Bus Factor 1 Is Not a Secret
Most small open-source projects pretend to have a team. We just shipped governance docs that openly disclose ATR is a single-maintainer project — and explain how that constrains decision-making.
The new CONTRIBUTING.md, MAINTAINERS.md, and SECURITY.md are now live in the AI RMF OSCAL catalog and the ATR rules repos. The most visible thing in MAINTAINERS.md is a sentence we considered carefully:
> Bus factor is currently 1. We are actively recruiting additional maintainers.
Most small open-source security projects do not say this out loud. They use plural pronouns ("our team", "we"), list 2–3 names on the README who have not committed in a year, and hope nobody asks. That works until a downstream consumer with real procurement requirements does ask. Then the credibility cliff is unrecoverable.
The Conflict of Interest Disclosure
MAINTAINERS.md also includes an explicit COI declaration:
> The maintainer (Adam Lin) is also the founder of PanGuard AI, the commercial product that uses ATR rules. ATR is and remains MIT-licensed in perpetuity per the public GOVERNANCE.md. The maintainer recuses from decisions where vendor interest could materially influence catalog content — for example, proposals to add ATR-specific guidance to NIST controls.
This is not legal cover. It is a working rule. When a contributor opens a PR that would tilt the catalog toward language that benefits PanGuard's scanner, the maintainer steps out of the review and the decision rolls into the public-comment process.
Decision-Making With Bus Factor 1
The governance docs spell out three lanes:
- Routine fixes (typos, broken links, schema-conformant non-content changes): one maintainer review.
- Substantive changes (new controls, profile-altering edits, taxonomy updates): 7-day open discussion on the relevant issue + lazy consensus.
- Breaking changes (schema migration, deprecated identifiers, major-version bumps): 2 maintainer approvals OR 14-day public comment if only 1 maintainer exists.
Bus factor 1 does not mean unilateral. It means substantive and breaking decisions are forced into the open and time-windowed.
Path to Bus Factor 2+
We are actively recruiting. The path is published:
- 3+ merged PRs
- 8 weeks of active participation (reviewing PRs, answering issues, attending the monthly community call)
- Consensus add by existing maintainers
This is not a clubby filter. It is roughly the time it takes to learn the catalog's editorial conventions well enough that a new maintainer's approvals do not cause harm; rushing that period is how bad edits get merged.
Why Disclose at All
Two reasons. First, downstream consumers — federal-adjacent compliance teams, security vendors integrating ATR rules, anyone doing third-party risk assessment on the project — get an accurate picture of project resilience. They can plan around it (mirror the repo, pin versions, contribute a maintainer).
Second, the alternative is worse. A project that hides bus factor 1 invites a single point-of-failure narrative the first time a reviewer notices. Honesty up-front reframes the same fact as a transparency strength.