
OpenSSF Newsletter – May 2025

By Newsletter

Welcome to the May 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR:

Here’s a quick summary of this month’s highlights: the OpenSSF Tech Talk showed how the Security Baseline helps projects enhance compliance and resilience; the Best Practices WG released the guide “Simplifying Software Component Updates” to prevent API-compatibility vulnerabilities; the CFP for Community Day Europe (Amsterdam, August 28) closes May 26; the Cybersecurity Skills Framework offers a free, customizable way to align job roles with practical security skills (webinar June 11); Ericsson’s C/C++ Compiler Hardening Guide, now jointly maintained with OpenSSF, demonstrates the power of community-driven security practices; three fresh podcast episodes are live (#29 Stacey Potter, #30 GitHub’s SOS Fund, and #31 Cybersecurity Framework Launch); and our community continues to buzz with WG updates, upcoming Community Days in Tokyo, Denver, Hyderabad, Amsterdam and Seoul, and the CFP for Open Source SecurityCon.

Linux Foundation and OpenSSF Release Cybersecurity Skills Framework to Strengthen Enterprise Readiness

The Linux Foundation and OpenSSF have released the Cybersecurity Skills Framework, a customizable global reference guide that aligns IT job roles with practical cybersecurity competencies. The framework defines foundational, intermediate, and advanced proficiency levels mapped to standards like DoD 8140, CISA NICE, and ICT e-CF, enabling organizations to assess and build security capabilities across job roles.

Developed through global research and community feedback, the framework empowers enterprise leaders to close skills gaps, strengthen security culture, and systematically reduce cyber risk. Listen to the podcast, attend the webinar on Wednesday, June 11 at 11:00 am EDT. Learn more.

OpenSSF Tech Talk Recap: Using Security Baseline to Navigate Standards and Regulations


The Open Source Security Foundation (OpenSSF) hosted a Tech Talk titled “How to Use the OSPS Baseline to Better Navigate Standards and Regulations” to help maintainers, contributors, and organizations apply the OSPS Baseline in real-world projects. This session offered practical guidance on enhancing compliance, reducing risk, and building more resilient open source software. Learn more.

New Guide on Simplifying Software Component Updates


The Open Source Security Foundation (OpenSSF) Best Practices Working Group has released the new guide Simplifying Software Component Updates. This guide by David A. Wheeler (The Linux Foundation) and Georg Kunz (Ericsson) gives software producers and consumers practical steps to simplify component compatibility. Backward-incompatible changes to an application programming interface (API) make updating harder and often lead to security vulnerabilities that go unaddressed; applying the principles in this guide will eliminate many such vulnerabilities in software. Read the blog.

Call for Proposals for OpenSSF Community Day Europe Open Through 26 May, 2025


OpenSSF Community Day Europe takes place on Thursday, 28 August in Amsterdam, Netherlands, co-located with Open Source Summit EU. This event brings together contributors, maintainers, practitioners, and researchers to collaborate on securing the open source software we all rely on. Submit your proposals by 26 May 2025 on topics such as AI and ML in security, cyber resilience and supply chain security, OSS signatures and verification, real-world case studies, regulatory compliance, and enhanced security tooling. Learn more.

Case Study: Ericsson’s C/C++ Compiler Options Hardening Guide and OpenSSF Collaboration

This case study highlights Ericsson’s collaboration with the OpenSSF on the C/C++ Compiler Options Hardening Guide, a pragmatic resource that maps compiler hardening flags to their performance and security impacts. Originally drafted by Ericsson’s product security team and donated to the OpenSSF, the guide is now maintained in the OpenSSF Best Practices Working Group. Community feedback from compiler maintainers, Linux distribution contributors, and projects like Wireshark, Chainguard, and CPython has refined its recommendations, leading to internal adoption at Ericsson and broader ecosystem uptake.

Ericsson’s work demonstrates how open sourcing practical security guidance and engaging the community can drive real improvements in C/C++ code hardening across the industry. Read the case study.

What’s in the SOSS? An OpenSSF Podcast:

#29 – S2E06 “Showing Up Fully: Meet OpenSSF’s New Community Manager, Stacey Potter”: Meet Stacey Potter, OpenSSF’s new Community Manager, as she shares her journey into open source and her community-first mindset.

#30 – S2E07 “Scaling Security: Inside the GitHub Securing Open Source Software Fund”: Kevin Crosby and Xavier René-Corail from GitHub discuss the Securing Open Source Software (SOS) Fund, its $10K stipends, lessons from cohort 1, and Maintainer Month.

#31 – S2E08 “Cybersecurity Framework Launch”: Delve into the development of the Cybersecurity Skills Framework, emphasizing the need for continuous learning and community engagement in the tech industry.

News from OpenSSF Community Meetings and Projects:

In the News:

Meet OpenSSF at These Upcoming Events!

Join us at OpenSSF Community Day Events in North America, India, Japan, Korea and Europe!

OpenSSF Community Days bring together security and open source experts to drive innovation in software security.

Connect with the OpenSSF Community at these key events:

Ways to Participate:

There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.

You’re invited to…

See You Next Month!

We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!

Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month!

Regards,

The OpenSSF Team

What’s in the SOSS? Podcast #31 – S2E08 Cybersecurity Framework Launch

By Podcast

Summary

In this episode of What’s in the SOSS, host CRob interviews Clyde Seepersad from the LF Education Department. They discuss Clyde’s journey into open source, the role of LF Education in supporting the community, and the importance of cybersecurity education. They also delve into the development of the Cybersecurity Skills Framework, emphasizing the need for continuous learning and community engagement in the tech industry.

