<ul>

  <li class="CopyleftCompliance"><a href="/copyleft-compliance/">Copyleft Compliance</a></li>

  <li class="VizioTopBar"><a href="/copyleft-compliance/vizio.html">Vizio Lawsuit</a></li>

  <li class="FIXME"><a href="/projects/">Member Projects</a></li>

  <li class="Outreachy"><a href="https://outreachy.org">Outreachy</a></li>

  <li class="FOSSY"><a href="/fossy/">FOSSY</a></li>

</ul>

{% extends "base_standard.html" %}

{% load static %}

{% block outercontent %}

  <div class="lh-title ttu tracked tc bg-gray"

       style="margin: -0.5rem -1rem 0; background: #24243d url('{% static "usethesource/stars.jpg" %}'); background-size: cover; background-position: 50%; overflow: auto">

  </div>

  <div class="mw8 center ph2 ph3">

    {% block content %}{% endblock %}

  </div>

  <div class="f7 mw8 center ph2 ph3 mt4 mb3">

    <p class="tc black-50 i">Header image adapted from <a href="https://commons.wikimedia.org/wiki/File:Stars_01_(MK).jpg" class="black-50 normal underline">Stars 01</a> by Mathias Krumbholz (CC BY-SA 3.0 Deed). Icons adapted from <a href="https://thenounproject.com/icon/magnifying-glass-304610/" class="black-50 normal underline">Magnifying Glass</a> by Rohith M S, <a href="https://thenounproject.com/icon/magnifying-glass-6485038/" class="black-50 normal underline">Magnifying Glass</a> by icondesign178 and <a href="https://thenounproject.com/icon/upload-6493826/" class="black-50 normal underline">Upload</a> by sureya from Noun Project (CC BY 3.0)</p>

  </div>

{% endblock outercontent %}

{% extends "usethesource/base.html" %}

{% block content %}

  {{ block.super }}

  <h1>Timelines for CCIRT email submission and notifications</h1>

  <p>We at SFC are providing an opportunity for companies who want to be notified of source candidates of theirs that we plan to post to <a href="..">Use The Source</a> to provide us with the email address of their Copyleft Compliance Incident Response Team (CCIRT), which we will email when we receive a new source candidate for the company that we plan to post.  If we have a CCIRT email address on a file for a given company, we will email this address if we receive a source candidate from that company, and then wait at least 7 days for a reply - if an updated candidate is received, we will post that, otherwise we will post the candidate that we notified the CCIRT team about as-is.</p>

  <p>As discussed in <a href="/blog/2024/feb/03/ccirt-security-and-software-right-to-repair/">our blog post</a>, the CCIRT is an important part of an organization's <abbr title="Open Source Program Office">OSPO</abbr> or cybersecurity team.  SFC hopes that companies will treat any reports from SFC with the same urgency as any security vulnerabilities they are made aware of, since failure to provide complete source code severely impedes users' and third party repair companies' ability to fix them.</p>

  <p>Based on our decades of GPL compliance experience, we expect that many of the source code candidates we receive from the public will be incomplete.  SFC cannot immediately validate nor invalidate any of those claims due to the vast number of devices on the market.  But we are willing to engage with companies' CCIRTs so they have a chance to (re-)review these candidates if they wish, before SFC publishes them.</p>

  <p>We are providing a 30-day window, starting on February 3, 2024 (and ending at 23:59 <abbr title="Anywhere on Earth">AoE</abbr> on March 4, 2024), in which companies can send us the email address of their CCIRT (to <a href="mailto:compliance@sfconservancy.org">compliance@sfconservancy.org</a> with Subject "CCIRT contact") so we can contact this team about any source candidates we receive, giving them 7 calendar days to confirm all potential copyleft licenses issues are resolved.  At the end of these 7 days, we will publish the updated source candidate (if we receive one), or the original (if no update is received).  If we have no contact registered, the source candidate will be published without any grace period following the initial 30-day window.</p>

  <p><img src="/img/ccirt-initial.png" alt="initial CCIRT process, showing 30-day and 7-day windows" /></p>

  <p>After this initial 30-day window, companies can still send us the email address of their CCIRT and, after we receive this email address, we will give them 7 calendar days from the first notification of an incomplete source candidate to resolve the issue.  However, it is best for companies to let us know about their CCIRT before this 30-day window ends in case there are any pending source candidates to publish when that 30-day window ends.  The process after these 30 days is as follows:</p>

  <p><img src="/img/ccirt-ongoing.png" alt="ongoing CCIRT process, showing standard 7-day window" /></p>

  <p>For the avoidance of doubt, and to hopefully prevent a wave of last-minute CCIRT submissions on the final day of this 30-day window, SFC is providing for 7 calendar days after the 30-day window ends (so 37 days from February 3, or until 23:59 <abbr title="Anywhere on Earth">AoE</abbr> on March 11, 2024), to any company that provides the email address of their CCIRT at any time during this 30-day window, the option to correct its source candidates before we publish them.  So it is beneficial for companies to inform us of their CCIRT sooner rather than later, so they have as much of that 37 days as possible to correct all copyleft compliance issues.  SFC looks forward to working with all the CCIRTs who register with us.</p>

{% endblock content %}

{% extends "usethesource/base.html" %}

{% block content %}

  {{ block.super }}

  <section class="f4 pv2 mt4 mb3">

    <div class="flex flex-wrap mb4" style="gap: 1rem">

      <a href="#candidates" class="db f3 ttu tc ph4 pv1 btn-orange mb2 flex items-center justify-center" style="flex-grow: 1">

