Advanced · 6 topic areas · 25+ exercises

OSPO Manager

OSPO (Open Source Program Office) Managers lead the organization's open source strategy — ensuring license compliance, managing the open source security posture through SBOM, writing contribution policies, and building internal culture around open source. Their English work involves writing governance policies, presenting compliance risk reports to legal, communicating open source strategy to the board, and writing contribution guidelines. This path covers the specialized vocabulary of open source governance and program management.

Topics covered

  • License compliance
  • SBOM & supply chain security
  • CLA management
  • Contribution policy
  • OSS security
  • Internal OSS advocacy

Vocabulary spotlight

4 terms every OSPO Manager should know in English:

SBOM n.

Software Bill of Materials — a formal, machine-readable inventory of all open source and third-party components in a software product, including their versions, licenses and dependency relationships, typically produced in the SPDX or CycloneDX format

"Our SBOM generation pipeline runs on every build, giving us an up-to-date inventory for the compliance team and enabling rapid response when a new CVE is published."
CLA n.

Contributor License Agreement — a legal document that contributors sign before their code can be merged into an open source project, granting the project specific rights to the contribution

"We automated CLA checking in the GitHub Actions pipeline so contributors are reminded to sign before their PR can be merged."
license compliance n.

The practice of ensuring that all open source software used or distributed complies with the terms of each component's license — including attribution, copyleft obligations, and distribution restrictions

"The license compliance audit identified three GPL-licensed components in our commercial product that required immediate remediation."
copyleft n.

A class of open source licenses (GPL, LGPL, AGPL) that require derivative works to be released under the same license. Strong copyleft licenses (GPL, AGPL) extend that obligation to any program that incorporates the licensed code, which is why they create compliance obligations when used in commercial products; weak copyleft licenses (LGPL) confine it to modifications of the licensed component itself; AGPL additionally treats making the software available over a network as a trigger for the source-sharing obligation

"The security library uses AGPL, which is a strong copyleft license — using it in our SaaS product would require us to open-source our entire application."
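Putting the SBOM and copyleft entries above into working code: the following is an added Python example, not part of this learning path and not code from any OSPO tool. It parses a constructed CycloneDX JSON SBOM, classifies each component's SPDX license against a hypothetical approval policy (permissive, weak copyleft, strong copyleft, network copyleft), applies that policy differently for a SaaS deployment and a shipped binary, and flags components whose version is below the first fixed version in a constructed advisory feed. The package names, versions and advisory ids are made up; the license sets, the `audit` function and the assumption that versions are purely numeric dotted strings are all choices of this example.

```python
"""Audit a CycloneDX SBOM against a license policy and a vulnerability feed.

Added example, not code from the page or any OSPO tool. Assumptions: the SBOM is
CycloneDX JSON with SPDX ids on components, versions are numeric dotted strings,
and the feed is a constructed list of (purl-without-version, first-fixed-version,
advisory-id) tuples.
"""
import json

# Constructed sample SBOM (not from any real build); names and versions are made up.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "web-framework", "version": "2.3.1",
     "purl": "pkg:pypi/web-framework@2.3.1",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "crypto-utils", "version": "1.8.0",
     "purl": "pkg:pypi/crypto-utils@1.8.0",
     "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    {"type": "library", "name": "db-driver", "version": "3.0.0",
     "purl": "pkg:pypi/db-driver@3.0.0",
     "licenses": [{"license": {"id": "LGPL-3.0-only"}}]},
    {"type": "library", "name": "yaml-parser", "version": "5.3.1",
     "purl": "pkg:npm/yaml-parser@5.3.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "image-codec", "version": "0.9.2",
     "purl": "pkg:npm/image-codec@0.9.2",
     "licenses": [{"license": {"name": "Proprietary"}}]}
  ]
}
"""

# Hypothetical license policy: SPDX ids grouped by obligation class.
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later"}
NETWORK_COPYLEFT = {"AGPL-3.0-only", "AGPL-3.0-or-later"}

# Constructed advisory feed: a component is affected when its version < first fixed version.
VULN_FEED = [
    ("pkg:npm/yaml-parser", "5.4.0", "EXAMPLE-VULN-1"),    # 5.3.1 is affected
    ("pkg:pypi/web-framework", "2.3.0", "EXAMPLE-VULN-2"), # 2.3.1 already fixed
]


def classify_license(spdx_id: str) -> str:
    """Map an SPDX id (or free-text name) to the policy's obligation class."""
    if spdx_id in PERMISSIVE:
        return "permissive"
    if spdx_id in WEAK_COPYLEFT:
        return "weak-copyleft"
    if spdx_id in STRONG_COPYLEFT:
        return "strong-copyleft"
    if spdx_id in NETWORK_COPYLEFT:
        return "network-copyleft"
    return "unknown"


def parse_version(version: str) -> tuple:
    """Numeric dotted versions only (assumption): '5.3.1' -> (5, 3, 1)."""
    return tuple(int(part) for part in version.split("."))


def split_purl(purl: str) -> tuple:
    """'pkg:npm/yaml-parser@5.3.1' -> ('pkg:npm/yaml-parser', '5.3.1')."""
    base, _, version = purl.rpartition("@")
    return base, version


def component_licenses(component: dict) -> list:
    """SPDX ids of a CycloneDX component, falling back to the free-text name."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or "NOASSERTION")
    return ids


def audit(sbom_json: str, vuln_feed: list, distribution: str = "saas") -> list:
    """Return (component, finding-type, detail) tuples.

    "saas": code runs as a network service, so AGPL's network clause applies but
    GPL's distribution-triggered obligations do not. "binary": the product ships,
    so GPL and AGPL components are blocked and LGPL ones are queued for a
    linking review. Licenses outside the policy always need manual review.
    """
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        name = comp["name"]
        base, version = split_purl(comp["purl"])
        for lic in component_licenses(comp):
            cls = classify_license(lic)
            if cls == "unknown":
                findings.append((name, "license-review", lic))
            elif cls == "network-copyleft":
                findings.append((name, "license-block", lic))
            elif cls == "strong-copyleft" and distribution == "binary":
                findings.append((name, "license-block", lic))
            elif cls == "weak-copyleft" and distribution == "binary":
                findings.append((name, "license-review", lic))
        for feed_base, fixed_in, advisory in vuln_feed:
            if feed_base == base and parse_version(version) < parse_version(fixed_in):
                findings.append((name, "vulnerability", advisory))
    return findings


if __name__ == "__main__":
    for finding in audit(SBOM_JSON, VULN_FEED, distribution="saas"):
        print(*finding, sep="\t")
```

Run as a script it prints one tab-separated line per finding for the SaaS case: the AGPL component is blocked, the component with no SPDX id is sent for review, and the npm parser below its fixed version is reported as vulnerable, while the permissive component on a fixed version produces nothing. Rerunning with `distribution="binary"` additionally surfaces the LGPL driver for a linking review; in a real pipeline the same function would run on every build against the SBOM the build emits and a live advisory feed.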

📚 Vocabulary Reference

Key terms organised by category for OSPO Managers:

Licenses

open source license, permissive license, copyleft, GPL, LGPL, AGPL, MIT, Apache 2.0, BSD, license compatibility

Compliance & SBOM

license compliance, SBOM, CycloneDX, SPDX, attribution, distribution obligation, license audit, dependency scanner, REUSE, OSS license review

Contribution & Governance

CLA, DCO, contribution policy, IP assignment, dual licensing, governance model, open source program office, OSPO, internal open source, inner source

OSS Security

supply chain security, dependency vulnerability, CVE, OpenSSF Scorecard, SLSA, Sigstore, dependency pinning, lock file, transitive dependency, known vulnerability

Recommended exercises

Real-world scenarios you'll practise

  • Writing an OSS use policy: documenting the approved license categories, copyleft obligations, and approval process for new open source dependencies
  • Presenting a license compliance audit to legal and the board: explaining GPL copyleft risk, identified violations, and remediation timeline
  • Writing an open source contribution policy: defining what employees can contribute, the IP assignment process, and the approval workflow for new projects
  • Presenting the SBOM program to the CISO: explaining how SBOM generation, storage, and vulnerability monitoring work together to manage OSS supply chain risk