Conversation Highlights

00:00 Introduction to Open Source and LF Education
02:59 Clyde’s Journey into Open Source
05:54 The Role of LF Education in Open Source
09:00 Cybersecurity and the Global IT Cyber Skills Framework
11:59 Framework Development and Industry Collaboration
15:13 Continuous Learning and Community Engagement

Transcript

Intro Music (00:00)

Clyde Seepersad (00:02)
Five years ago, eight years ago it was “What are these container things and how are they going to make a difference?” Fifteen years ago it was “What is this hypervisor and how’s it going to make a difference?” We’re having a moment now where there’s this combination of security’s super important in every single aspect.

CRob (00:20)
Welcome back to What’s in the SOSS, the OpenSSF’s podcast where we talk to interesting people that are involved in open source development and standards and supporting our amazing communities. And this is season two; we’re quite excited to have graduated on to the next level. I’m CRob, I’m one of your hosts here at the OpenSSF.

I’ve had the pleasure to be involved with this community for just under five years and I get this amazing chance to interview some amazing, interesting luminaries. And today we have a real treat. We have Clyde from the LF Education Department and they specialize in helping people understand open source tools and methodologies and techniques. So, Clyde, can you give us maybe a few minutes of your open source origin story and kind of explain a little bit about what LF Education does?

Clyde Seepersad (01:19)
Thanks, CRob. I’m excited to be here. I’m excited to have education be talked of as a luminary because often when we do materials, people start looking very intently at their toes and hoping that somebody else will do it. Always happy to get a platform to encourage more folks to come on in. The water is fine. I am sort of a latecomer to open source. I’ve been involved for the past 10 years or so and was off on the dark side doing my thing.

And one day a headhunter called up and said, we have this interesting opportunity. We think you’d be good for it. And at the time I was in Austin, Texas. And I thought, well, you know, Austin is not that big a town. It was great to meet extra people. We scheduled a 20 minute coffee and no harm, no foul. And it took two and a half hours to wrap up the conversation because we just kept going and I kept thinking, I had no idea that dot, dot, dot.

And so I left that meeting, went home, told my wife that the coffee I had told her about ended up being a two and a half hour conversation and I was going to leave my job and go do this non-profit thing that she had never heard about and that I had only barely heard about several hours earlier. And it just…

CRob (02:35)
must have been some great coffee.

Clyde Seepersad (02:37)
It was good coffee. I think it got cold several times. So the refresh cycle on the coffee was good, which, you know, is important. And it’s just been such a phenomenal ride, right? Obviously, we’re recording this, whatever, 10 days after the DeepSeek drop, and cool things just keep happening in collaboratively developed spaces, which is, maybe not ever was thus, but certainly ever will be thus. I think that is the new way that stuff gets done. And of course, one of our big priorities along with everybody else on planet Earth in the last few years has been the security space and trying to think about what more could and should we all be doing.

CRob (03:18)
Mm hm. So a lot of people might not be aware that the Linux Foundation has a whole group dedicated towards training and education. So maybe could you talk a little bit about your group and kind of the things that you all do for the community and our members?

Clyde Seepersad (03:33)
Technical folks like to work on technical problems, right? They like to spin up new projects. They like to work on road maps and get from beta versions to release candidates to GA to one to two to X. Some of them like to go to meetups and connect with other folks. Not terribly many like to step back and think about how will I onboard the next person who isn’t currently super excited about this. And I think that’s where this team shows up as we say, as we show up and we say, listen, we can help you with the instructional design. We can help you with the development of quizzes, with the multimedia, with the video, with the, you know, the multilingual stuff, with the production value, with the sort of mapping out of the process, with the handling of the tools that author the content.

If you can work with us, because the one thing we’re not is experts in, fill in the blank, right? There’s a thousand projects at the LF. A lot of what seems scary in terms of putting education together and not just putting it together, but importantly, getting it into the hands of the right people quickly is what we can do. And so that’s what I like to brag on this team is we’re doing a lot of things that aren’t central to any one open source project or initiative, but we’re bringing a set of skills and capabilities that you typically don’t find in kind of the core maintainer community, but they’re very complementary and we can say, we’ve got all the folks and the tools and the processes to do all the stuff that makes your, you know, makes your hair hurt. Let’s work with you. Let’s work with you to get the story out. And importantly, let’s get the story out not just to the people who are already excited and way down the weeds in the GitHub repo.

Let’s get the story out to the next folks out there who, if you ask the question, and I always say to the team, the most important question we can help folks answer is what is that tech and why do I care? And that is very much about, you know, what are these technologies? What did they do that were impossible yesterday, was much easier to do, was able to do in a way that is more cost effective because it’s a shared license. Because that’s where we help, but that’s where we can really help is to bring new people into these ecosystems.

CRob (05:53)
So thinking back of your journey with the LF Education crew, what are some of the timely topics? Like what are some of the most requested things or what are you all working on? What’s your priority lately?

Clyde Seepersad (06:06)
Well, you’ll be shocked to hear that AI is on the list.

CRob (06:13)
You’re right I am shocked.

Clyde Seepersad (06:14)
Pretty much the only two topics I hear currently are security and AI. Five years ago, eight years ago, it was what are these container things and how are they going to make a difference? 15 years ago, it was what is this hypervisor and how is it going to make a difference?
And then you get the most specialized conversations and things like networking. But I think it is definitely true that we’re having a moment now where there’s this combination of security is super important in every single aspect and trying to figure out what exactly the GenAI future is going to look like and where we never ever have a junior software developer ever again because, quote, GitHub is pretty good at first pass stuff. You know, I think there’s a series of really active conversations around trying to envision what our future is going to look like. And both those components are front and center.

