
What a month! May was packed with milestones for the OpenSSF community, and we’re still riding the high from an incredible OpenSSF Community Day North America in Minneapolis. The community showed up in full force to celebrate some major wins: five new members, the launch of our inaugural Ambassador Program, a brand new AI eBook, the Python Secure Coding Guide, and so much more. A full recap of Community Day is coming soon, so stay tuned. In the meantime, read on to catch up on everything new in May!
TL;DR:
- 🚀 Q2 Foundational Wins → Five new members, OSS-CRS sandbox project, and v1.0.0 Python Secure Coding Guide celebrated at OpenSSF Community Day North America 2026.
- 🤝 Ambassador Program Launches → First cohort of 13 OpenSSF Ambassadors announced to spread security best practices globally.
- 📖 New eBook: Securing Open Source in the Age of AI → Crafted in partnership with CNCF, this eBook translates practical expertise into actionable guidance to help your project thrive in the age of AI.
- 🐍 Python Secure Coding Guide v1.0.0 → BEST WG publishes the first framework-independent resource for Python secure coding practices.
- ⚖️ CRA Compliance Wake-Up Call → An urgent wake-up call: the EU Cyber Resilience Act September deadline is fast approaching, and the ecosystem must act.
- 📦 Package Registry Sustainability → New pressure on open source package registries fuels Part II of the “Open Infrastructure Is Not Free” series.
- 🤖 DARPA AIxCC Legacy → A look back at the impact and legacy of the AI Cyber Challenge, now powering OSS-CRS – the newest project of OpenSSF.
OpenSSF Notes Quarter of Growth with New Members, Added AI Security Resources, and Growing Community
Announced live at OpenSSF Community Day North America in Minneapolis, OpenSSF welcomed five new members: ActiveState, Aikido Security, Minimus, TuxCare (General Members), and the FreeBSD Foundation (Associate Member). We also released the v1.0.0 Python Secure Coding Guide, launched the first Ambassador cohort, and formally accepted OSS-CRS as a Sandbox project. Learn more about all the exciting news!
Introducing the First Cohort of the OpenSSF Ambassador Program
Securing the open source ecosystem requires passionate advocates. At OpenSSF Community Day, OpenSSF launched its inaugural Ambassador Program and announced 13 community leaders committed to spreading security best practices and growing the global OpenSSF community. Read the blog and get to know the ambassadors.
Securing Open Source in the Age of AI
New AI Security eBook: In collaboration with CNCF, OpenSSF released Securing Open Source in the Age of AI: A Practical Guide for Maintainers, Security Engineers, and Researchers, covering AI-generated contributions and AI-assisted security workflows. Download the eBook now.
Taking Stock of the State of European Cyber Resilience Act (CRA) Compliance: An Urgent Wake-up Call for the Open Source Ecosystem
Hear from CRob as he highlights that the EU Cyber Resilience Act (CRA) is no longer theoretical: it is in force, and its vulnerability and incident reporting obligations start applying on 11 September 2026. In this blog, CRob urges the open source ecosystem to move from mapping requirements to active compliance, outlining what foundations and maintainers need to do right now. Read the blog.
Secure Coding Guide for Python (pyscg) First Release
Python powers web apps, data pipelines, AI/ML, and cloud infrastructure, yet developers have lacked a single, framework-independent secure coding resource. The BEST Working Group’s v1.0.0 release fills that gap with high-confidence anti-patterns and compliant code examples to mitigate common vulnerabilities. Read this latest guide.
Hack to the Future: The Impact and Legacy of the DARPA AIxCC Challenge
Since DARPA’s 2023 announcement, the AI Cyber Challenge (AIxCC) has developed open source AI tooling to safeguard critical infrastructure. This post charts the competition’s results, the winning teams’ strategies, and how the challenge’s output now lives on inside OpenSSF through OSS-CRS. Read the blog by Helen Woeste for OSTIF and learn about the AIxCC challenge.
The Road to Gold: How CPS Set a New Standard for Security and Quality in Open Source
The ONAP CPS project’s journey to achieving an OpenSSF Gold badge illustrates what it takes to meet rigorous security and quality baselines in a large-scale network automation framework. Read the guest blog by Toine Siebelink from Ericsson, detailing community-driven security uplift as a model for others.
Open Infrastructure Is Not Free, Part II: The Hidden Cost of Running Package Registries
Building on the 2025 open letter on open source sustainability, this post examines the growing economic pressures facing package registries as AI adoption accelerates. Rising bandwidth, security demands, and storage costs are making the status quo untenable – and the community must respond. Read the blog to learn more.
Detecting Malicious Packages Using the OSV API
The OpenSSF Malicious Packages repository is the first open source system for collecting and distributing malicious package data. This guest post by Nigel Douglas from Cloudsmith walks through how security teams can integrate the OSV API into day-to-day supply chain workflows to catch threats early. Read the blog.
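Worked example (added here, not code from the blog post, Cloudsmith, OSV, or the Malicious Packages project): a small triage step that sends a dependency list to OSV's batch query endpoint and fails closed on any advisory whose id carries the MAL- prefix used for Malicious Packages entries, while merely warning on ordinary vulnerabilities. The endpoint URL and response shape are stated as assumptions in the code; the embedded response and the package names and advisory ids in it are constructed placeholders so the example runs offline.

```python
"""Gate a dependency list on OSV results, treating MAL-* advisories as blocking.

Assumptions (not taken from the page):
  * POST https://api.osv.dev/v1/querybatch accepts
    {"queries": [{"package": {"name", "ecosystem"}, "version"}]} and returns
    {"results": [{"vulns": [{"id", "modified"}]} | {}]} in query order.
  * Malicious Packages advisories have ids beginning with "MAL-".
"""
import json
import urllib.request
from dataclasses import dataclass
from typing import Iterable

OSV_QUERYBATCH = "https://api.osv.dev/v1/querybatch"
MALICIOUS_PREFIX = "MAL-"


@dataclass(frozen=True)
class Dependency:
    ecosystem: str  # OSV ecosystem name, e.g. "npm" or "PyPI"
    name: str
    version: str


@dataclass
class Finding:
    dep: Dependency
    malicious_ids: list[str]  # MAL-* advisories: block
    vuln_ids: list[str]       # everything else: warn

    @property
    def is_malicious(self) -> bool:
        return bool(self.malicious_ids)


def build_batch_query(deps: Iterable[Dependency]) -> dict:
    """Shape the request body for the querybatch endpoint."""
    return {"queries": [{"package": {"name": d.name, "ecosystem": d.ecosystem},
                         "version": d.version} for d in deps]}


def triage(deps: list[Dependency], response: dict) -> list[Finding]:
    """Pair each positional result with its dependency and split the ids."""
    results = response.get("results", [])
    if len(results) != len(deps):
        raise ValueError("result count does not match query count")
    findings = []
    for dep, res in zip(deps, results):
        ids = [v["id"] for v in (res.get("vulns") or [])]
        mal = [i for i in ids if i.startswith(MALICIOUS_PREFIX)]
        other = [i for i in ids if not i.startswith(MALICIOUS_PREFIX)]
        findings.append(Finding(dep, mal, other))
    return findings


def query_osv(deps: list[Dependency], timeout: float = 10.0) -> dict:
    """Live lookup; the offline demo below uses SAMPLE_RESPONSE instead."""
    body = json.dumps(build_batch_query(deps)).encode()
    req = urllib.request.Request(OSV_QUERYBATCH, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def gate(findings: list[Finding]) -> int:
    """CI-style exit status: 1 if any dependency is flagged malicious."""
    blocked = [f for f in findings if f.is_malicious]
    for f in blocked:
        print(f"BLOCK {f.dep.ecosystem}/{f.dep.name}@{f.dep.version}: {f.malicious_ids}")
    for f in findings:
        if f.vuln_ids and not f.is_malicious:
            print(f"WARN  {f.dep.ecosystem}/{f.dep.name}@{f.dep.version}: {f.vuln_ids}")
    return 1 if blocked else 0


# Constructed sample input and response; package names and advisory ids are
# placeholders, not real packages or real OSV records.
SAMPLE_DEPS = [
    Dependency("npm", "example-typosquat", "1.0.0"),
    Dependency("PyPI", "example-lib", "2.3.1"),
    Dependency("npm", "example-clean", "0.9.0"),
]
SAMPLE_RESPONSE = {"results": [
    {"vulns": [{"id": "MAL-0000-00001", "modified": "2026-01-01T00:00:00Z"}]},
    {"vulns": [{"id": "GHSA-xxxx-xxxx-xxxx", "modified": "2026-01-01T00:00:00Z"}]},
    {},
]}

if __name__ == "__main__":
    raise SystemExit(gate(triage(SAMPLE_DEPS, SAMPLE_RESPONSE)))
```

The split between blocking and warning is deliberate: a malicious-package hit means the artifact itself is hostile and should never be installed, whereas an ordinary advisory may be acceptable pending review, so the two deserve different policies rather than a single "vulnerable" bucket.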
What’s in the SOSS? An OpenSSF Podcast:
#60 – S3E12 Packaging, Transferring, and Deploying Software in Air-Gapped Environments with Zarf
Join Brandt Keller (Staff Software Engineer at Defense Unicorns and Maintainer of the OpenSSF Sandbox Project Zarf) as he discusses Zarf’s origins as a tool for deploying software in fully air-gapped environments. Listen to the podcast and learn about the growing need for defense and critical infrastructure operators in the ecosystem.
#61 – S3E13 Beginner to Builder: Shaping the Conversation in Open Source Security
In this episode of the podcast, Yesenia Yser interviews cybersecurity analyst Ejiro Oghenekome about her journey from UI/UX design to becoming a key contributor to the OpenSSF. Ejiro shares the inspiration behind her public “100 Days of Cybersecurity” challenge, which has helped her maintain discipline and consistency while making the field less intimidating for beginners.
News from OpenSSF Community Meetings and Projects:
- CFPs are open for OpenSSF Community Day Europe, Open Source Summit Europe, and AGNTCon + MCPCon in North America, Japan, and Europe.
- Summer 2026 Mentorship Program: OpenSSF selected eight mentees for its Summer 2026 cohort. Contributors will work on RSTUF, GITTUF, SBOMit, and Minder.
- The Global Cyber Policy WG published a CRA Readiness Guide for Maintainers.
- Community Call for Input: Provide your feedback on the first two publicly available AI Act standards and the NIST SP 1800-41 draft. See details on Slack.
- Public Consultation Responses: OpenSSF has submitted formal feedback on the EU CSA Revision, NIS2 Directive amendments, and ENISA’s “Secure by Design and by Default Playbook” for SMEs. View the full details and access all relevant links in this Slack post.
- OpenVEX has drafted a v1 roadmap.
- The OpenSSF community is drafting an AI Contribution Policy for OpenSSF Technical Initiatives.
- Following the conclusion of DARPA’s AI Cyber Challenge, the Open Source Cyber Reasoning System is now formally part of OpenSSF, enabling autonomous vulnerability finding and patching at scale.
- The Best Practices WG completed the first release of the Secure Coding Guide for Python.
- Minder welcomed 10 new contributors to the project.
- Zarf released v0.75.1.
- OpenSSF Scorecard released v5.5.0.
- OpenBao released v2.5.4.
- Alpha-Omega kicked off May by exploring how to scale Ruby’s defenses with AI and highlighting the security risks of unmaintained software in Weekend at Bernie’s: Which of Your Dependencies are Wearing Sunglasses.
- Vulnerability Disclosures WG Survey Still Open: The Community Survey on AI-Slop Impact (AI-generated low-quality vulnerability reports) remains open through May 31, 2026. Take the survey and help inform the WG’s response.
- Generative AI Developer Survey: How is generative AI reshaping open source development? Share your experience with the Linux Foundation research team.
In the News:
- DevOps.com: OpenSSF’s CRob: ‘The Runway Is Rapidly Running Out’ on EU CRA Readiness
- Techstrong TV: EU Cyber Resilience Act Pressures Software Makers
- The New Stack: “Morally repugnant shortsightedness”: Why open source security leaders say companies must stop freeloading on maintainers
- ZDNET Korea: Professor Choi Yoon-sung of Korea University Selected as Only Korean Inaugural Ambassador for Open Source Security Foundation
Meet OpenSSF at These Upcoming Events!
Connect with the OpenSSF Community at these key events:
- European Open Source Security Forum 2026 (Approval required) – June 9, 2026
- OpenSSF Community Day Europe 2026 – October 6, 2026
- Open Source Summit Europe 2026 – October 7-9, 2026
- All Things Open 2026 – October 19-20, 2026
- Open Source SecurityCon North America 2026 – November 9, 2026
- KubeCon + CloudNativeCon North America 2026 – November 9-12, 2026
Ways to Participate:
There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.
You’re invited to…
- Join a Working Group or Project
- Chat with us on Slack
- Follow us on X, Mastodon, Bluesky, and LinkedIn
- Join OpenSSF
See You Next Month!
We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!
Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month!
Regards,
The OpenSSF Team