Kiteworks Open Source Program Office
Our Commitment to Open Source
Kiteworks is consolidating all of its open-source activities under the Open Source Program Office, operating under the ownCloud brand. That single decision reflects something larger: the acquisition of ownCloud was an investment not just in software, but in the idea that the future of collaboration should be built on federation, sovereignty, and openness. The OSPO is where we formalize that conviction with a published Governance Charter, a formal Vulnerability Disclosure Program, a Developer Certificate of Origin contribution model, and the dedicated product, engineering, community, and security resources required to keep open source healthy in production. With the ownCloud Desktop Client, we now offer our first fully open-source application to our entire customer base. That is a first step, and we are building on it.
Why Open Source?
We see open source not as a business model but as a social contract, one that we sustain through commercial investment. Innovation must be shared. Trust must be earned through transparency. Technology must serve the greater good, not just commercial interests. Here is what that means in practice for the organizations that rely on our platforms.
Championing Digital Sovereignty by Design
Sovereignty cannot be achieved through contractual agreements with a SaaS provider. It requires architectural control: the ability to deploy on chosen infrastructure, audit every line of code, enforce policy through programmable rules, and operate independently of any vendor’s roadmap, pricing, or corporate actions. The OSPO exists to protect that architectural guarantee. Full source code and Software Bill of Materials are transparent. Deployment happens on infrastructure the organization controls. Open standards such as WebDAV, OIDC, Open Cloud Mesh, and LibreGraph prevent the vendor lock-in that turns every acquisition and pricing change into a business risk.
Building Trust Through Transparency and Open Governance
Proprietary software asks customers to trust its security posture. Open source lets them verify it.
Architectural decisions are published as ADRs in the repository. Dependencies are tracked through a formal Software Bill of Materials process. Contributions use the Developer Certificate of Origin, which keeps intellectual property ownership with the people who wrote the code. When a regulator, an auditor, or a security team asks how the Kiteworks OSPO handles disclosure, patching, or attribution, the answer is a published process, not a marketing claim.
Enabling Cross-Organizational Collaboration Without Lock-In
Collaboration should not stop at the organizational boundary, and it should not require both sides to adopt the same proprietary vendor. Our commitment to open standards is what makes cross-organizational workflows possible: Open Cloud Mesh for federated sharing between independent deployments, ScienceMesh for European research network integration, Webfinger for multi-instance identity. Each organization maintains sovereign control of its own data while collaborating across boundaries. That is interoperability with integrity and the opposite of the vendor ecosystems that make your collaboration portfolio a liability.
Driving Sustainable Innovation for the Greater Good
The best infrastructure software of the past two decades (Linux, Kubernetes, PostgreSQL, Apache) was built in the open because no single vendor could have produced it alone. ownCloud belongs to that tradition, and Kiteworks intends to sustain it. We fund the roadmap, contribute upstream to the open source components we depend on, and invest in the community infrastructure that turns a codebase into a living commons. Open source is a force for good, a way to empower communities, strengthen institutions, and ensure that innovation is accessible to all. The OSPO is how we honor that commitment organizationally.
Everything you need to get started with the Kiteworks Open Source Program Office: our commitments to the open-source community, how you can engage, and more.
Vision & Mission
The north star: ownCloud as the digital sovereignty backbone, open source as a social contract.
Foreword
Tim Freestone’s executive pledge that buying ownCloud was buying into an idea, not just software.
Manifesto
Twelve documents. Every commitment, every boundary, every uncomfortable truth. Read them and hold us to it.
Lessons Learned
A candid confession about the ownCloud forks, and what unheard voices cost a project.
Governance Charter
The rulebook, honestly labelled “aspirational” and admitting Kiteworks steers the roadmap.
Code of Conduct
The community compact, with actual teeth for moderators to remove persistent offenders.
Engagement
How ownCloud treats contributors, licenses code, and opens governance — welcoming all people, not all behavior.
Contribution Guide
The how-to, headlined by ditching the old copyright-grabbing CLA for a lightweight DCO sign-off.
What Is the Kiteworks Open Source Program Office?
The Kiteworks OSPO is the organizational body responsible for open-source strategy, governance, licensing, community health, and ecosystem engagement. It is led by the Vice President, Open Source Program Office at Kiteworks, operates under the ownCloud brand, and sustains the platforms, security practices, and contributor community that make sovereign open-source data exchange work in production.
A Published Governance Charter
We operate under a public Governance Charter that spells out how decisions get made, how contributors advance, and how disputes get resolved. Four roles form the contributor pathway (Contributors, Reviewers, Maintainers, and the OSPO itself), with advancement based on earned authority rather than title or tenure.
Governance changes follow a 30-day public comment period, so nothing about how we work changes without community visibility. Disputes escalate to the OSPO.
A Community Advisory Board of 5–9 external contributors, partners, and institutional to provide structured, ongoing feedback on roadmap and governance. The CAB serves 12-month renewable terms, meets quarterly, and publishes its meeting summaries.