CRob (07:09)
Very nice. Well, one of the things that you and I have been collaborating on most recently is the global IT cyber skills framework. Could you maybe talk a little about where this idea came from and kind of what you’re intending to do with this project?

Clyde Seepersad (07:25)
Sure, and really appreciate all the support you’ve provided on this. It really started with a very simple observation, which is, as I listen to folks talking about cybersecurity, a lot of what the pattern we kept hearing was there are specific job functions and areas of responsibility related to cybersecurity that everybody wants to be very focused on. So whether that is intrusion detection, pen testing, there’s a lot of specialized focus on cyber. And it’s a little bit like the Sherlock Holmes story where the key clue was the dog that didn’t bark. What about all the people who aren’t cyber security specialists? They’re app developers, they’re network people, they’re database admins, getting up every morning thinking about where the latest vulnerability is going to come from. But they have not been part of the conversation.

And so I think that’s really what we’re trying to do here is to say, we have to find a way to make everybody who touches these systems part of the conversation on cybersecurity and make it easy for them to figure out what their part in the broader strategy is. Security is not something you can inspect in at the end, right? It has to be there from the get-go. And that has not been…a big part of the conversation, which is not surprising when the fire is hot as you put in the water on the most immediate source of the flames, but you’re not paying as much attention yet as to where the fuel load is building up. And so I think that’s really what we’re trying to, hoping to catalyze is a broader conversation around just how extensive the concept of cybersecurity is when you think about all these different roles in technology. And so it’s great that we’ve started with the specific folks that are in a CISO’s office, but we have to make sure we don’t stop there.

CRob (09:32)
Yeah, I love that, kind of looking at the framework, the fact that we looked at many different job types and kind of thought about it from somebody’s career: at the beginning of their career, they needed to have certain experiences. And as you evolve and kind of get more, you level up, so to speak, there are more increasingly complex tasks that you’re asked to deal with. Can you talk a little bit about, just give us kind of a sneak peek into the framework and kind of what went into some of this thinking?

Clyde Seepersad (10:01)
Yeah, I think there were two things we were trying to make sure that we use as our North Star. The first was it had to be easy to use. We have to make it easy for people to have this conversation. So how can we develop something that is not intimidating, easy to use, people can see their way to the end goal where they’re using it. And the second is, can we make something that is not a special snowflake, that is industry agnostic, that’s geography agnostic? Because, to have those two things be true, and you know, we worked with hundreds of folks who volunteered their time and expertise on this. Where we ended up was saying, to make it easy, we have to have it be simple for folks to figure out where different people in their organization might slot in. So how can we group like with like? And so we went through this exercise with a group of experts and then validated it through a large form field study survey in the field. And we ended up with 14 or 15 job categories or job families.

Clyde Seepersad (11:23)
That’s not to say that there aren’t people out there who straddle lines, and there will always be, but we felt pretty good about having these categories as sort of people who are grouped together. So things like network specialists, things like database administrators, things like software developers as distinct from app developers, so smartphones. And then from a career perspective, as you alluded to, CRob, there’s this concept that there are things you need to know when you’re just starting out.

And there are more things you need to know when you start taking more individual responsibility, and yet there are more things you need to know, especially as you take on managerial responsibility and start supervising the work of others. And so what we ended up with, if you envision sort of a two by two framework, is a set of job families where we have examples, we can help people visualize, oh yeah, I’ve got folks in that box. And then this continuum of experience where, for newer folks, there are topics and we’re very, you know, the topics are quite specific and so they’re somewhat opinionated, but we wanted it to not be a hand wavy feel good.

We wanted people to be able to look into that framework, see things they violently agreed with, maybe see some things they violently disagree with because maybe it’s not relevant and that’s okay, right? It’s very much meant to be à la carte, Kanban style. I like this, I want to use it. I don’t like that, I want to take it out. I think this is missing because I’m in industry X and I want to add it in. But I think we’re hoping that the concept of it’s a simple framework. You can print it on one page. It’s a way to start and then make it your own. Make it relevant to your department. Make it relevant to your industry. Move stuff left, move stuff right, blend stuff between buckets, but use it as an accelerant, right? Instead of staring at the blank whiteboard. This is the collective wisdom of hundreds of folks who spent decades in this space – stand on their shoulders, right? Use it as a jumping off point.

CRob (13:20)
I loved the kind of practitioner perspective that the framework brought. Could you maybe talk about, I know we’ve had some conversations with other folks within the ecosystem. How does this work alongside or complement other similar efforts?

Clyde Seepersad (13:37)
Yeah, I think our view is that this is meant to be an entry point for people to think about cybersecurity for their broad audiences and not to replace. There are some very good, more specialized frameworks that already exist out there, right? So you have things like SFIA, you have things like the NICE framework. And our take was we look around and we listen.

And those are not being used as much and implemented as much as you might have thought. I think part of the reason is they’re so sophisticated and there’s so much detail that they’re a little maybe intimidating if you’re starting kind of at the starter’s pistol. And so we’re envisioning this really as a gateway exercise to say, here’s a way that you could start. It’s not saying that it’s fully comprehensive of everything you’d ever think of, but it’s saying these are the lowest common denominator pieces, right?

And so it’s a discrete, easy to wrap your head around, printed on a page starting point. And hopefully what we see is that once people start their journey, they gravitate towards some of these bigger frameworks that already exist according to what makes sense for their organization, for their industry, for their geography. And so we’re very much seeing this as complementary to frameworks that are more specialized that exist, really as a way to get more folks far enough down the path that they start using those frameworks with confidence.