        <span class="mr2" style="flex-shrink: 1">View the candidates</span>

        <svg version="1.1" x="0px" y="0px" viewBox="-255 347 70 70" xml:space="preserve" xmlns="http://www.w3.org/2000/svg" style="width: 60px; padding: 15px 0" fill="currentColor"><path d="m -253.8,415.8 c 1.6,1.6 4.1,1.6 5.7,0 l 15,-15 c 5,3.8 11.3,6.2 18.1,6.2 16.6,0 30,-13.4 30,-30 0,-16.6 -13.4,-30 -30,-30 -16.6,0 -30,13.4 -30,30 0,6.8 2.3,13.1 6.2,18.1 l -15,15 c -1.6,1.6 -1.6,4.1 0,5.7 z M -215,353 c 13.3,0 24,10.7 24,24 0,13.3 -10.7,24 -24,24 -13.3,0 -24,-10.7 -24,-24 0,-13.3 10.7,-24 24,-24 z" /><path d="m -202.77458,376.73992 h -17.24 c -0.83,0 -1.5,0.67 -1.5,1.5 0,0.83 0.67,1.5 1.5,1.5 h 17.24 c 0.83,0 1.5,-0.67 1.5,-1.5 0,-0.83 -0.67,-1.5 -1.5,-1.5 z" /><path d="m -214.74458,372.14992 c 0,0.83 0.67,1.5 1.5,1.5 h 17.24 c 0.83,0 1.5,-0.67 1.5,-1.5 0,-0.83 -0.67,-1.5 -1.5,-1.5 h -17.24 c -0.82,0 -1.5,0.67 -1.5,1.5 z" /><path d="m -217.19458,372.14992 c 0,-0.83 -0.67,-1.5 -1.5,-1.5 h -8.25 c -0.83,0 -1.5,0.67 -1.5,1.5 0,0.83 0.67,1.5 1.5,1.5 h 8.25 c 0.82,0 1.5,-0.67 1.5,-1.5 z" /><path d="m -225.79458,377.16992 c -0.28,0.28 -0.44,0.67 -0.44,1.06 0,0.4 0.15,0.78 0.44,1.06 0.28,0.28 0.66,0.44 1.06,0.44 0.4,0 0.78,-0.16 1.06,-0.44 0.14,-0.14 0.25,-0.3 0.33,-0.48 0.07,-0.19 0.11,-0.38 0.11,-0.58 0,-0.39 -0.16,-0.78 -0.44,-1.06 -0.56,-0.56 -1.57,-0.56 -2.12,0 z" /></svg>

      </a>

      <a href="#submit-a-candidate" class="db f3 ttu tc ph4 pv1 btn-orange mb2 flex items-center justify-center" style="flex-grow: 1">

        <span style="flex-shrink: 1">Submit a candidate</span>

        <svg xmlns="http://www.w3.org/2000/svg" version="1.1" x="0px" y="0px" viewBox="0 5 100 100" xml:space="preserve" style="width: 90px; vertical-align: middle" fill="currentColor"><g><path d="M49.67,65.06c1.1,0,2-0.9,2-2V27.28l12.47,12.47c0.39,0.39,0.9,0.59,1.41,0.59s1.02-0.2,1.41-0.59   c0.78-0.78,0.78-2.05,0-2.83L51.08,21.03c-0.38-0.38-0.88-0.59-1.41-0.59s-1.04,0.21-1.41,0.59L32.37,36.92   c-0.78,0.78-0.78,2.05,0,2.83c0.78,0.78,2.05,0.78,2.83,0l12.47-12.47v35.79C47.67,64.17,48.56,65.06,49.67,65.06z"/><path d="M73.66,47.77H61.23c-1.1,0-2,0.9-2,2s0.9,2,2,2h12.43c1.21,0,2.19,0.98,2.19,2.19v19.41c0,1.21-0.98,2.19-2.19,2.19H26.34   c-1.21,0-2.19-0.98-2.19-2.19V53.96c0-1.21,0.98-2.19,2.19-2.19H40.1c1.1,0,2-0.9,2-2s-0.9-2-2-2H26.34   c-3.41,0-6.19,2.78-6.19,6.19v19.41c0,3.41,2.78,6.19,6.19,6.19h47.33c3.41,0,6.19-2.78,6.19-6.19V53.96   C79.85,50.54,77.08,47.77,73.66,47.77z"/></g></svg>

      </a>

    </div>

    <p>Software Freedom Conservancy works for your right to repair and modify the software on your devices. <strong>Use The Source</strong> shows you how we evaluate the source code candidates  companies must provide for GPLed software. Join us as we highlight common issues in source candidates, and what companies need to do to fix them.  Check out the options below, or subscribe to our <a href="https://lists.sfconservancy.org/mailman/listinfo/ccs-review">mailing list</a> to participate in the public discussion on these candidates.</p>

  </section>

  <h2 id="submit-a-candidate" class="f2 lh-title ttu mt0 mb2">Submit a Candidate</h2>

  <p>One crucial way to get involved is to let us know about any source candidates you find!  Many devices have an offer for source code (check the manual or device's user interface to find it) and we'd be very interested to know what they send you when you request it.  Here are the steps to submit a new source candidate to list on this page:</p>

  <ol class="pl4">

    <li class="mb2">find a source candidate offered by a company - normally this is offered to you in the manual or user interface of your device, through a link or email address (the company's GitHub page is not canonical, unless they explicitly say so in this offer)</li>

    <li class="mb2"><a href="https://usl-upload.sfconservancy.org/s/4Ykmx7rSGMJ7s43">upload the source candidate</a> to us - write down the file name(s) you uploaded for the next step (can be multiple), and upload a firmware image if you have it and are ok with us publishing it</li>

    <li class="mb2">email us at <a href="mailto:compliance@sfconservancy.org">compliance@sfconservancy.org</a> with the following details:

      <div class="bg-black-10 mt2 pv2 ph3">

        <code>

        Subject: candidate to add: [brand/model]<br><br>