A Formal Security Disclosure Program
The OSPO operates a formal Vulnerability Disclosure Program at security.owncloud.com. An active bug bounty on YesWeHack rewards researchers in defined tiers.
Supply chain vulnerabilities are monitored through automated dependency scanning and a formal Software Bill of Materials process, with coordinated upstream disclosure.
For issues outside the bug bounty scope, contact security@owncloud.com.
Contribution Done Right: DCO, Not CLA
The legacy Contributor License Agreement, which required contributors to assign full copyright to ownCloud GmbH, has been retired. It no longer reflects who we are. Going forward, contributions use the Developer Certificate of Origin, a lightweight per-commit attestation via git commit -s. Contributors retain full ownership of their work and attest only that they have the right to submit it. All new repositories default to Apache License 2.0. License changes to existing repositories will be triaged and conducted. We do not use license ambiguity as a commercial lever: boundaries are public, intentional, and consistently applied. AI-assisted contributions are welcome under the same quality bar as any other contribution, with disclosure of tools used, contributor comprehension, adequate testing, and licensing compliance as the ground rules.
A Community That Drives the Project
We are honest about our model: ownCloud is a commercially backed open-source project, not a foundation-governed one, and Kiteworks steers the roadmap. What we commit to is that the roadmap is public, the rationale is explained, and the community has meaningful channels to influence it. If you build something good, it has a path to merge regardless of whether it was on the roadmap.
Maintainers are enablers rather than gatekeepers, and contribution counts in many forms beyond code: documentation, testing, translation, design, mentorship, and advocacy are all recognized. Our Code of Conduct is enforced through a dedicated escalation path at coc@owncloud.com. An annual OSPO report, planned for Q1 2027, will cover contribution statistics, governance changes, and community health.
Frequently Asked Questions
The Kiteworks Open Source Program Office (OSPO) is the organizational body within Kiteworks that consolidates all of the company’s open-source activities under a single governance structure, operating under the ownCloud brand. It is led by the Vice President, Open Source Program Office at Kiteworks, and is responsible for open-source strategy, governance policy, licensing, community health metrics, ecosystem engagement, and upstream contribution strategy.
The OSPO stewards ownCloud Classic, ownCloud Infinite Scale, the ownCloud Desktop, Android, and iOS clients, the oCIS MCP Server, and all other Kiteworks Open Source products and contributions. It also supervises the Vulnerability Disclosure Program at security.owncloud.com, maintains the public Governance Charter, and serves as the interface between the open-source community and Kiteworks leadership. Contact: ospo@kiteworks.com.
Digital sovereignty, auditability, and vendor independence cannot be delivered through contractual agreements alone. They require architectural guarantees that only open-source software provides. Regulatory frameworks and public investment programs confirm the trajectory: organizations need inspectable code, published Software Bills of Materials, and self-hostable platforms.
Kiteworks has a long history of integrating open-source components into its secure platform. The acquisition of ownCloud was an investment in open source as an idea: that the future of collaboration should be built on federation, sovereignty, and openness. With the ownCloud Desktop Client, we now offer our first fully open-source application to our entire customer base. The OSPO is how we sustain that commitment organizationally, through dedicated product, engineering, community, and security resources, and through transparent governance that contributors, customers, and regulators can verify.
The Kiteworks OSPO stewards ownCloud Classic (also known as ownCloud 10), ownCloud Infinite Scale (oCIS) — the Go-native microservices platform with zero database dependency, deployable as a single binary on a home server or as distributed microservices on Kubernetes — and the full ownCloud client family: the Desktop Client, Android app, iOS app, and MCP Server. The Desktop Client is the first fully open-source application Kiteworks offers to its entire customer base, regardless of plan.
The OSPO also coordinates our upstream contributions to the many open-source components woven through the Kiteworks Private Data Network, and operates community infrastructure including GitHub.
The OSPO operates under a public Governance Charter defining four roles — Contributors, Reviewers, Maintainers, and the OSPO itself — with earned-authority advancement rather than title-based assignment. Contributions use the Developer Certificate of Origin (DCO) rather than a Contributor License Agreement, so contributors retain full ownership of their work. New repositories default to Apache License 2.0, and license changes to existing repositories include Community Advisory Board consultation.
A Community Advisory Board of 5–9 external members provides structured roadmap and governance feedback, with 12-month renewable terms, quarterly meetings, and published meeting summaries. Disputes escalate to the OSPO. Code of Conduct violations go to coc@owncloud.com and are handled through the CoC enforcement process. An annual OSPO report will cover contribution statistics, governance changes, and community health.
The Kiteworks OSPO facilitates a formal Vulnerability Disclosure Program at security.owncloud.com. An active bug bounty program on YesWeHack rewards researchers. We do not initiate legal action against researchers who act in good faith and follow the disclosure policy.
Supply chain and dependency vulnerabilities are monitored through automated scanning and a formal Software Bill of Materials (SBOM) process, with coordinated upstream disclosure. Critical incidents trigger public incident reports with timeline and impact, direct customer notification, updated container images, and binaries with verification hashes. For issues outside the bug bounty scope, contact security@owncloud.com.