CRob (15:14)
I love the effort. I’m really looking forward to kind of unleashing this and sharing it with the broader ecosystem and then starting to get to the devil’s in the details. I want to start building my own little Kanban board and kind of mapping out my journey and seeing what I and others might want to start exploring education-wise next.

Clyde Seepersad (15:33)
Yeah, and that’s exactly what we’re hoping to happen, right? This is going to be a publicly available royalty free resource sponsored by OpenSSF and the LF. We want everybody to use it. We want companies, we want education providers to use it. And importantly, we want this to be an ongoing effort. So, you know, we’ve had a ton of people volunteer their time and expertise to get to V1. We’re very much intending to have this be an ongoing effort where we’re constantly reviewing this, you know.

At least twice a year stepping back and saying, is this still right? Because the one thing that we know is true is yesterday’s threats are not tomorrow’s threats, right? So we cannot have these be static. We have to constantly be asking ourselves, is this still relevant? Is there something else that we need to add? Because that’s the only way that you can really, if we’re trying to get people to think holistically about the security implications up and down the food chain, we have to help them keep track of stuff as it evolves. And so I think one of the beauties of doing this collaboratively is we do have the ability and the intention to continue revving, right? Just like any release schedule, right? That the 2026 version is gonna go look different and the second half of 2025 version might look different.

CRob (16:50)
Excellent. Well, let’s move on to the rapid fire part of the conversation. All right. I got a couple of wacky questions. I just want your first answer right out of the gate. What’s your favorite open source mascot?

Clyde Seepersad (17:06)
You know, it’s still Tux. It’s just, you know, I’ve got a dozen of them on my desk and it’s an oldie but a goodie.

CRob (17:19)
Excellent. Good, good. Spicy or mild food?

Clyde Seepersad (17:23)
I grew up in the Caribbean, so definitely spicy.

CRob (17:30)
Ooh, that’s spicy. Excellent. What’s your favorite adult beverage?

Clyde Seepersad (17:34)
Rum and Coke.

CRob (17:35)
Classic. I love that as well. So as we wrap up here, what advice might you offer someone that’s just getting into, whether it’s open source development or cybersecurity, how can you help them start their journeys?

Clyde Seepersad (17:50)
You know, the key thing I say to folks anymore is that the world has really changed. Even when I started my career, you could pick a spot and say, I wanted to be an X. I wanted to be a database person. I wanted to be a Cisco switch person. I wanted to be an Oracle person. Because we used to have these long runways of technology staying pretty stable.

And that’s just not true anymore. I think everybody should be coming into tech and even those of us who’ve been in it should be thinking about it as an ongoing journey of lifelong learning. You’ve got to stay on your toes. The thing that made you successful three years ago probably is not going to be the thing that makes you successful this year. And so committing to this idea that it’s your responsibility to figure out the things you’re passionate about and learn them and implement them and stay on this sort of continuous journey.

That’s going to be what the foreseeable future looks like, is all of us just cross-skilling, up-skilling, feeling like we’re always slightly behind, but making that commitment to our own learning and development.

CRob (18:58)
I like to learn something new every day. And finally, what call to action do you want to give the community right now? What actions can people take to help make the world a little bit better place?

Clyde Seepersad (19:09)
Yeah, I would say for everybody who touches a tech stack, step back and start inventorying where do you think in your day-to-day job you could do one thing better that would narrow or close a security gap. We all have goals and the targets we’re trying to meet and we’re on the treadmill. Take a moment to step back.

Get off the goals treadmill. Try to find one thing, one thing that you can do better that helps narrow the surface, the attack surface, and find a way to make that happen.

CRob (19:52)
Excellent. Well, thank you. Sage advice learned over your journey. Thank you, Clyde, for coming today and sharing about the IT skills matrix and about LF education.

Clyde Seepersad (20:03)
Thanks so much for having me, CRob.

CRob (20:05)
Cheers.

Outro Music (20:05)
Like what you’re hearing? Be sure to subscribe to What’s in the SOSS on Spotify, Apple Podcasts, AntennaPod, Pocket Casts or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it all. Check out the newsletter for open source news, upcoming events and other happenings. Go to openssf.org/newsletter to subscribe. Connect with us on LinkedIn for the most up-to-date OpenSSF news and insight and be a part of the OpenSSF community at openssf.org/getinvolved. Thanks for listening and we’ll talk to you next time on What’s in the SOSS.

Case Study: Ericsson’s C/C++ Compiler Options Hardening Guide and OpenSSF Collaboration

By Blog, Case Studies

Ericsson, a global leader in telecommunications and networking, has been deeply engaged in open source and software security for over a decade. Through its Open Source Program Office (OSPO), Ericsson coordinates its participation across multiple foundations and initiatives, including the Open Source Security Foundation (OpenSSF). This case study highlights Ericsson’s collaboration with the OpenSSF, with a specific focus on their C/C++ Compiler Option Hardening Guide, which has served as both an internal resource and a community contribution.

Problem

C++ remains a foundational language in many critical systems, but it’s notoriously difficult to use securely. Given the massive volume of existing C and C++ code underpinning today’s infrastructure, many organizations face a familiar dilemma: how to improve the security of these systems without the unrealistic burden of rewriting everything in a memory-safe programming language. The team recognized the need for a pragmatic solution that could strengthen existing infrastructure.

Solution

Ericsson, together with partners found through its engagement in the OpenSSF, developed and released the C/C++ Compiler Option Hardening Guide as a practical approach to increasing software security through better compiler configurations. The guide maps out various hardening flags and compiler options, analyzing their implications on performance and security. Originally drafted by Ericsson’s product security team, the initial guide was donated to the OpenSSF and is now jointly developed in the Best Practices Working Group of the OpenSSF.

