Open Source Program Lead (OSPO) Interview Questions
5 exercises — choose the best-structured answer to common OSPO Lead interview questions. Focus on open source strategy, license compliance, contribution governance, community health, and upstream engagement.
Structure for OSPO Lead interview answers
Define the OSPO mandate: inbound (consuming OSS), outbound (releasing projects), and upstream engagement are three distinct functions
Explain license risk tiers: permissive (MIT, Apache 2.0), weak copyleft (LGPL), strong copyleft (GPL) — the business implications differ significantly
Quantify community health: contributor count, bus factor, response time, issue close rate — not just GitHub stars
Show strategic thinking: the OSPO should align with business strategy, not just manage legal risk
1 / 5
The interviewer asks: "What are the three core functions of an OSPO, and how do you balance them?" Which answer best explains the OSPO mandate?
Option B names all three functions with specific sub-activities under each, explains the urgency vs strategy tension (inbound is always urgent, outbound is strategic, upstream is chronically underfunded), and provides a concrete capacity allocation (40/30/30). Options A, C, and D name the functions at a surface level but do not explain the sub-activities, tensions, or prioritisation logic.
2 / 5
The interviewer asks: "How do you manage open source licence compliance at scale in a large organisation?" Which answer demonstrates the most mature compliance programme?
Option B covers all five programme components: a four-tier risk taxonomy with specific licence examples and their business implications, SCA tooling integrated into CI/CD with merge blocking, an approved dependency allowlist to reduce friction, an obligations register tied to product releases, and education as a scale multiplier. Option A describes tooling without a programme. Option C describes a single policy (GPL prohibition) without the broader taxonomy. Option D names a tool and adds legal escalation but lacks the programme design.
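The merge-blocking licence gate and approved-dependency allowlist described in Option B can be shown concretely. The script below is an added example written for this page, not any organisation's actual OSPO tooling: the four-tier taxonomy, the per-tier policy, the allowlist entries and the sample SBOM are all constructed, and a real programme would tune the tier assignments with counsel and feed the gate from its SCA tool's output.

```python
"""CI licence gate: classify each dependency's SPDX licence into a risk
tier and decide whether the merge may proceed.

Added illustration only. Tier assignments, policy and sample data are
constructed for this example, not taken from a real OSPO programme.
"""
from dataclasses import dataclass

# Four-tier risk taxonomy keyed by SPDX identifier (constructed subset).
TIER_OF = {
    "MIT": "permissive", "BSD-3-Clause": "permissive",
    "Apache-2.0": "permissive", "ISC": "permissive",
    "LGPL-2.1-only": "weak-copyleft", "LGPL-3.0-only": "weak-copyleft",
    "MPL-2.0": "weak-copyleft",
    "GPL-2.0-only": "strong-copyleft", "GPL-3.0-only": "strong-copyleft",
    "AGPL-3.0-only": "network-copyleft",
}
# Lower rank = fewer obligations. Anything not in TIER_OF is "unknown".
TIER_RANK = {"permissive": 0, "weak-copyleft": 1, "strong-copyleft": 2,
             "network-copyleft": 3, "unknown": 4}
# Policy for code linked into a distributed product (constructed).
POLICY = {"permissive": "allow", "weak-copyleft": "review",
          "strong-copyleft": "block", "network-copyleft": "block",
          "unknown": "review"}
# Approved-dependency allowlist: package -> recorded justification.
ALLOWLIST = {"gnu-build-helper": "build-time only, not distributed"}


@dataclass
class Finding:
    package: str
    license: str
    tier: str
    decision: str


def tier_of_expression(expr):
    """Resolve an SPDX licence expression to a single tier.

    'A OR B' lets the consumer choose, so take the least restrictive
    alternative; 'A AND B' imposes both, so take the most restrictive.
    SPDX binds AND tighter than OR, so split on OR first. Parentheses
    are stripped rather than parsed, which is enough for flat expressions.
    """
    expr = expr.replace("(", "").replace(")", "").strip()
    best = None
    for alternative in expr.split(" OR "):
        ranks = [TIER_RANK[TIER_OF.get(lic.strip(), "unknown")]
                 for lic in alternative.split(" AND ")]
        worst_in_alternative = max(ranks)
        if best is None or worst_in_alternative < best:
            best = worst_in_alternative
    return next(t for t, r in TIER_RANK.items() if r == best)


def evaluate(sbom):
    """Classify every (package, licence) pair and apply policy/allowlist."""
    findings = []
    for package, license_expr in sbom:
        tier = tier_of_expression(license_expr)
        decision = POLICY[tier]
        if package in ALLOWLIST and decision != "allow":
            # Exception recorded in the allowlist overrides the tier verdict.
            decision = "allow-exception"
        findings.append(Finding(package, license_expr, tier, decision))
    return findings


def gate(sbom):
    """Return (merge_ok, findings). Any 'block' fails the merge;
    'review' items pass the gate but must be routed to the obligations
    register for a human decision."""
    findings = evaluate(sbom)
    return all(f.decision != "block" for f in findings), findings


# Constructed SBOM excerpt: (package, SPDX licence expression).
SAMPLE_SBOM = [
    ("requests", "Apache-2.0"),
    ("left-pad", "MIT OR GPL-3.0-only"),      # dual-licensed: take MIT
    ("libfoo", "LGPL-2.1-only"),             # weak copyleft: review
    ("gnu-build-helper", "GPL-3.0-only"),    # blocked tier, but allowlisted
    ("mystery-lib", "Custom-EULA"),          # not in taxonomy: review
    ("agpl-store", "AGPL-3.0-only"),         # network copyleft: block
]

if __name__ == "__main__":
    ok, results = gate(SAMPLE_SBOM)
    for f in results:
        print(f"{f.decision:16} {f.tier:17} {f.package} ({f.license})")
    raise SystemExit(0 if ok else 1)
```

The non-zero exit status is what a CI job uses to block the merge; the `review` decisions are deliberately not blocking, so the gate produces friction only for tiers the policy actually prohibits, which is the point of pairing the taxonomy with an allowlist.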
3 / 5
The interviewer asks: "How do you measure the health of an open source project that your organisation sponsors or maintains?" Which answer provides the most complete health framework?
Option B provides a five-category health framework (contributor health including bus factor and diversity, responsiveness with specific thresholds, adoption beyond GitHub stars, security posture, governance maturity) with 14 specific metrics and what each indicates. The bus factor and contributor diversity metrics are the most important differentiators — they are what actually matters for a sponsor organisation. Options A and C rely primarily on vanity metrics (stars, forks) that measure popularity rather than health.
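The bus factor, organisational concentration and responsiveness metrics that Option B relies on can be computed from data any project already has. The code below is an added example for this page, not a metric definition from the original text or from any real project: the 50% bus-factor threshold, the choice of e-mail domain as a proxy for employer, and the commit and issue samples are constructed assumptions.

```python
"""Project health metrics from commit and issue data.

Added illustration. Thresholds, the e-mail-domain proxy for employer,
and all sample data are constructed for this example.
"""
from collections import Counter
from datetime import datetime, timedelta
from statistics import median


def bus_factor(commit_authors, share=0.5):
    """Smallest number of contributors who together account for at least
    `share` of all commits. Returns 0 for an empty history."""
    counts = Counter(commit_authors)
    total = sum(counts.values())
    if total == 0:
        return 0
    covered, factor = 0, 0
    for _, n in counts.most_common():
        covered += n
        factor += 1
        if covered >= share * total:
            return factor
    return factor


def top_org_share(commit_authors):
    """Fraction of commits from the single largest employer, using the
    e-mail domain as a (constructed) proxy for organisation."""
    domains = Counter(addr.split("@", 1)[1] for addr in commit_authors)
    total = sum(domains.values())
    return domains.most_common(1)[0][1] / total if total else 0.0


def responsiveness(issues):
    """Median hours to first maintainer response over answered issues,
    plus the count of issues that never received one."""
    hours = [(first - opened) / timedelta(hours=1)
             for opened, first in issues if first is not None]
    unanswered = sum(1 for _, first in issues if first is None)
    return (median(hours) if hours else None), unanswered


def health_report(commit_authors, issues, response_sla_hours=48):
    """Assemble the metrics and flag the two risks the text singles out:
    a bus factor of 1 and heavy dependence on one organisation."""
    med, unanswered = responsiveness(issues)
    report = {
        "bus_factor": bus_factor(commit_authors),
        "top_org_share": round(top_org_share(commit_authors), 2),
        "median_first_response_hours": med,
        "unanswered_issues": unanswered,
    }
    report["flags"] = [
        name for name, bad in (
            ("single_maintainer_risk", report["bus_factor"] <= 1),
            ("single_org_dependency", report["top_org_share"] >= 0.7),
            ("slow_response", med is not None and med > response_sla_hours),
        ) if bad
    ]
    return report


# Constructed commit log: author e-mail per commit (20 commits).
SAMPLE_COMMITS = (["alice@corp.example"] * 10 + ["bob@corp.example"] * 5
                  + ["carol@other.example"] * 3 + ["dan@uni.example"] * 2)
# Constructed issues: (opened, first maintainer response or None).
_t0 = datetime(2024, 1, 1)
SAMPLE_ISSUES = [
    (_t0, _t0 + timedelta(hours=2)),
    (_t0, _t0 + timedelta(hours=30)),
    (_t0, _t0 + timedelta(hours=100)),
    (_t0, None),
]

if __name__ == "__main__":
    for k, v in health_report(SAMPLE_COMMITS, SAMPLE_ISSUES).items():
        print(f"{k}: {v}")
```

Run against the constructed sample, the report shows a bus factor of 1 and 75% of commits from one domain, which is exactly the picture a star count would hide: a popular-looking project that a sponsor cannot safely depend on without investing in additional maintainers.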
4 / 5
The interviewer asks: "How do you develop and enforce a policy for employee contributions to external open source projects?" Which answer best covers the policy design?
Option B covers six policy components: contribution scope classification with three tiers and default approvals, IP clearance with SLA, CLA/DCO compliance automation, prohibited categories with escalation path, policy discoverability (where it lives matters), and measurement. The three-tier contribution classification with "job-related = pre-approved by default" is the key friction-reduction design that distinguishes a mature policy from a bureaucratic one. Options A, C, and D each describe one aspect (manager approval, IP clearance, encouragement) without the full policy architecture.
5 / 5
The interviewer asks: "How do you build an upstream engagement strategy for open source projects that the organisation depends on?" Which answer best explains the strategic approach?
Option B provides a five-part upstream strategy: dependency criticality mapping (scoring by breadth, bus factor, substitutability), risk-driven investment options (sponsorship, hiring contributors, governance participation), upstream-first development policy (with the maintenance cost argument for internal forks), contribution velocity tracking as an engineering health metric, and relationship building as a strategic enabler. Option A describes encouragement without strategy. Option C (fork and maintain) is the most expensive anti-pattern. Option D tracks usage but has no engagement strategy.