Open Source Contribution Policy Template

This Open Source Contribution Policy (the “Policy”) is adopted by [Company Name] as of [Effective Date].

1. Purpose

1.1 Goal. This Policy defines the rules and approval process for contributing to open source projects while protecting company confidential information and intellectual property.
1.2 Scope. This Policy applies to employees, contractors, and others who contribute to open source projects on behalf of [Company Name] or using company resources.

2. Definitions

2.1 Contribution. Any code, documentation, patch, pull request, issue report, design asset, or other submission made to an external open source project.
2.2 Company Resources. Company devices, accounts, email, networks, time (during work hours), or any work product created for the Company.
2.3 Confidential Information. Non-public information about the Company, including source code, product plans, customer information, security details, and internal processes.
2.4 Open Source Project. A project released under an open source license and hosted publicly (e.g., GitHub, GitLab).

3. General Rules

3.1 No Confidential Information. Contributors must not disclose Company Confidential Information or proprietary code.
3.2 Use Approved Accounts. Contributions on behalf of the Company must use: ☐ Company-managed accounts ☐ Personal accounts with disclosure: [Rules].
3.3 Export Controls (Optional). Contributors must follow export control and sanctions rules applicable to sharing software internationally, if applicable to the Company.
3.4 Security Considerations. Do not publish vulnerabilities or security-sensitive details outside approved disclosure processes.

4. Approval Requirements

4.1 Approval Needed (Default). Approval is required before submitting a Contribution when:

• it includes Company-developed code or materials,

• it relates to a Company product or customer work,

• it is made during work hours or using Company resources,

• it requires signing a CLA or other legal terms, or

• it may expose IP, security, or compliance risk.
  4.2 Pre-Approved Contributions (Optional). Certain contributions may be pre-approved, such as:

• typo fixes, documentation-only changes, or non-functional changes, within limits: [Define].
  4.3 Approver(s). Approvals are granted by: [OSS Committee / Legal / Engineering Lead], depending on risk.

5. Contribution Review Workflow

5.1 Request Submission. Before contributing, submit a request including:

• project name and link,

• description of the Contribution,

• files/modules affected,

• license of the project (if known),

• whether a CLA is required, and

• whether the Contribution includes Company code or was created using Company resources.
  5.2 Technical Review. Engineering will review for code quality, security, and removal of confidential information.
  5.3 Legal/License Review (If Needed). Legal/Compliance will review license impact, CLA terms, and IP concerns.
  5.4 Approval Decision. Outcome: ☐ Approved ☐ Approved with conditions ☐ Rejected.
  5.5 Recordkeeping. Approved contributions must be logged in: [Tracker/Tool] with approver, date, and conditions.

6. IP Ownership and Licensing

6.1 Company IP. Work created within scope of employment or using Company resources may be Company-owned; contributions must be approved accordingly.
6.2 Project License Acceptance. Contributions will be made under the project’s license and contribution rules; contributors must not agree to additional terms without approval.
6.3 No Patent Grants (Optional). Contributors may not grant patent rights beyond what is required by approved terms, unless authorized.
6.4 Third-Party IP. Contributors must not submit code they do not have the right to contribute.

7. Contributor License Agreements and Terms

7.1 CLAs. If a project requires a CLA, it must be reviewed and signed by: ☐ Legal ☐ Authorized officer ☐ Contributor (only if approved).
7.2 No Unauthorized Agreements. Contributors must not accept click-through terms, DCO/CLA, or other legal commitments on behalf of the Company without approval if those terms bind the Company.
7.3 Documentation. Signed CLAs and approvals must be stored at: [Location].

8. Security and Vulnerability Disclosure

8.1 No Public Vulnerability Disclosure. Security issues must be handled through responsible disclosure processes.
8.2 Security Review. Contributions affecting security-sensitive areas require additional review by: [Security team].
8.3 Dependency Risk. If a contribution introduces a new dependency, follow the OSS approval policy: [Policy reference].

9. Branding and Communications

9.1 No Public Statements (Optional). Contributors must not speak as an official Company representative unless authorized.
9.2 Brand Use. Use of Company name/logo in OSS projects requires permission from: [Marketing/Legal].
9.3 Press/Announcements. Public announcements about contributions require approval: ☐ Yes ☐ No ☐ Only for major releases.

10. Compliance, Audits, and Training

10.1 Audits. The Company may periodically review public contributions made on its behalf.
10.2 Training. Required training frequency: ☐ Onboarding ☐ Annual ☐ Other: [Frequency].
10.3 Violations. Violations may result in corrective actions, including removal of contributions where possible.

11. Exceptions

11.1 Exception Requests. Exceptions must be requested in writing and approved by: [Approver/Committee].
11.2 Documentation. Exceptions must include scope, reason, risk assessment, mitigations, and an expiration date.

12. Policy Administration

12.1 Owner. Policy owner: [Team/Role].
12.2 Review Cycle. This Policy will be reviewed: ☐ Annually ☐ Every [__] months ☐ As needed.
12.3 Updates. Updates must be approved by: [Approver/Role].

Signatures

By signing below, the undersigned acknowledge they have read and agree to comply with this Open Source Contribution Policy.

Company Representative: [Name]
Title: [Title]
Date: [Date]
Signature: ___________________________

Employee/Contractor: [Name]
Title/Role: [Role]
Date: [Date]
Signature: ___________________________