The OpenSSL Library AI Policy
The OpenSSL Library has adopted an AI policy. To summarize:
Anyone who uses AI to provide a non-trivial portion of their contributions to the OpenSSL Library must:
Sign an updated Contributor License Agreement (CLA) that includes the AI clauses.
Declare any AI use in the commit message of each contribution. This is done via an Assisted-by trailer as explained in the policy.
People who do not use AI, who have already signed the old CLA, do not need to sign a new CLA.
The policy goes into greater detail about what constitutes “non-trivial” contributions and how to properly declare AI use.
Why are we implementing this policy and why now?
AI code assistants have been around for several years. Early on they were error-prone and veteran developers tended to avoid using the technology. In the last year or so the technology has made dramatic improvements. Notably, AI models have discovered many of the recent vulnerabilities that have been fixed in the OpenSSL Library. Engineers at the OpenSSL Corporation and OpenSSL Foundation have experimented with AI models to help with tedious tasks such as refactoring code.
In recent months we’ve also seen an increase in pull requests that seem to have been created using AI models, at least in part. This presented a problem with our Contributor License Agreement (CLA) which assumed:
The contributor is the “author”.
The contributor is able to grant the copyright and patent licenses set out in the CLA.
The contributor can truthfully warrant that the code is original and does not infringe 3rd-party IP rights.
In most jurisdictions only a work created by a human author is copyrightable; work that is entirely AI-generated is generally not. Where a portion of a contribution isn’t protected by copyright, there is no copyright for the contributor to license — so rather than require ownership, the updated CLA has the contributor acknowledge that such material is not their owned IP and that the Foundation accepts it on that basis (new clause 8(c)). Separately, AI output may reproduce 3rd-party material from training data, which raises infringement risks regardless of whether the output itself is protectable.
What has been added to the CLAs?
The updated CLAs include two new clauses:
Intellectual Property Ownership. You represent and warrant that: (a) You hold all rights necessary to grant the licenses in this Agreement in respect of Your Contribution, and Your Contribution, to the best of Your knowledge, will not give rise to any third-party intellectual property infringement claims against the Foundation or recipients of software distributed by the Foundation; (b) to the extent any portion of Your Contribution is protected by copyright, You are the author or owner of that portion, or are otherwise duly authorized to grant the licenses in this Agreement in respect of it; and (c) where any portion of Your Contribution was generated using generative artificial intelligence tools and is not protected by copyright, You do not represent that portion as owned intellectual property, and You understand that the Foundation accepts such material on that basis.
If any part of Your Contribution was created with the assistance of generative artificial intelligence tools (including large language model-based tools), You represent that: (a) You have disclosed such use to the Project at the time of submission, in accordance with the Project’s contribution guidelines; (b) You have reviewed and understood the AI-generated output incorporated in the Contribution; (c) You have complied with the terms of use of any such tools, including any provisions relating to the ownership of outputs; and (d) to the best of Your knowledge, the Contribution does not reproduce or derive from any third-party material in a manner that would infringe third-party intellectual property rights.
The previous clause 8 concerning notification of any change in facts or circumstances has been renumbered to clause 10.
The full updated agreements can be read in their entirety: the Individual CLA (v1.1) and the Corporate CLA (v1.1).
Summary
Contributors to the OpenSSL Library who wish to use AI tools must familiarize themselves with the updated AI policy and sign the updated CLA. Note that the Corporate Contributor License Agreement (CCLA) has also been updated and will need to be completed for corporate contributors using AI.
If you have any questions about your situation, please ask on the OpenSSL Q&A Discussions.