Open sourcing the guide proved invaluable. By contributing it to the OpenSSF, Ericsson gained access to a wider range of expertise—receiving high-quality feedback from compiler maintainers, Linux distribution contributors, and others across the ecosystem. These external insights not only validated Ericsson’s approach but improved the guide itself.

Results

  • The guide has been promoted internally at Ericsson and adopted or experimented with by community projects and organizations such as Wireshark, Chainguard, and the CPython project.
  • Feedback from community experts helped refine the guide, especially regarding how different compiler flags interact in real-world builds.
  • Ericsson’s work raised broader awareness about the importance of compiler-level hardening and provided a widely usable educational resource.
  • The collaborative development process reinforced the value of community feedback loops and pragmatic security practices.

Secondary Initiatives

In addition to the compiler guide, Ericsson is co-chairing the Best Practices Working Group and leading the development of a Python Secure Coding Guide therein. The team also benefits from other OpenSSF work, such as threat modeling and participation in the AI/ML Security Working Group.

“We’ve seen tremendous value in contributing our C/C++ Compiler Options Hardening Guide to the OpenSSF. The community feedback significantly improved the guide and validated our approach. It’s a win-win—for our internal teams and the broader open source ecosystem.” — Mikko Karikytö, Head of Product Security & CPSO

Future Plans

Ericsson plans to continue contributing to and evolving its secure coding practices through collaboration with the OpenSSF. As part of that commitment, Ericsson encourages peers in telecom, networking, and adjacent industries to explore the C/C++ Compiler Options Hardening Guide, apply its recommendations, and contribute to its ongoing improvement.

🔹 Visit Ericsson’s Open Source Program Office (OSPO) page to learn more about their broader open source strategy.

🔹 Get involved with the OpenSSF Best Practices Working Group to shape and support secure software development practices.

About Ericsson and OpenSSF

Ericsson has been a vocal advocate for responsible open source use and software security. Its OSPO leads efforts across multiple standards bodies and open source foundations. The OpenSSF provides a vendor-neutral forum for collaboration on secure software development and supply chain security.

For more case studies, visit: https://openssf.org/case-studies/

Linux Foundation and OpenSSF Release Cybersecurity Skills Framework to Strengthen Enterprise Readiness

By Blog, Press Release

New Customizable Global Framework Aligns IT Job Roles with Practical Cybersecurity Skills

SAN FRANCISCO, CA – May 14, 2025 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the launch of the Cybersecurity Skills Framework, a global reference guide that helps organizations identify and address critical cybersecurity competencies across a broad range of IT job families, extending beyond cybersecurity specialists. Produced in collaboration with the Open Source Security Foundation (OpenSSF) and Linux Foundation Education, the framework delivers actionable guidance to enterprise leaders looking to systematically reduce cyber risk.

As cybersecurity threats grow in both scale and complexity, enterprise leaders are struggling to align job roles with the practical skills needed to mount an effective defense. Despite cybersecurity being one of the top three most in-demand tech roles for enterprises, major talent readiness gaps remain. According to the Linux Foundation’s 2024 State of Tech Talent Report, 64 percent of organizations report candidates lack essential skills and it now takes an average of 10.2 months to hire and onboard new technical staff. Additional research from the Linux Foundation found that 62 percent of open source project stewards lacked dedicated personnel for security incident response, despite 74 percent maintaining formal cybersecurity reporting mechanisms.

These trends reflect a broader industry dilemma—growing awareness of cybersecurity needs without the personnel to tackle them—driven by unclear role expectations and fragmented training pathways. The Cybersecurity Skills Framework addresses these issues with a practical, globally relevant on-ramp that organizations can use to assess and build internal security capabilities. The framework provides leaders with an easy way to understand the cybersecurity skills needed, quickly identify knowledge gaps, and incorporate critical skills into all of their IT roles. By establishing a shared language for cybersecurity readiness, the framework prepares everyone who touches a system to take responsibility for security, not just the cybersecurity specialists: from app developers to web developers, network engineers to database engineers, solutions architects to enterprise architects.

The framework defines practical cybersecurity expectations across foundational, intermediate, and advanced proficiency levels, while mapping those skills to recognized standards such as the DoD 8140, CISA NICE Framework, and the ICT e-CF. By aligning with widely adopted standards and allowing for customization, the framework can be easily adopted across industries, regions, and organizational sizes. The framework is available in a free, easy-to-use web interface which allows users to select relevant job families, move skills between categories, delete any that don’t apply, and add custom items they require.

The framework was produced as a result of a global research effort, with contributions and feedback from cybersecurity educators, government advisors, framework stewards, and technical training experts, who together brought comprehensive expertise in workforce development, national defense, professional certification, and open source security.

“Cybersecurity is now a leadership issue, not just a technical one,” said Steve Fernandez, General Manager at OpenSSF. “Our framework gives organizations a straightforward way to identify gaps and prioritize the security skills that matter most, based on role and responsibility—not just checklists. It’s about building real-world resilience.”

The Cybersecurity Skills Framework provides guidance for key roles, including web and software developers, DevOps engineers, IT project managers, platform architects, GRC managers and more. Each job role is defined by its primary cybersecurity responsibilities and aligned with practical skills in areas like secure design, compliance, vulnerability management, and incident response.

“This framework is a valuable tool for CIOs, CISOs, and enterprise learning teams,” said Clyde Seepersad, SVP and General Manager of Linux Foundation Education. “In an era of accelerating threats, leaders need clear pathways for strengthening security culture across technical teams. This resource helps organizations take a proactive approach to employee development and risk reduction.”

