[open-regulatory-compliance] Open Source Software Stewards and CRA Whitepaper: review in progress until November 20th

Dear all,
The "Open Source Software Stewards and CRA" White paper has reached a stage where it is ready for a general review, with the publication expected at the end of this month (end of November 2025).

The goal of the document is to provide our understanding on the operations of Open Source Stewards and their obligations. It ISN'T the goal to provide rules on deciding if an organization is a Steward or not.

If you're interested in the subject, it is the ideal moment to spend some time reading the document in order to provide your feedback.

The unified text of the white paper is:
https://github.com/orcwg/orcwg/blob/main/cyber-resilience-sig/whitepapers/stewards-and-cra.md

There are already discussions ongoing on various topics:
Whitepaper: additional clarifications on the Security Policy - on the content of the Security Policy
Whitepaper: more discussion on CSIRTs - on the definition of the CSIRT for a given Steward
Whitepaper: spelling fixes - the place for fixes of typos et al.
Whitepaper: clarify conflict resolution between reporters and developers - what to do when the Project and reporters do not agree
Whitepaper: clarify the Project-Steward relations - clarify all types of relations between Projects and Stewards we know, and how to apply the CRA rules in each case

Thank you everyone for the feedback so far and please keep it coming! We are heading towards a document with much interesting information for Stewards and Projects.

We will now be discussing improvements and incoming comments, with the final polishing after November 20th.

Kind regards,
Marta