@@ -0,0 +1,102 @@
## Project incubation application

### Project has met all Sandbox requirements

* The project was an existing project (CII Best Practices Badge) that pre-existed OpenSSF and was transferred to OpenSSF upon its formation. It has since operated as an OpenSSF project under the Best Practices Working Group, effectively meeting and exceeding Sandbox-level operational requirements.

### List of project maintainers

*The project must have a minimum of three maintainers with a minimum of two different organizational affiliations.*

For our purposes, maintainers are those who are a member of the Best Practices Badge TSC (see [docs/TSC.md](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/TSC.md)) or have commit rights to the repository.

* David A. Wheeler, The Linux Foundation, @david-a-wheeler (TSC)
* Christopher "CRob" Robinson, The Linux Foundation, @SecurityCRob (TSC)
* Tony Hansen, AT&T, @TonyLHansen (TSC)
* Toine Siebelink, Ericsson, @toine-at-est (TSC)
* Andrew Fader, Yagni Corporation, @andrewfader
* Jason Dossett, Institute for Defense Analyses, @jdossett

### Mission of the project

*The project must be aligned with the OpenSSF mission and either be a novel approach for existing areas, address an unfulfilled need, or be code needed to deliver OpenSSF WG work. It is preferred that extensions of existing OpenSSF projects collaborate with the existing project rather than seek a new project.*

* The mission of the project is to identify best practices for Free/Libre and Open Source Software (FLOSS) and implement a badging system for those best practices. This encourages projects to apply best practices and helps users determine which FLOSS projects do so, thereby improving the overall security and quality of the open source ecosystem.

### Alignment with the OpenSSF MVSSR

*The mission of the Project must be aligned with the [Mission, Vision, Values, Strategy, and Roadmap (MVVSR)](https://openssf.org/about/) of the OpenSSF. Please indicate to which of the three strategies and four pillars of the OpenSSF the Project contributes to.*

Strategies: *i) Catalyst for Change*, *ii) Educate and Empower the Modern Developer*, *iii) Ecosystem Leader*

* **Catalyst for Change**: The project encourages the adoption of security best practices across thousands of projects, driving systemic improvement in the OSS supply chain.
* **Educate and Empower the Modern Developer**: It provides clear, actionable criteria and guidance on how to secure FLOSS projects, empowering developers to improve their project's security posture.
* **Ecosystem Leader**: By establishing a widely recognized standard for the metal criteria security levels, and by providing an easy mechanism for confirming and displaying project status against criteria, the project leads the ecosystem in defining what a secure OSS project looks like.

Pillars: *i) Programs & Projects, ii) Education, iii) Public Policy, iv) Community & Events*

* **Programs & Projects**: The project is a core OpenSSF initiative that provides direct value to the community through its badging platform. This is the primary pillar this project supports.
* **Education**: It teaches developers about security vulnerabilities and defensive coding through its detailed criteria and rationales.

### Project adoption

*The project should be able to show adoption by multiple parties and the adoption's value to the open source community and/or end users (may include adoption of beta/early versions).*

* [Over 10,000 projects participate in the OpenSSF Best Practices Badge](https://www.bestpractices.dev/en/project_stats). These include many high-profile projects such as the Linux kernel, Node.js, Kubernetes, and Curl. It serves as a standard way for projects to demonstrate their commitment to security best practices. Over 20% of projects pursuing the badge reach the "passing" level as of 2026-05-12, showing it is a meaningful and rigorous standard.

### Governance

*Project must have met publicly at least 5 times in the last quarter since becoming Sandbox.*

* The project is part of the OpenSSF Best Practices Working Group (WG). Its public meetings are part of the WG and primarily follows its meeting schedule. It has consistently reported to and been part of this working group since this working group began.
* **Link to public meeting notes (or ideally recordings)**: Meeting notes are available through the [OpenSSF Best Practices WG repository](https://github.com/ossf/wg-best-practices-os-developers).
* Project-specific governance is provided by the Best Practices Badge Technical Steering Committee (TSC). This group does not normally meet synchronously (that's handled in the WG), but instead works asynchronously via email.

*Projects must have documented, initial project governance*

* Governance is documented in [docs/governance.md](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/governance.md) and the [Technical Charter](https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/Best-Practices-Badge-Technical-Charter-Final-2024-04-30.pdf).

*Project must have defined Contributor Guide*

* The contributor guide is available in [CONTRIBUTING.md](https://github.com/coreinfrastructure/best-practices-badge/blob/main/CONTRIBUTING.md).

*Project has attained an OpenSSF Best Practice Badge at "passing" level*

* The project has attained its own "passing" badge: [https://bestpractices.coreinfrastructure.org/projects/1](https://bestpractices.coreinfrastructure.org/projects/1). In fact, this project has earned a gold badge and baseline-3.

*Project is integrated into the OpenSSF Scorecard*

* The project is integrated into OpenSSF Scorecard: [https://scorecard.dev/viewer/?uri=github.com/coreinfrastructure/best-practices-badge](https://scorecard.dev/viewer/?uri=github.com/coreinfrastructure/best-practices-badge).

### IP policy and licensing due diligence

*When contributing an existing Project to the OpenSSF, the contribution must undergo license and IP due diligence by the Linux Foundation (LF). This step is only needed for the initial donation and only applicable here, if the project intends to join the OpenSSF Incubation stage.*

* The project is an LF project and always has been. It was originally created within the Core Infrastructure Initiative (CII) and thus its license and IP due diligence have always been under the purview of the Linux Foundation. This did not change in its transition from CII to OpenSSF.

### Security Baseline

*The project meets all applicable Security Baseline requirements:*

* [x] [Security Baseline - Once Sandbox](https://github.com/ossf/tac/blob/main/process/security_baseline.md#security-baseline---once-sandbox)
* [x] [Security Baseline - To Become Incubating](https://github.com/ossf/tac/blob/main/process/security_baseline.md#security-baseline---to-become-incubating)

### Project References

*The project should provide a list of existing resources with links to the repository, website, a roadmap, contributing guide, demos and walkthroughs, and any other material to showcase the existing breadth, maturity, and direction of the project.*

| Reference | URL |
|---------------------|-----|
| Repo | https://github.com/coreinfrastructure/best-practices-badge |
| Meeting Agenda | https://github.com/ossf/wg-best-practices-os-developers |
| OSSF Calendar Entry | https://openssf.org/calendar/ |
| Website | https://www.bestpractices.dev |
| Contributing guide | https://github.com/coreinfrastructure/best-practices-badge/blob/main/CONTRIBUTING.md |
| Security.md | https://github.com/coreinfrastructure/best-practices-badge/blob/main/SECURITY.md |
| Roadmap | https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/roadmap.md |
| Demos | https://www.bestpractices.dev |
| Best Practices Badge | https://bestpractices.coreinfrastructure.org/projects/1 |
| Scorecard integration | https://scorecard.dev/viewer/?uri=github.com/coreinfrastructure/best-practices-badge |
| API Documentation | https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/api.md |
| Admin Guide | https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/admin.md |
| Background & Research | https://github.com/coreinfrastructure/best-practices-badge/blob/main/docs/background.md |
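Review bot: The Security Baseline section ticks both boxes under "The project meets all applicable Security Baseline requirements" but, unlike every other requirement in this application, gives no evidence; add a link or a short note per item showing how it is met (the badge entry at https://bestpractices.coreinfrastructure.org/projects/1, the Scorecard viewer already cited, and the SECURITY.md already listed in the references table would cover most of it). Two smaller points in the same hunk: the heading "### Alignment with the OpenSSF MVSSR" should read "MVVSR" to match the "Mission, Vision, Values, Strategy, and Roadmap (MVVSR)" link on the line below it, and "a widely recognized standard for the metal criteria security levels" under Ecosystem Leader is unclear; state which badge levels are meant (the text elsewhere names "passing" and "gold"). Finally, the answer to "Project must have met publicly at least 5 times in the last quarter since becoming Sandbox" says meetings happen within the WG but never states that at least five occurred; a sentence giving the count, or a link to the dated WG meeting notes, would close that, and "primarily follows its meeting schedule" should be "primarily follow" since the subject is "meetings".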