
Bridging the Gap Between Code and Research: Why SCORED ’26 Matters for Open Source Security

June 23, 2026 | Blog, Guest Blog

By Justin Cappos, OpenSSF Ambassador, Professor at New York University

Introduction: The Evolving Threat Landscape

Let’s be completely honest about how we’ve historically handled security research: academia and open source practitioners have basically been living on two different planets.

In academia, the primary incentive is publishing, and the magic word is novelty. Because of that, there’s a strong tendency for researchers to write papers that build on what other academics think the problems are, without ever really talking to the people maintaining real-world projects. Meanwhile, open source software is now used in a staggering 98% of all codebases. It is literally the digital foundation of the modern world, and we desperately need more people with the dedicated time and energy to look deeply at its vulnerabilities.

But a paper doesn’t secure a repository if a maintainer can’t actually deploy it.

That’s why we created SCORED (the Workshop on Software Supply Chain Offensive and Defensive Research). It’s a complete reimagining of the traditional academic model. We aren’t interested in purely theoretical breakthroughs; we want to publish and promote work that has immediate, practical value to the open source community.

Why Co-Location is a Massive Win for the Ecosystem

To fix a disconnect, you have to put people in the same room. By co-locating SCORED ’26 with OpenSSF Community Day Europe 2026 in Prague, we are physically bringing academics face-to-face with the cutting edge of open source ecosystems.

But the bridge goes deeper than just sharing a venue. We’ve deliberately built our program committee to be heavily drawn from both university faculties and active open source maintainers.

We’ve also introduced something I’m incredibly excited about: the Security-in-Practice (SIP) Track. Alongside traditional 11-page research papers, this track features 20-minute talks designed specifically for industry practitioners and maintainers.

Personally, I learn an immense amount from hearing from the folks running day-to-day operations for infrastructure like Sigstore or PyPI. Their real-world friction points are exactly what should be guiding academic focus. By bringing practitioners into the fold, we can bust open academic misconceptions and make sure research is actually helpful.

2026 Focus Areas: Solving Tomorrow’s Attack Vectors Today

For our 2026 Call for Papers (CFP), we are focusing heavily on areas where we can drive immediate conflux between research and reality.

  • AI Supply Chains: AI usage has absolutely exploded, making its supply chain security a massive, obvious priority.
  • Reproducible Builds: This tackles one of the most prevalent attack vectors we’ve seen over the last few years. Academics are already deeply engaged here, and we want to cross-pollinate that knowledge with practitioners.
  • Dataset Benchmarking (like SBOMs): Without effective data, it’s impossible to know what to protect first. Better datasets give us the macro-level visibility we need to understand the overall health – and the hidden weaknesses – of the open source ecosystem. It’s how we move from constantly reacting to fires to proactively preventing them.

Call to Action: Shape the Future of Open Source Trust

If you’re an academic or a practitioner sitting on the fence about submitting your work before the July 12th deadline, here is my direct pitch to you:

If you bring your work to SCORED, it will be scrutinized by the exact community of people who should actually adopt it. This isn’t about padding a resume with another paper; it’s a genuine opportunity to ensure your research has a measurable, positive impact on the real world. Speaking from experience, finding out that code you helped research is protecting millions of users is immensely rewarding.

SCORED ’26 Deadlines & Details

  • Submission Deadline (Papers & SIP Talks): July 12, 2026
  • Author Notification Date: August 22, 2026
  • Final Materials Due: August 30, 2026
  • Conference Date: October 6, 2026
  • Location: Prague, Czechia (Co-located with OpenSSF Community Day Europe)
  • Submission Portal: scored.dev/call_for_papers

Engineering Systemic Ecosystem Resilience

When I look out over the next few years, my ultimate goal for SCORED is simply to grow the total number of security experts who are actively engaged with and embedded in open source communities.

Academics who have participated in SCORED in the past have already gone on to create a number of massively, widely used technologies across the software supply chain. We’ve proven that this pipeline works. Now, we just want to expand the circle, bring in fresh perspectives, and get to work solving the next generation of supply chain issues together.

We hope to see you – and your work – in Prague.