fastify · jsumners · Oct 30, 2023 · Oct 21, 2023 · jsumners · Oct 22, 2023
diff --git a/SECURITY.md b/SECURITY.md
@@ -130,3 +130,30 @@ work as a member of the Fastify Core team.
 * [__KaKa Ng__](https://github.com/climba03003)
 * [__James Sumners__](https://github.com/jsumners),
   <https://twitter.com/jsumners79>, <https://www.npmjs.com/~jsumners>
+
+## OpenSSF CII Best Practices
+
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/7585/badge)](https://bestpractices.coreinfrastructure.org/projects/7585)
+
+There are three “tiers”: passing, silver, and gold.
+
+### Passing
+We meet 100% of the “passing” criteria.
+
+### Silver
+We meet 87% of the “silver” criteria. The gaps are as follows:
+  - we do not have a DCO or a CLA process for contributions.
 <a id="developers-certificate-of-origin"></a> 
 ## Developer's Certificate of Origin 1.1 
 By making a contribution to this project, I certify that: 
 * (a) The contribution was created in whole or in part by me and I have the 
   right to submit it under the open source license indicated in the file; or 
 * (b) The contribution is based upon previous work that, to the best of my 
   knowledge, is covered under an appropriate open source license and I have the 
   right under that license to submit that work with modifications, whether 
   created in whole or in part by me, under the same open source license (unless 
   I am permitted to submit under a different license), as indicated in the file; 
   or 
 * (c) The contribution was provided directly to me by some other person who 
   certified (a), (b) or (c) and I have not modified it. 
 * (d) I understand and agree that this project and the contribution are public 
   and that a record of the contribution (including all personal information I 
   submit with it, including my sign-off) is maintained indefinitely and may be 
   redistributed consistent with this project or the open source license(s) 
   involved. 
 <a id="developers-certificate-of-origin"></a> 
 ## Developer's Certificate of Origin 1.1 
  
 By making a contribution to this project, I certify that: 
  
 * (a) The contribution was created in whole or in part by me and I have the 
   right to submit it under the open source license indicated in the file; or 
  
 * (b) The contribution is based upon previous work that, to the best of my 
   knowledge, is covered under an appropriate open source license and I have the 
   right under that license to submit that work with modifications, whether 
   created in whole or in part by me, under the same open source license (unless 
   I am permitted to submit under a different license), as indicated in the file; 
   or 
  
 * (c) The contribution was provided directly to me by some other person who 
   certified (a), (b) or (c) and I have not modified it. 
  
 * (d) I understand and agree that this project and the contribution are public 
   and that a record of the contribution (including all personal information I 
   submit with it, including my sign-off) is maintained indefinitely and may be 
   redistributed consistent with this project or the open source license(s) 
   involved. 
+  - we do not currently document
+    “what the user can and cannot expect in terms of security” for our project.
+  - we do not currently document ”the architecture (aka high-level design)”
+    for our project.
+
+### Gold
+We meet 70% of the “gold” criteria. The gaps are as follows:
+  - we do not yet have the “silver” badge; see all the gaps above.
+  - We do not include a copyright or license statement in each source file.
+    Efforts are underway to change this archaic practice into a
+    suggestion instead of a hard requirement.
+  - There are a few unanswered questions around cryptography that are
+    waiting for clarification.
+