Public Purse, Public Code: Govt Drafts National Source Code Policy for 2025

The interim government is preparing to declare all software developed with public funds as “national assets.” To protect these assets and ensure public ownership, the ICT Division has drafted the National Source Code Policy (Public Money, Public Code), 2025. Under this policy, all datasets related to government software will be classified as open, restricted, or controlled.

One of the most significant changes in the draft is the mandate for storing source code. From now on, all government-funded source code and related documentation must be stored in a centralized National Source Code Repository, to be operated by the Bangladesh Computer Council (BCC). The repository will function under the supervision of the National Data Management and Interoperability Authority.

According to the policy, no software may be deployed to production until its source code and artifacts are submitted to the repository. The system will maintain full transparency through version control, commit history, release tags, metadata, and audit logs.

Before developing new software, government agencies must adopt a “Reuse First” approach. This requires first checking the central repository for any existing solutions. If no suitable option is found, agencies must justify the need for new development and obtain approval. Reuse may include direct adoption, modular integration, forking and extending, or using approved boilerplates.

Welcoming the draft, Fahim Mashroor, Coordinator of the Tech Industry Policy Advocacy Platform (TIPAP), said, “Declaring government-funded software as national assets is a commendable step. If foreign companies refuse the repository requirements, the work must be done by local firms, which will benefit local software businesses. It will also eliminate duplicate spending and ensure proper utilization of national resources.”

Vendor Obligations & Intellectual Property Rights (IPR)

Under the draft policy, private vendors developing software for the government must comply with strict requirements. Vendors must submit all source code, documentation, and artifacts to the central repository. Crucially, all intellectual property rights (IPR) must either be fully vested in the government or the government must be granted perpetual usage rights. Vendors cannot retain exclusive control over the software or its code. Escrow arrangements may be used when necessary to ensure code availability.

Openness, Exceptions, and Licensing

The general principle of the policy—“Public Money, Public Code”—states that government-owned source code should be considered open unless specifically exempted. The code must be released under an approved open-source license. However, exemptions may be granted in cases involving national security, defense, sensitivity, confidentiality, or third-party IPR constraints. Even exempted code must be stored in the central repository with restricted access and undergo periodic review. The authority will maintain a public registry of both open and exempted systems.

Secure Development, CI/CD, and Dataset Management

A dedicated Acceptable Coding Guidelines Committee will be formed to establish secure coding standards and review reusable modules. All software deployments must follow an approved CI/CD pipeline that includes automated testing, vulnerability scanning, and license verification. Only authorized tools may be used for development.

To ensure security, the repository will operate under a Role-Based Access Control (RBAC) model. Contributors, maintainers, approvers, and auditors must sign government-approved confidentiality and non-disclosure agreements before accessing the repository.

Datasets linked to software must be categorized as open, restricted, or controlled, and registered in the national data catalog. For machine learning or API-based systems, dataset origins, input-output structures, and use-case documentation must be stored in the repository. Vendors and researchers must sign NDAs when accessing sensitive datasets.

The draft policy will be issued under Clause 8 of the National Data Management and Interoperability Ordinance, 2025, making it mandatory for all ministries, divisions, departments, statutory, autonomous, semi-autonomous bodies, and any software or digital services funded by the national budget, foreign loans, or development partners.

The authority and the council will be responsible for implementing and monitoring the policy. Non-compliance may result in administrative fines, contract suspension, or other penalties as permitted by law. The policy will be reviewed every three years to keep pace with evolving technology.

DBTech / IH / OR