementing those skills with community building, marketing, and at-scale maintainership can be pivotal in an open source project reaching its goals.

Where is the best place in the organization for an OSPO?

There is no one right answer, as it depends on each organization, though we’ve seen several different patterns. Common reporting structures include the OSPO within a research and development engineering department, directly under a Chief Technology Officer, or in the legal department. Alternatively, some organizations have opted for a virtual team model, where representatives from different departments make up a virtual OSPO. Regardless of organizational reporting structure, a successful OSPO must partner with a diverse set of departments within its organization. A deeper dive into this topic can be found in the Linux Foundation’s research on OSPOs.

Get started with your own OSPO

At GitHub, we take open source seriously. Not only does our OSPO manage GitHub's open source efforts, we've open sourced the OSPO itself. github-ospo is a collection of tools, processes, and best practices that our OSPO team uses to help us manage our open source initiatives. We are excited to release this project and share it with the broader community to help other organizations navigate the world of open source.