The Linux Foundation and OpenSSF will update the framework annually and welcome community feedback from adopters. Organizations are encouraged to adapt and extend the model to align with their specific needs, security posture, and product portfolios.

To access the full Cybersecurity Skills Framework and explore how your organization can adopt it, visit: http://cybersecurityframework.io

Join us on Wednesday, June 11 at 11:00 am EDT for a webinar discussing the Cybersecurity Skills Framework. Visit here to register.

Supporting Quotes

“As cloud native adoption grows, so does the complexity of managing security across distributed systems. The Cybersecurity Skills Framework offers a clear, actionable resource for teams working in modern environments to assess skills, reduce risk, and embed security into every stage of the software lifecycle.”

– Chris Aniszczyk, CTO, CNCF

“As the cybersecurity landscape grows more complex, particularly with the rapid rise in AI technologies, security can no longer be siloed. Businesses must champion a culture of security awareness, education, and preparedness across functions. The new framework contributes to a stronger security posture by ensuring every team, from developers to IT leaders, understands the specific security skills they need.”

– Jamie Thomas, IBM Enterprise Security Executive

“Cybersecurity is a shared responsibility, and closing the skills gap is essential to building secure systems at scale. The OpenSSF Cybersecurity Skills Framework provides a clear, actionable roadmap for equipping technical teams with the right knowledge to protect our digital infrastructure, thus raising the bar for security readiness across the industry.”

– Arun Gupta, VP of Developer Programs, Intel / Governing Board Chair for CNCF & OpenSSF

“Cybersecurity today seems more complicated than ever. It can be difficult to keep up with the evolving cyber risk landscape and what skills internal teams need to approach and mitigate those risks. The Cybersecurity Skills Framework is a much needed blueprint for how developers should approach career development, teams plan for adapting to new risks, and organizations build training governance for the continuous evolution of their cybersecurity programs.”

– Michael Lieberman, CTO and Co-Founder, Kusari

“The Cybersecurity Skills Framework is grounded in extensive global research and community collaboration. By surfacing practical, role-specific insights, the framework helps enterprise leaders understand where their cybersecurity capabilities stand—and where they need to grow. It’s a meaningful step toward bridging the persistent skills gap we’ve seen across sectors.”

– Hilary Carter, SVP Research at the Linux Foundation

“Security is a shared responsibility across the open source ecosystem. This framework is a powerful tool to help developers, project leaders, and enterprise teams better understand how their roles contribute to a secure software supply chain. It supports the kind of continuous learning culture that is essential to sustainable open source development.”

– Robin Bender Ginn, Executive Director, OpenJS Foundation

“The need for experienced cybersecurity practitioners continues to increase, and a clear understanding of cybersecurity roles, responsibilities, and required skills is not just beneficial – it is the foundation for a resilient and secure organization. The Linux Foundation’s Cybersecurity Skills Framework provides guidance to help leaders and practitioners understand the baseline skills needed for various roles. It serves as an excellent starting point for cybersecurity practitioners looking to enter the field or plan their career progression. Additionally, it helps leaders identify the necessary roles and skills to meet their cybersecurity demands.”

– Dave Russo, Senior Principal Program Manager, Secure Development, Red Hat

###

About the Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, LF Decentralized Trust, Node.js, ONAP, OpenChain, OpenSSF, PyTorch, RISC-V, SPDX, Zephyr, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contact
Noah Lehman
The Linux Foundation
nlehman@linuxfoundation.org

What’s in the SOSS? Podcast #30 – S2E07 Scaling Security: Inside the GitHub Securing Open Source Software Fund

By Podcast

Summary

In this episode of What’s in the SOSS?, CRob sits down with Kevin Crosby and Xavier René-Corail from GitHub to unpack the GitHub Secure Open Source (SOS) Fund – an innovative program that combines funding, education, and community to strengthen open source security. Learn how this unique initiative connects maintainers with training, resources, and a $10K stipend to scale security best practices. The trio also shares the origins of the fund, surprising takeaways from the first cohort, and what’s next for this rapidly growing initiative.

Conversation Highlights

00:00 – Introduction
00:58 – Meet the Guests
02:26 – Open Source Origin Stories
06:10 – The Spark Behind the SOS Fund
10:19 – What Participating in the Fund Looks Like
12:39 – Inside the Curriculum
14:50 – Unique Program Design & Outcomes
16:23 – Key Learnings from the First Cohort
19:09 – Feedback & Areas to Improve
21:50 – What’s Next for the Fund
23:00 – Rapid Fire Round
24:23 – Call to Action

Transcript

Intro Music (00:00)

Kevin Crosby (00:04)
I think that that was one of the most impressive things is just seeing these maintainers emerge out of a program and say, wow, you know, we live security now, you know, I think that that was pretty cool.

CRob (00:18)
Welcome to What’s in the SOSS, the OpenSSF’s podcast where I talk to maintainers and developers, security researchers and experts all around the open source security ecosystem. It is my pleasure to be your host. My name is CRob. I’m the security architect for the Open Source Security Foundation and one of our co-hosts for this amazing little endeavor. And today I think we have a real treat. We have some people that have been deeply involved in upstream open source security for a very long time. And they have a pretty innovative idea that they’re going to be talking about, this program we’re collaborating on together. So please let me welcome my friends, Kevin and Xavier from GitHub.

Kevin (01:04)
Thanks for having us today. It’s exciting to join the podcast and get to share this journey. And also very thankful for the partnership that you’ve brought through this program as well. Just quick background, Kevin here from GitHub. I lead our open source funding programs, specifically focused on things around GitHub Sponsors that enable developers to get paid for their open source work. Think of things like hobbyists that are working on open source part-time to even full-time careers, or even folks that are starting to build companies around open source. And then programs beyond that through the Secure Open Source Fund as well as the GitHub Fund with Microsoft’s venture fund as well.

