Are we allowed to contribute to external open source projects?

Short answer

Yes, under defined conditions. Contributing to external open source projects is permitted and encouraged within a formal authorization process designed to protect the organization’s intellectual property while enabling responsible community engagement.

Detailed explanation

Why contribute back?

Contributing to open source is not just a matter of good citizenship — it is a strategic decision:

  • Influence the direction of projects we depend on.
  • Reduce technical debt by avoiding the maintenance burden of private forks.
  • Attract talent — developers actively look at a company’s public contributions when evaluating employers.
  • Improve code quality through community review.
  • Build reputation in the ecosystems that matter to our business.

Types of contributions covered

This process applies to all external contributions, including:

  • Code (patches, new features, refactoring)
  • Documentation
  • Bug reports (issues) that may contain information about our infrastructure
  • Participation in a project’s governance discussions

Authorization process

Minor contributions (< 100 lines, obvious fixes)

For low-impact contributions (typo fixes, simple bugfixes, documentation improvements that reveal no sensitive information), self-declaration to your direct manager is sufficient.

Significant contributions

For any substantial contribution:

  1. Initial assessment

    • Does the code contain differentiating intellectual property?
    • Does the contribution reveal details about our internal architecture?
    • Does the target project require signing a Contributor License Agreement (CLA)?
  2. Submit a request to the OSPO

    • Fill in the contribution request form (available on the OSPO intranet page).
    • Describe the target project, the nature of the contribution, and the volume of code.
    • The OSPO will respond within business days.
  3. Legal review if required

    • The OSPO consults the legal department for contributions involving patents, proprietary algorithms, or sensitive data.
  4. Publishing

    • Contributions must be submitted from a professional email address or an identifiable organizational GitHub account.
    • Copyright remains the property of the organization unless otherwise agreed.

Licenses and CLAs

A contribution policy typically covers:

  • Allowed licenses for target projects (preference for projects under OSI-approved licenses).
  • Management of Contributor License Agreements (CLAs) — some projects (particularly those under the Linux Foundation or Apache) require an organization-level CLA. The OSPO manages these agreements centrally.
  • Inbound license — by default, the contribution is granted under the same license as the target project.

Best practices for a successful contribution

  • Start small — don’t aim for massive contributions from the outset. Build a track record of small, high-quality contributions first.
  • Respect the project’s culture — each community has its own conventions (code style, review process, communication channels).
  • Respond promptly to maintainer feedback to maximize the chance of acceptance.
  • Write clear commit messages — communication quality matters as much as code quality.

Common pitfalls

  • Contributing from a personal email without authorization — the contribution may be considered personal, creating ambiguity over code ownership.
  • Signing an individual CLA on behalf of the organization — only the OSPO or the legal department can commit the organization to a corporate CLA.
  • Publishing code tied to a confidential project — even an apparently harmless patch may reveal sensitive architectural details.
  • Not checking license compatibility between the contribution and the target project.

See also