OpenSSL Library Adopts New AI Contribution Policy
The OpenSSL Library published an AI policy on June 10, 2026, requiring contributors who use AI to provide a non-trivial portion of a contribution to sign an updated Contributor License Agreement (CLA) and declare AI use in each commit message via an Assisted-by trailer, according to the project's blog post. The post states that contributors who do not use AI and already signed the prior CLA do not need to re-sign. The updated CLA adds two new clauses: clause 8(c), which addresses AI-generated material not protected by copyright, and clause 9, requiring disclosure and attestation of AI tool use at submission time. The post cites copyright uncertainty, third-party infringement risk from AI training data, and AI-discovered OpenSSL vulnerabilities as rationale for the change.
What happened
The OpenSSL Library officially adopted an AI policy on June 10, 2026, according to the project's blog post. According to the post, the policy requires anyone who uses AI to provide a "non-trivial portion" of their contribution to do two things: sign an updated Contributor License Agreement (CLA) that includes AI-specific clauses, and declare AI use in each contribution's commit message using an Assisted-by trailer, as explained in the full policy. The post states that people who do not use AI and who have already signed the older CLA do not need to sign the new version.
CLA changes
The blog post describes two new CLA clauses. New clause 8(c) addresses AI-generated material that is not protected by copyright: where such material is included, the contributor does not represent it as owned intellectual property, and the Foundation accepts it on that basis. New clause 9 requires contributors who used AI to: disclose that use at submission, confirm they have reviewed and understood the AI-generated output, confirm compliance with the terms of any AI tools used, and attest that the contribution does not reproduce third-party material in a manner that would infringe IP rights. The previous clause 8 (notification of changed facts) has been renumbered to clause 10.
Why now - per the blog post
The post identifies three drivers: improvements in AI code assistants and an increase in AI-assisted pull requests in recent months; instances where AI models discovered vulnerabilities that were subsequently fixed in OpenSSL; and legal uncertainty around copyright of AI-generated works and the risk that AI output reproduces third-party training material, which raises infringement risk regardless of whether the output is itself protectable.
Industry context
Editorial analysis: Projects and maintainers across open-source ecosystems are increasingly codifying provenance and licensing rules for AI-assisted contributions. OpenSSL's choice of a commit-level Assisted-by trailer, combined with an explicit CLA update, formalizes provenance practices at a security-critical project whose policy choices carry outsized influence. Other security libraries and foundational open-source projects will watch whether enforcement of commit-level declarations and CLA re-signing proves workable at scale.
What to watch
Editorial analysis: Observers should monitor whether other major security libraries adopt similar commit-level provenance markers or CLA updates, and whether tooling and CI processes add verification or linting for Assisted-by trailers. Also watch community reactions around enforcement, edge cases for "non-trivial" AI use, and how downstream consumers interpret AI-assisted contributions in security-sensitive supply chains.
Scoring Rationale
OpenSSL is a high-impact, security-critical library whose contributor policy decisions influence norms across the open-source cryptographic ecosystem. Formalizing AI provenance via a CLA update and commit-level Assisted-by trailers is a notable and concrete policy step, though it is narrower in scope than a model release or regulatory milestone.

