Re: [Hyperledger Project TSC] CII Badge as graduation/1.0 requirement

Middleton, Dan

+1 from Dan Middleton.

For those that have not been exposed to the CII badge details you can look at existing projects (here is sawtooth's:, for example.)

Tom might be updating this imminently based on Dave's feedback during today's TSC meeting. At the moment, however, you can see where Tom was conservative in his answers to subjective questions like "All medium and high severity exploitable vulnerabilities discovered with static code analysis MUST be fixed in a timely way after they are confirmed."

I think the current wording of Dave's proposal recognizes that there are subjective questions in that list. Between the Hyperledger Security Maven role and the TSC we should apply appropriate scrutiny when it comes to "Not-applicable". I think trying to define and document that in absolute terms for all projects a priori will be less effective than just doing an interactive review with each project.


-----Original Message-----
From: [] On Behalf Of Gregory Haskins via hyperledger-tsc
Sent: Thursday, May 18, 2017 13:21
To: David Huseby <>
Cc: hyperledger-tsc <>
Subject: Re: [Hyperledger Project TSC] CII Badge as graduation/1.0 requirement

I don't really have a full understanding of what it entails to be CII compliant yet. With that caveat, this kind of formally/neutrally defined criteria and evaluation mechanism sounds like a reasonable condition for acceptance to me. I do think we should strive to classify, in advance, the rules in which we decide "applicable criteria" for a given type of proposal where possible so as to avoid the perception that the community is applying the rules unfairly.

+2 from me.

On Thu, May 18, 2017 at 12:15 PM, David Huseby via hyperledger-tsc <> wrote:
Thank you everybody for the discussion about my proposal. Because we
lost quorum right at the last minute, the decision was made to move
this discussion and vote to the mailing list. The amended proposal is this:

A team seeking to graduate from incubation shall have started the CII
Badge application and be nearly complete with incomplete badge
requirements referenced in their graduation proposal. 100% of the
applicable criteria for the CII Badge is a requirement for releasing a
1.0 of the project. That does not mean the project must have 100% of
all criteria, just 100% of the applicable criteria. This is to allow
for projects such as test harnesses, that have "N/A" answers for questions that don't offer that as an option.

If everybody is good with the proposal language, I ask Chris to
conduct an electronic vote on including this language in the
Hyperledger guidelines document and adopt this as evaluation criteria
for graduation and 1.0 approval.


David Huseby
Security Maven, Hyperledger
The Linux Foundation
Skype: dwhuseby
