ARMS: A Vision for Actor Reputation Metric Systems in the Open-Source Software Supply Chain

📅 2025-05-24
🤖 AI Summary
Open-source software maintainers frequently face high-risk merge decisions due to insufficient visibility into external contributors’ cybersecurity expertise and track record. To address this, we propose Actor Reputation Metric Systems (ARMS), the first systematic framework defining seven general-purpose cybersecurity reputation signals and establishing a scalable, verifiable mapping from raw data to actionable reputation metrics. Methodologically, ARMS integrates NIST/ISO security standards, static code analysis (via CodeQL), vulnerability databases (e.g., NVD), code contribution history, and community interaction logs, enabling multi-source signal modeling for quantitative contributor trustworthiness assessment. Our key contributions are: (1) the first conceptual framework for security reputation in open-source supply chains; (2) a taxonomy of reputation signals with concrete metric instantiations; (3) an evaluation pathway for metric utility; and (4) principled trade-off mechanisms balancing precision, coverage, and operational feasibility—thereby providing both theoretical foundations and practical guidance for toolchain development and community integration.

📝 Abstract
Many critical information technology and cyber-physical systems rely on a supply chain of open-source software (OSS) projects. OSS project maintainers often integrate contributions from external actors. While maintainers can assess the correctness of a change request, assessing its cybersecurity implications is challenging. To help maintainers make this decision, we propose that the open-source ecosystem should incorporate Actor Reputation Metrics (ARMS). This capability would enable OSS maintainers to assess a prospective contributor's cybersecurity reputation. To support the future instantiation of ARMS, we identify seven generic security signals from industry standards, map concrete metrics from prior work and available security tools, describe study designs to refine and assess the utility of ARMS, and finally weigh its pros and cons.
Problem

Research questions and friction points this paper is trying to address.

Assessing cybersecurity risks in open-source software contributions
Developing reputation metrics for OSS contributors' security reliability
Integrating security signals from industry standards into ARMS
Innovation

Methods, ideas, or system contributions that make the work stand out.

Proposes Actor Reputation Metrics (ARMS)
Identifies seven generic security signals
Maps metrics from prior work and tools
Authors

Kelechi G. Kalu, Purdue University
Sofia Okorafor, Purdue University
Betül Durak, Microsoft Research
Kim Laine, Principal Research Manager, Microsoft (Cryptography, Privacy, Security)
R. C. Moreno, Microsoft Research
Santiago Torres-Arias, Assistant Professor of Electrical and Computer Engineering, Purdue University (Software Supply Chain Security, Systems Security, Applied Cryptography)
James C. Davis, Purdue University