CRob (01:44)
And Xavier, want to introduce yourself?

Xavier René-Corail (01:45)
Hey, CRob. Yes, I’m Xavier René-Corail from GitHub. I’m a Senior Director of Security Research and I lead the GitHub Security Lab. Our mission is to help secure open source. I’ve got a team of hackers who are doing security research. Another team who is in charge of creating the GitHub Advisory Database and managing our CNA. And, well, also, I’ve been with you, CRob, one of the…kind of initial members of the Open Source Security Foundation. We work together in the Best Practices Working Group and we are continuing to work together on securing open source.

CRob (02:26)
Yeah, I know Xavier, he and I used to be one of like 15 people that attended all the OG meetings five years ago when we got started off. I’m very glad to continue our partnership with this new evolution of kind of GitHub’s engagement with helping improve open source security.

Xavier René-Corail (02:34)
Haha right.

Xavier René-Corail (02:41)
Yes.

CRob (02:44)
So before we jump into the SOS program, let’s talk a little bit and explore your open source origin stories. How did you get into open source and, you know, what drives you to keep participating here?

Kevin (02:57)
Xavier, you want to go first?

Xavier René-Corail (02:59)
Yeah, I can. So my first step in open source, let me check. So first of all, I started programming in the 80s. I think I started with Tron and I think, yes, my two first games were a snake and a pong. But then, after, you know, during high school, teenage years, I forgot a bit about that then got back to…to coding during college. And then after that, started my career as a developer. And then very quickly, I came into being in charge of development practices. And as part of that, I created the open source policy for the company I was in. And this is how I discovered open source by…um empowering the developers of my company to take advantage of open source and also of course to give back to open source and to contribute to open source. So this is how I came to work in open source.

CRob (04:11)
Awesome. What about you, Kevin?

Kevin (04:13)
Mine’s kind of an interesting story. So I’m non-technical background. Originally, I was in economics, almost did a PhD and freaked out right at the housing bust and decided to go into corporate finance. So a little bit different of an experience. But during that journey, I started working with some early stage startups and venture firms and they were building open source tools coming out of university labs and innovation. And so I got the first flavor through that and really understanding how do you leverage this technology to build innovative products, sometimes even companies around it. And then fast forward a couple of years when I was at Amazon, my next touch point was we were building products that leverage things like OpenFire and Hazelcast to build messaging applications.

One of the coolest things was because we were building with it, I wanted to make sure our engineering team was able to contribute back to that open source project. And so we were actually shipping alongside the community and making sure that they were getting some of the innovations, which was super, super cool to see. And then fast forwarding a little bit further is kind of staying within tech and venture. I was in the Alexa fund. We got to work with early stage startups investing in early stage open source AI companies got to evaluate and meet folks like Hugging Face, for example, and just kind of understanding where this ecosystem was going. And all that kind of brought this view of when I came to GitHub of how do you bolt on funding for open source, make it sustainable, drive innovation, and also create new pathways of funding for these maintainers through their journey. And so that’s what I came here to do. And it’s been super exciting over the past almost two years to think about how we can build new funding models for open source maintainers and projects. So excited for this new addition to that as well being kind of a next iteration of all of the career touch points I’ve had with open source.

CRob (06:10)
Totally didn’t arrange it, but that is an amazing transition. So let’s talk about GitHub Securing Open Source Software Fund. You know, why have you all decided to kind of organize and run this program?

Kevin (06:25)
Yeah, maybe kicking it off with an interesting insight that we had from the GitHub accelerator last year. One of the key modules that I was thinking about, and this was a brainstorm with Xavier, was do we actually know how much security education and training do people have for these emerging, fast growing projects? And even some of the ones that are becoming vital to the ecosystem.

And so I just literally threw it out to Xavier as an experiment. Like, can we try to run this content and engagement with these projects and see what the results would be? And so we did it. And maybe Xavier, if you want to talk about that initial experience, it’d be great to just kind of get your point of view from it as well.

Xavier René-Corail (07:08)
Yeah, well, it was exactly as you said, it was an experiment at first, right? And part of the accelerator and it came a bit last minute, right? But we, but I mean, at GitHub, we are ready to pivot fast and to try to think fast. And so we did some, we did some office hours, we did some one-on-one audits of these projects and we did some basic training about security posture. And yes, and the results were great. I mean, the engagement of the maintainers and the result, the impact that it had on them was great. So, so Kevin came again.

Kevin (07:58)
I came asking again, like, can we make this bigger? You know, I think the learning that we had is when you connect funding with time, training and expertise, you’re able to maximize the impact of the training and education. And so, and it also kind of dovetailed with a lot of the needs around security within the open source supply chain. So you kind of had this serendipitous moment of

high need, both in terms of like a macro level, but also high need from a developer level to make this work. And also lining that up with the incentive structure of funding and education that makes it really special for these maintainers. And so that actually is what kind of seeded this idea of let’s build a programmatic open source fund targeting security that links the funding to the outcomes of security specifically. And so we tested that hypothesis.

Honestly, I’ll say it took us, I think, 30 days round trip from like the seed to actually getting the program previewed at GitHub Universe, bringing folks along, getting funders to commit to the program, lining up what a scaffolding curriculum might look like. And so we had that in like 27 days to preview it at GitHub Universe. And I actually think that was the first time you and I spoke about it too, because we were like, hey, what do you think?

CRob (09:26)
Great, that was exactly.

