The OpenSSL Library AI Policy

The OpenSSL Library has adopted an AI policy. To summarize:

The policy goes into greater detail about what constitutes “non-trivial” contributions and how to properly declare AI use.

Why are we implementing this policy and why now?

AI code assistants have been around for several years. Early on they were error-prone and veteran developers tended to avoid using the technology. In the last year or so the technology has made dramatic improvements. Notably, AI models have discovered many of the recent vulnerabilities that have been fixed in the OpenSSL Library. Engineers at the OpenSSL Corporation and OpenSSL Foundation have experimented with AI models to help with tedious tasks such as refactoring code.

In recent months we’ve also seen an increase in pull requests that seem to have been created using AI models, at least in part. This presented a problem with our Contributor License Agreement (CLA) which assumed:

  1. The contributor is the “author”.
  2. The contributor is able to grant the copyright and patent licenses set out in the CLA.
  3. The contributor can truthfully warrant that the code is original and does not infringe 3rd-party IP rights.

In most jurisdictions only a work created by a human author is copyrightable; work that is entirely AI-generated is generally not. Where a portion of a contribution isn’t protected by copyright, there is no copyright for the contributor to license — so rather than require ownership, the updated CLA has the contributor acknowledge that such material is not their owned IP and that the Foundation accepts it on that basis (new clause 8(c)). Separately, AI output may reproduce 3rd-party material from training data, which raises infringement risks regardless of whether the output itself is protectable.

What has been added to the CLAs?

The updated CLAs include two new clauses:

  1. Intellectual Property Ownership. You represent and warrant that: (a) You hold all rights necessary to grant the licenses in this Agreement in respect of Your Contribution, and Your Contribution, to the best of Your knowledge, will not give rise to any third-party intellectual property infringement claims against the Foundation or recipients of software distributed by the Foundation; (b) to the extent any portion of Your Contribution is protected by copyright, You are the author or owner of that portion, or are otherwise duly authorized to grant the licenses in this Agreement in respect of it; and (c) where any portion of Your Contribution was generated using generative artificial intelligence tools and is not protected by copyright, You do not represent that portion as owned intellectual property, and You understand that the Foundation accepts such material on that basis.

  2. If any part of Your Contribution was created with the assistance of generative artificial intelligence tools (including large language model-based tools), You represent that: (a) You have disclosed such use to the Project at the time of submission, in accordance with the Project’s contribution guidelines; (b) You have reviewed and understood the AI-generated output incorporated in the Contribution; (c) You have complied with the terms of use of any such tools, including any provisions relating to the ownership of outputs; and (d) to the best of Your knowledge, the Contribution does not reproduce or derive from any third-party material in a manner that would infringe third-party intellectual property rights.

The previous clause 8 concerning notification of any change in facts or circumstances has been renumbered to clause 10.

The full updated agreements can be read in their entirety: the Individual CLA (v1.1) and the Corporate CLA (v1.1).

Summary

Contributors to the OpenSSL Library who wish to use AI tools must familiarize themselves with the updated AI policy and sign the updated CLA. Note that the Corporate Contributor License Agreement (CCLA) has also been updated and will need to be completed for corporate contributors using AI.

If you have any questions about your situation, please ask on the OpenSSL Q&A Discussions.