We believe that everyone should have access to information about malicious open source. That is why we maintain a completely free feed and API that include a threat description, payload and version details, and evidence. OpenSourceMalware is a community-driven platform dedicated to protecting the open source ecosystem. We bring together security researchers, developers, and organizations to identify, document, and share intelligence about malicious packages, repositories, and resources. By fostering collaboration and transparency, we aim to make the software supply chain safer for everyone. These guidelines define the conduct we expect from every contributor.

Core values

We prioritize accuracy over speed. Verify threats thoroughly before reporting. False positives can harm innocent developers and undermine trust in the platform.
Security research is collaborative. Share knowledge, provide constructive feedback, and help others improve their submissions. We are stronger together.
Treat all community members with respect. Disagreements happen, but personal attacks, harassment, and toxic behavior have no place in our community.
We operate openly. Report processes, verification criteria, and community standards are publicly documented. Decisions are made fairly and can be appealed.

Expected behavior

Every contributor is expected to uphold the following standards:
  • Verify before reporting: Thoroughly investigate potential threats before submission.
  • Provide evidence: Support your reports with verifiable evidence and sources.
  • Be constructive: Offer helpful feedback and suggestions to improve reports.
  • Respect privacy: Do not share personal information about threat actors unnecessarily.
  • Stay on topic: Keep discussions focused on security research and threat intelligence.
  • Acknowledge mistakes: If you submit a false positive, acknowledge it and learn from it.
  • Give credit: Acknowledge prior work and sources when building on others’ research.

Prohibited behavior

The following actions violate our community standards and may result in enforcement action:
  • Submitting false reports: Deliberately reporting legitimate packages as malicious.
  • Harassment: Targeting individuals with abuse, threats, or persistent unwanted contact.
  • Spam: Flooding the platform with low-quality or duplicate submissions.
  • Gaming the system: Attempting to manipulate points or reputation through fraudulent means.
  • Sharing exploits: Posting functional exploit code without coordinated disclosure.
  • Doxxing: Publishing private information about individuals without consent.
  • Impersonation: Pretending to be another person or organization.

Responsible disclosure

We follow responsible disclosure practices when handling security vulnerabilities:
  • Report first, publish later: Submit threats through OSM before making any public disclosure.
  • Allow time for response: Give maintainers reasonable time to address issues when possible.
  • Coordinate with registries: We work with package registries to remove malicious content.
  • Protect users: Public disclosure happens once threats are contained, or if maintainers are unresponsive.
Malicious packages created by threat actors — not legitimate maintainers — can be disclosed immediately. There is no good-faith party to coordinate with in those cases.

Enforcement

Violations are handled on a case-by-case basis. Penalties range in severity depending on the nature and history of the offense:
  1. Warning: First-time minor violations receive a formal warning.
  2. Temporary suspension: Repeated violations or moderate offenses result in temporary account suspension.
  3. Permanent ban: Severe violations or repeated offenses after suspension lead to permanent removal from the platform.

Violating reports are removed from the platform and do not count toward your reputation score.

Appeals: If you believe an enforcement action was made in error, appeal by contacting us through the Contact page. All appeals are reviewed by administrators.
Last updated: January 2025