Source: letsdatascience.com | Topic: ai-policy

OpenSSL Library Adopts New AI Contribution Policy

The OpenSSL Library adopted a new AI contribution policy on June 10, 2026, requiring contributors who use AI to sign an updated Contributor License Agreement and declare AI use in commit messages via an Assisted-by trailer. The policy addresses copyright uncertainty, third-party infringement risk, and AI-discovered vulnerabilities in the security-critical open-source project.

Published Jun 18, 2026 · 3 min read

The OpenSSL Library published an AI policy on June 10, 2026, requiring contributors who use AI to provide a non-trivial portion of a contribution to sign an updated Contributor License Agreement (CLA) and declare AI use in each commit message via an Assisted-by trailer, according to the project's blog post. The post states that contributors who do not use AI and already signed the prior CLA do not need to re-sign. The updated CLA adds two new clauses: clause 8(c), which addresses AI-generated material not protected by copyright, and clause 9, requiring disclosure and attestation of AI tool use at submission time. The post cites copyright uncertainty, third-party infringement risk from AI training data, and AI-discovered OpenSSL vulnerabilities as rationale for the change.

What happened

The OpenSSL Library officially adopted an AI policy on June 10, 2026, according to the project's blog post. The post requires anyone who uses AI to provide a "non-trivial portion" of their contribution to do two things: sign an updated Contributor License Agreement (CLA) that includes AI-specific clauses, and declare AI use in each contribution's commit message using an Assisted-by trailer, as explained in the full policy. The post states that people who do not use AI and who have already signed the older CLA do not need to sign the new version.

CLA changes

The blog post describes two new CLA clauses. New clause 8(c) addresses AI-generated material that is not protected by copyright: where such material is included, the contributor does not represent it as owned intellectual property, and the Foundation accepts it on that basis. New clause 9 requires contributors who used AI to: disclose that use at submission, confirm they have reviewed and understood the AI-generated output, confirm compliance with the terms of any AI tools used, and attest that the contribution does not reproduce third-party material in a manner that would infringe IP rights. The previous clause 8 (notification of changed facts) has been renumbered to clause 10.

Why now - per the blog post

The post identifies three drivers: improvements in AI code assistants and an increase in AI-assisted pull requests in recent months; instances where AI models discovered vulnerabilities that were subsequently fixed in OpenSSL; and legal uncertainty around copyright of AI-generated works and the risk that AI output reproduces third-party training material, which raises infringement risk regardless of whether the output is itself protectable.

Industry context

Editorial analysis: Projects and maintainers across open-source ecosystems are increasingly codifying provenance and licensing rules for AI-assisted contributions. OpenSSL's choice of a commit-level Assisted-by trailer, combined with an explicit CLA update, formalizes provenance practices at a security-critical project whose policy choices carry outsized influence. Other security libraries and foundational open-source projects will watch whether enforcement of commit-level declarations and CLA re-signing proves workable at scale.

What to watch

Editorial analysis: Observers should monitor whether other major security libraries adopt similar commit-level provenance markers or CLA updates, and whether tooling and CI processes add verification or linting for Assisted-by trailers. Also watch community reactions around enforcement, edge cases for "non-trivial" AI use, and how downstream consumers interpret AI-assisted contributions in security-sensitive supply chains.

Scoring Rationale

OpenSSL is a high-impact, security-critical library whose contributor policy decisions influence norms across the open-source cryptographic ecosystem. Formalizing AI provenance via a CLA update and commit-level Assisted-by trailers is a notable and concrete policy step, though it is narrower in scope than a model release or regulatory milestone.
