The GVIP Project Plan

The GVIP plan is managed by the project group and may change as we proceed.

Overview: The three phases

What happened in phase one?

• The OWASP board initiated the project
• The OpenSSF vulnerability disclosures working group decided to join
• Eclipse Foundation and the Open Regulatory Compliance Workgroup joines
• The project was described in many conferences and meetings
• We had the first public community meeting
• We had a workshop at OWASP Appsec Barcelona in June 2025
• The project group decided to continue the project
• The Sovereign Tech Agency decided to support the project within the Sovereign Tech Resilience program

Phase two – gather everyone

Goals:

• Agreement on core requirements on organisation and process
• Agreement on procedural requirements
• Agreement on funding of work duing phase three and initial and regular funding of the new organisation
• Start work on technical requirements
• Create a group to lead work on technical requirements
• Finalise a first set of technical requirements for a platform
• Make a detailed plan for the work in Phase 3

Methods

• Define “membership” in project
• Organise open webinars to gather input and build consensus – GVIP Community meetings
  • General
  • Technology focused
• Organise summits to meet in person – GVIP Summit
• Get funding for future work
• Get papers as inspiration and base for tech work
• Set up a technical advisory group

In phase two we continue to work on the requirements, with a special focus on the organisational requirements. When those are set, the project needs to decide if there’s an existing organisation that meets the requirements or if a new organisation is needed.

Phase 3: Building the platform

Depending upon decision in phase 2, this phase may change or not be executed.

Potential Goals

• Found a new organisation
• Write specifications for the technical architecture
• Implement the core systems
• Work on establishing trust for a new organisation
• Fund the organisation for at least five years