Community Contribution Guidelines

How contributions work

ocsf.ai is a community resource for publishing and discovering OCSF parsers across the security ecosystem. It is maintained by Fleak.ai, with contributions welcome from any vendor, security team, researcher, or detection engineer working with the Open Cybersecurity Schema Framework.

This document explains how to contribute, what gets published, and how the community is governed.

What gets published

ocsf.ai hosts OCSF parsers in two categories:

Community parsers — open contributions covering common telemetry sources (firewalls, endpoint, cloud, identity, DNS, email, etc.). Authored by anyone, attributed to the contributor, available for the community to use, fork, or improve.
Vendor-attributed parsers — parsers contributed by named vendors for their own products or telemetry formats. Published under the vendor’s name, with their preferred attribution and links.

All published parsers must map to a current OCSF version, include test fixtures, and pass review before going live.

Two paths to contribute

There are two ways to publish a parser on ocsf.ai. They serve different contributors with different starting points. Both are equally valid.

Path 1: Author with the AI Mapping App

Best for: contributors with raw telemetry samples but no existing parser, or anyone who wants the fastest path from data sample to OCSF-mapped parser.

ocsf.ai hosts a free AI-assisted parser generator. You upload telemetry samples, the app suggests OCSF mappings, you review and refine, and the result is a complete parser ready to publish. The generator outputs Fleak DSL by default, which is supported across the OCSF community runtime.

What you get:

LLM-assisted schema mapping against the OCSF specification
Automatic test fixture generation from your sample data
Built-in validation against the current OCSF schema version
Direct submission to the community queue once authoring is complete

Path 2: Direct submission of an existing parser

Best for: contributors with parsers already authored in their preferred DSL — SPL, KQL, Bloblang, Vector, Javascript, native vendor formats, or anything else.

If you’ve already invested engineering effort in writing parsers, you can publish them directly without re-authoring. ocsf.ai accepts parsers in any DSL, so long as they meet the submission requirements.

Submission package:

Parser source in the contributor’s chosen DSL (Vector, SPL, KQL, etc.)
DSL and runtime version statement (e.g., “Lua 5.4”, “Splunk SPL 9.x”)
OCSF version compatibility statement (which OCSF version the parser maps to)
Schema mapping documentation (which OCSF event class, which fields)
Test fixtures with pre-computed outputs — at least 3 sample input records, each paired with the OCSF JSON output the parser produces when run in the contributor’s environment
Vendor or contributor attribution and contact information
License declaration (Apache 2.0 or MIT recommended for community parsers)

How non-Fleak DSL parsers are validated

ocsf.ai runs Fleak DSL parsers natively in our hosted runtime — input goes in, OCSF output comes out, all on the platform. For parsers in other DSLs, the contributor executes the parser in their own runtime and provides the resulting OCSF output as part of the submission package.

During review, our OCSF validator checks every contributor-provided output against the declared OCSF version. Outputs that fail validation are flagged for the contributor to resolve. Outputs that pass validation are published alongside the parser, so visitors can see real input → output examples regardless of which DSL the parser is written in.

This means the OCSF schema validator is the same for every parser on ocsf.ai, regardless of DSL. What differs is who executes the parser — Fleak runtime for Fleak DSL, the contributor’s runtime for everything else.

Direct-submitted parsers are published in the DSL they arrived in. ocsf.ai does not transpile between DSLs.

Review and publication

All contributions, regardless of path or DSL, go through the same review before publication.

Submission received and acknowledged within 2 business days.
Schema validation: every parser output (whether produced by Fleak runtime or contributor runtime) is checked against the declared OCSF version using the ocsf.ai validator.
Test fixture review: provided fixtures are checked for completeness and representativeness of the data source.
Editorial review: documentation, attribution, runtime version statements, and metadata are checked for clarity.
Publication: the parser goes live with proper attribution, OCSF compatibility tags, and discoverability metadata.

Average time from submission to publication is 5–10 business days, depending on review queue depth and contributor responsiveness to review feedback.

If a parser doesn’t pass review: the contributor receives specific feedback and can resubmit. Common reasons include outputs that fail OCSF validation, missing or insufficient test fixtures, OCSF version mismatch, or incomplete schema mapping documentation.

Community maintenance

ocsf.ai is maintained by Fleak.ai. This means Fleak operates the website, runs the AI Mapping App, manages the review queue, hosts the parser registry, and ensures the community resource stays usable and current.

Maintainer responsibilities include:

Operating ocsf.ai infrastructure and the AI Mapping App
Reviewing and validating all contributions before publication
Maintaining the parser test framework and fixture library
Tracking OCSF version updates and notifying contributors when parsers need refreshing
Publishing the community coverage map (which sources / event classes have parser coverage)

As the community grows, we expect to evolve into a multi-vendor steering structure. When the contributor base reaches a meaningful scale, we’ll establish a community advisory model with founding vendor seats and broader governance input. Until then, contributions flow through Fleak as the maintainer.

Attribution and licensing

Contributor attribution

Every published parser displays the contributing organization or individual. Vendor parsers carry the vendor’s name, logo, and a link to their site or documentation. Community parsers carry the author’s chosen attribution.

Default license

Community contributions default to Apache License 2.0 unless the contributor specifies otherwise. Vendors may publish under their own preferred OSI-approved license. License text is included with each parser.

Trademark

Contributing a parser does not transfer trademarks or product naming rights. Vendor names referenced in parsers (event sources, product identifiers) remain the property of their respective owners.

How to start contributing

New parser, no existing code: visit ocsf.ai and start a new parser in the AI Mapping App. Upload telemetry samples and follow the prompts.
Existing parser, want to publish: email contribute@ocsf.ai with a brief description of what you’d like to publish. We’ll send you the submission template and walk through the review process.
Vendor partnership: if your organization is publishing multiple parsers as part of a coordinated contribution, contact partnerships@ocsf.ai to discuss how we can support a smooth onboarding.