Open Factory Initiative

Security and Software Supply Chain Approach

Security philosophy

Security is part of trustworthiness for factory intelligence. Secure development, dependency transparency, vulnerability response, and responsible release practices are core ecosystem responsibilities.

Vulnerability disclosure

The project should maintain a clear, documented reporting path for suspected vulnerabilities, and reports should follow coordinated disclosure: no public disclosure before maintainers have had the opportunity to investigate and respond.

Dependency management

Dependencies should be tracked, reviewed, updated responsibly, and evaluated for license, security, and supply-chain risk.

SBOM direction

The project should move toward software bill of materials (SBOM) practices, publishing a machine-readable inventory of what each release contains, as release discipline matures.
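As an added example for this section and the dependency management section above (illustrative code, not the project's own tooling): a script that turns a constructed dependency list into a minimal CycloneDX-style SBOM and then applies two of the review checks the page calls for, exact version pinning and a license allow-list. The package names, license values and the allow-list are assumptions made for the illustration; the output follows CycloneDX 1.5 JSON field names but is not validated against the schema.

```python
"""Build a minimal CycloneDX-style SBOM from a dependency list and review it.

Added example for this page, not code from the Open Factory Initiative.
Assumptions: the dependency list, the license values and the allow-list are
constructed for illustration; the SBOM layout follows CycloneDX 1.5 JSON
field names but is not validated against the schema.
"""
import json
import uuid
from datetime import datetime, timezone

# Constructed sample: the kind of data a lockfile plus a license scan yields.
# Package names other than requests/numpy are made up for the example.
DEPENDENCIES = [
    {"name": "requests", "version": "2.31.0", "license": "Apache-2.0"},
    {"name": "numpy", "version": "1.26.4", "license": "BSD-3-Clause"},
    {"name": "leftpad-lite", "version": "", "license": "MIT"},        # not pinned
    {"name": "some-gpl-lib", "version": "3.1.0", "license": "AGPL-3.0-only"},
]

# Constructed policy: licenses this hypothetical project is willing to ship.
ALLOWED_LICENSES = {"Apache-2.0", "BSD-3-Clause", "MIT", "ISC"}


def package_url(ecosystem, name, version):
    """Package URL (purl) for a component; the version part is optional."""
    purl = f"pkg:{ecosystem}/{name}"
    return f"{purl}@{version}" if version else purl


def build_sbom(deps, ecosystem="pypi"):
    """Return a CycloneDX 1.5 JSON-compatible dict for the given dependencies.

    Each component carries a purl so downstream tools can match it against
    vulnerability databases by identifier rather than by fuzzy name.
    """
    components = [
        {
            "type": "library",
            "name": d["name"],
            "version": d["version"],
            "purl": package_url(ecosystem, d["name"], d["version"]),
            "licenses": [{"license": {"id": d["license"]}}],
        }
        for d in deps
    ]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"timestamp": datetime.now(timezone.utc).isoformat()},
        "components": components,
    }


def review_sbom(sbom, allowed_licenses):
    """Return (component name, finding) pairs a reviewer should look at.

    Two checks: every component must be pinned to an exact version, and
    every declared license must be on the allow-list.
    """
    findings = []
    for c in sbom["components"]:
        if not c.get("version"):
            findings.append((c["name"], "unpinned version"))
        for entry in c.get("licenses", []):
            lic = entry.get("license", {}).get("id")
            if lic not in allowed_licenses:
                findings.append((c["name"], f"license {lic} not on allow-list"))
    return findings


if __name__ == "__main__":
    bom = build_sbom(DEPENDENCIES)
    print(json.dumps(bom, indent=2))
    for name, finding in review_sbom(bom, ALLOWED_LICENSES):
        print(f"REVIEW {name}: {finding}")
```

Run as a script it prints the SBOM and then two findings, one for the unpinned component and one for the license that is not on the allow-list. In a real pipeline the component list would come from the lockfile and the license field from a scanner, and the SBOM would be published beside the release artifact it describes.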

Code review and branch protection

Changes should be reviewed for functionality, documentation, test coverage, security impact, and compatibility with the public roadmap.

Secret management expectations

Contributors should not commit secrets, credentials, production connection strings, or sensitive factory data.
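One way to enforce this expectation before a commit lands, as an added example (not the project's own hook): a pre-commit style scanner over the contents of staged files. It carries a small illustrative rule set, two well-known secret shapes, a connection-string password, and a generic key/secret/token assignment that is only reported when the assigned value looks random. The sample file contents are constructed, the entropy threshold is a tuning guess, and production scanners (gitleaks, detect-secrets and similar) carry far larger rule sets.

```python
"""Pre-commit style scan for secrets in files about to be committed.

Added example for this page, not the Open Factory Initiative's tooling.
Assumptions: the detection rules are a small illustrative set, the sample
file contents are constructed, and the entropy threshold is a tuning guess
(real scanners such as gitleaks or detect-secrets carry far larger rule sets).
"""
import math
import re

# Illustrative rules: two well-known secret shapes, one connection-string
# shape, and a generic "<key/secret/token> = value" assignment.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "connection_string_password": re.compile(r"""(?i)\b(?:password|pwd)\s*=\s*[^;\s'"]+"""),
    "generic_assignment": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*['"]?([A-Za-z0-9_\-/+=]{16,})"""
    ),
}


def shannon_entropy(s):
    """Entropy in bits per character: random tokens score high, words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(ch) / n) * math.log2(s.count(ch) / n) for ch in set(s))


def scan_text(path, text, entropy_threshold=4.0):
    """Return (path, line number, rule) findings for one file's contents.

    The generic rule fires only when the assigned value looks random, so a
    placeholder such as "changeme-in-prod" does not trip the check.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, rx in PATTERNS.items():
            m = rx.search(line)
            if m is None:
                continue
            if rule == "generic_assignment" and shannon_entropy(m.group(1)) < entropy_threshold:
                continue
            findings.append((path, line_no, rule))
    return findings


def scan_files(files):
    """Scan a {path: text} mapping, as a pre-commit hook would scan staged files."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample of staged files. The AWS key ID is the one AWS uses in
# its own documentation; every other value is made up for the example.
SAMPLE_FILES = {
    "config/settings.py": 'API_KEY = "9fJ3kQ7pLx2vB8nZ4wT6yR1mC5sH0dGa"\nDEBUG = False\n',
    "deploy/hist.env": 'HIST_CONN="Server=plc-hist01;Database=hist;User Id=svc;Password=Sup3rS3cret!;"\n',
    "tests/fixtures.py": 'TOKEN = "changeme-in-prod"\nAWS_EXAMPLE = "AKIAIOSFODNN7EXAMPLE"\n',
    "docs/notes.md": "Nothing sensitive here.\n",
}


if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for path, line_no, rule in hits:
        print(f"{path}:{line_no}: {rule}")
    raise SystemExit(1 if hits else 0)  # a non-zero exit blocks the commit
```

Against the constructed files the scan reports three hits (the random-looking API key, the historian connection string with an embedded password, and the AWS key ID) and stays quiet on the low-entropy placeholder, which is the trade-off the entropy gate buys: fewer false positives on test fixtures at the cost of missing short or dictionary-like secrets, so the gate should be paired with the explicit patterns rather than replace them.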

Release integrity direction

Future releases should document versioning, changelogs, integrity checks (such as published checksums that consumers can verify), and provenance expectations.
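As an added example of what a consumer-side integrity check looks like (illustrative code, not the project's release tooling): verifying a release artifact against a sha256sum-format checksum file and against an in-toto Statement carrying SLSA-style provenance. The artifact bytes, the checksum file, the provenance statement and the builder identity are all constructed here, and the example deliberately stops short of signature verification, which a real pipeline must perform on both files before trusting them.

```python
"""Verify a release artifact against its published checksums and provenance.

Added example for this page, not the Open Factory Initiative's release
tooling. Assumptions: the artifact bytes, the SHA256SUMS text and the
provenance statement are constructed here; the statement uses the in-toto
Statement v1 layout with a SLSA v1 predicate, and no signature is checked,
which a real release pipeline must also do before trusting either file.
"""
import hashlib
import hmac
import json

# Constructed release: an artifact and the files a release page would publish.
ARTIFACT_NAME = "ofi-sdk-0.1.0.tar.gz"  # hypothetical artifact name
ARTIFACT_BYTES = b"constructed tarball bytes for the example\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT_BYTES).hexdigest()

# sha256sum(1) format: "<hex digest>  <file name>", one entry per line.
SHA256SUMS = (
    f"{ARTIFACT_SHA256}  {ARTIFACT_NAME}\n"
    f"{'0' * 64}  other-file.zip\n"
)

# in-toto Statement wrapping a SLSA provenance predicate for the artifact.
TRUSTED_BUILDER = "https://example.invalid/constructed-builder"
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": ARTIFACT_NAME, "digest": {"sha256": ARTIFACT_SHA256}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {"buildType": "https://example.invalid/constructed-build"},
        "runDetails": {"builder": {"id": TRUSTED_BUILDER}},
    },
}


def parse_sha256sums(text):
    """Parse sha256sum output ('<hex>  <name>' or '<hex> *<name>') into a dict."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # second separator is ' ' (text) or '*' (binary)
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest on line: {line!r}")
        sums[name] = digest
    return sums


def verify_artifact(name, data, sums_text):
    """True only if the artifact's SHA-256 equals the published entry for it."""
    expected = parse_sha256sums(sums_text).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)


def verify_provenance(name, data, statement, trusted_builder):
    """True if the statement covers exactly this artifact and a trusted builder.

    Checks the Statement type, a subject whose name and sha256 digest match
    the bytes in hand, and that the builder id is the one the project trusts.
    """
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        return False
    actual = hashlib.sha256(data).hexdigest()
    covered = any(
        s.get("name") == name and s.get("digest", {}).get("sha256") == actual
        for s in statement.get("subject", [])
    )
    if not covered:
        return False
    builder = statement.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id")
    return builder == trusted_builder


if __name__ == "__main__":
    ok = verify_artifact(ARTIFACT_NAME, ARTIFACT_BYTES, SHA256SUMS)
    prov = verify_provenance(ARTIFACT_NAME, ARTIFACT_BYTES, PROVENANCE, TRUSTED_BUILDER)
    print(json.dumps(PROVENANCE, indent=2))
    print(f"checksum ok: {ok}, provenance ok: {prov}")
```

The checksum check only proves the bytes match what the publisher listed; the provenance check adds who built them and ties the statement to the exact digest, so a statement copied from a different release or a builder outside the trusted set is rejected even when the digest line itself is fine.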

Threat modeling direction

Security planning should consider data flows, integrations, read-only boundaries, contributor risk, dependency risk, and manufacturing/OT context.

Manufacturing/OT security boundary awareness

Early work should prioritize simulated data, read-only patterns, and clear separation from process control and source-system writeback.

Current limitations

This page describes the intended security and supply-chain approach for an early-stage open-source project. It does not claim that every control is fully implemented.

Adopting organizations remain responsible for their own cybersecurity review, intended-use assessment, network architecture, quality approval, and site-specific validation before using any software in a manufacturing environment.

View repository security policy