Core Infrastructure Initiative

The Core Infrastructure Initiative (CII) is a program of The Linux Foundation focused on strengthening the security and sustainability of widely used open source software components that underpin global information technology infrastructure (software supply chain security / open source program).

  • Funds and supports security improvements for widely deployed open source projects that are foundational to the internet and enterprise IT (software supply chain security).
  • Runs the CII Best Practices Badge program, which evaluates open source projects against secure development and project governance criteria (secure software development / project governance).
  • Coordinates with industry, academia, and government stakeholders to identify and prioritize core open source components that require security and maintenance support (open source risk management).
  • Promotes practices for vulnerability disclosure, code review, testing, and documentation across critical open source projects (application security / DevSecOps).
  • Operates under The Linux Foundation to channel funding, expertise, and shared resources into sustaining critical open source infrastructure (open source sustainability / funding coordination).

More About Core Infrastructure Initiative

The Core Infrastructure Initiative (CII) is a collaborative program hosted by The Linux Foundation that focuses on improving the security, reliability, and sustainability of open source software that serves as core infrastructure for the internet and enterprise systems. It was created in response to exposed weaknesses in widely used components, with the goal of providing structured support to projects that are deeply embedded in production environments yet often maintained with limited resources.

CII addresses the problem space of software supply chain security and Open Source Risk Management (OSRM) (software supply chain security) by identifying open source projects that are broadly depended upon for encryption, networking, operating systems, and other foundational services. The initiative works with maintainers to fund security reviews, audits, developer time, documentation, testing, and related improvements. This model allows organizations that rely on critical open source components to pool resources through The Linux Foundation rather than engaging projects in an ad hoc or fragmented way.

One of the core capabilities of CII is the Best Practices Badge program (secure software development), which provides a structured set of criteria for open source projects covering areas such as version control, build and test automation, cryptographic practices, vulnerability reporting, code review, and project governance. Projects that meet these criteria can display a badge, which gives enterprises a simple, observable signal about the maturity of a project’s development and security practices. The criteria are published and versioned, allowing organizations to align internal open source policies with the same controls.

In enterprise and institutional environments, CII is used primarily as a reference and assurance mechanism. Security teams, open source program offices (OSPOs), and procurement functions can use CII Badges as one input when assessing third-party open source dependencies, especially for components that provide cryptographic libraries, protocol implementations, or core system utilities (risk assessment / compliance support). By aligning with CII criteria, internal projects can also benchmark against an externally defined set of practices.

CII operates within The Linux Foundation’s ecosystem, which includes other initiatives focused on security and open source governance. It interfaces with multiple stakeholders, including commercial vendors, cloud providers, financial institutions, and government agencies, to surface priority projects and coordinate funding (ecosystem coordination). The program also promotes reproducible builds, Continuous Integration (CI), and testing practices (DevSecOps), where these are relevant to supported projects.

From a directory perspective, the Core Infrastructure Initiative is categorized as an open source security and sustainability program, not a single software package. Its technical role centers on secure software development governance, software Supply Chain Risk Management (SCRM), and funding coordination for foundational open source infrastructure that is widely embedded in enterprise stacks.