Xavier René-Corail (09:27)
Yeah. I mean, it was great because so my team, the Security Lab, you know, we’re already doing these trainings, these free trainings, this additional content, these office hours. It was already part of what we do for open source. But with this program, we had the opportunity, you know, to have the, yeah, the programmatic power, you know, and the marketing and the partnership and the funding, et cetera. So when Kevin came to me with that, I said, yes, please, yes, let’s do that. And I must say that, yes, the turnaround was impressive. And in particular, thanks to partners like OpenSSF, who, I mean, CoreView, immediately said, yes, let’s do it. And yes, it went pretty fast indeed.

CRob (10:19)
So for our audience that may not be familiar, could you just broadly describe if a project is participating in the fund? How does that? What does that look like? What do they do?

Kevin (10:30)
Yeah, that’s a great question. Maybe I’ll tee this up really quickly by saying the overall architecture of the fund brings together funders, organizations, community partners like OpenSSF and some others that actually bring resource expertise and kind of shape the program and then GitHub as well as our maintainers. And so we kind of have this ecosystem surrounding this. And so what we’ve done as a program, as a maintainer that gets brought in,

You go through a standard application process, highlighting things around what your project is, what you do with your project, what your project does for the ecosystem, level of security awareness and education, the benefit of the funding specifically, what it can do to unlock resourcing, et cetera. And that’s kind of the process to bring them in. And once we’ve done that, we architected what I would consider a really unique structure. And I’m excited to talk about it for variety of reasons, but…

It’s effectively a three-week boot camp focused on security fundamentals, thinking about things that you need to have at day zero of building a project, all the way up to the lifespan of your project, thinking about implementing some of these techniques within the project itself, and then also some of the frontier stuff around AI. And so this three-week boot camp is around security fundamentals, best practices, but then we bolt on things like six months check-ins, 12 months check-ins.

community engagement with experts throughout the program to make sure that we actually line up all the resources that a maintainer would need, not just to learn it, but to actually embed it and embody it in their culture, make it scale out to their contributors, their communities, and even the consumers of their software. So I’m really excited about how the program’s been shaped. And a big kudos to Xavi, and I want him to talk about this in depth.

The Security Lab team is what bolts this together. And so I want to make sure like the impact of like how this all comes together is really focused on the Security Lab and the work they do. So Xavier, I would love you to kind of like jump in on the curriculum and education.

Xavier René-Corail (12:39)
Yeah, thank you, Kevin. Well, again, I mean, these are things that we were doing, but this program really brought the opportunity to amplify it. So it’s not only, it’s really together that we, that we are, that we managed to put that up. So, so in terms of curriculum, yes, we are trying during this three-week bootcamp to, to, to, to have a mix of, you know, basic security posture and some advanced training on, for example, on fuzzing, on static analysis, things like that.

So you really have to mix because you have a mixed audience first. You need to, I mean, not everyone is at the same moment of their security journey, right? So you have to have a mix of that. We are trying to address all aspects from coding to incident response to vulnerability management.

So again, a mix of that. And of course, the important thing is that we are in continuous improvement mode. From the feedback from the first cohort, we will get to add more content. We have some people who are coming to us and proposing new content. And we’re like, yes, please come in.

So yeah, that’s in a nutshell, yes, that’s how we built this program. We are trying to get experts giving these trainings. So from us, but also from our partners, from the great David Wheeler, for example, from OpenSSF. So this is adding…

This is adding something to the learners, to maintainers, to have these great presenters who know what they’re talking about, giving them these presentations and answering the questions. So yes, that’s it.

Kevin (14:53)
I was gonna say, and just to double click on that a little bit, I mean, I think the uniqueness of it, to Xavier’s point, is how we framed and packaged it. So if we zoom out and say, what does a maintainer get? It’s a three-week security bootcamp with all of the education and expertise with these topics really focused on the programming. They get access to the Security Lab. They get access to the maintainer community.

They get access to the ecosystem partners that we’ve brought in and the funding partners as well. And then on top of that, they get embedded with like the data of like, how are we progressing in our own security journey? Like, are we making progress? Are we embedding it in our community? How are we collaborating with other projects and maintainers through that as well? And so that’s kind of what the maintainers get. And the last thing that I think, you know, we didn’t really touch on, but the funding is really, you know, aligning the maintainers to spend the time commitment on it. So we provide a $10,000 stipend to the projects.

CRob (15:52)
Wow.

Kevin (15:52)
Most of that comes upfront, you know, the $6,000 upfront of the program to really solidify the three-week bootcamp. And then the rest is to align onto the reporting and kind of the touch points and making sure they’re continuing on their security journey. And so by aligning the funding and linking it to the outcomes that we’re trying to get with security, it becomes a really great model that is helpful for maintainers and for the projects that are being improved with security throughout the program.

CRob (16:20)
That’s awesome. So Xavier touched on it. We are just coming towards the end of the first cohort. Could maybe you share what’s been some of the most surprising things you’ve learned so far in interacting with both the funders and the maintainers and projects?

Kevin (16:41)
Maybe Xavier, do you want to go first?

Xavier René-Corail (16:44)
Well, yeah, my big surprise was the enthusiasm of everyone. I mean, I know this is something that is a passion for me, but I was, I mean, I don’t know, I wasn’t expecting that level of enthusiasm and of engagement from everyone. Really, you know, I was expecting some of the projects to be already quite advanced on the…you know, in their journey and then to be, to react a bit like, okay, there is content that is interesting for me, but some of the content is too basic. I was expecting that, right? No, everyone was really, really super engaged and super enthusiastic. So that was the big positive surprise for me. What about you, Kevin?

Kevin (17:41)
Yeah, I echo that. I kind of bucket them in three different functions. One is I think there was a very strong level of trust from the outset because there was all shared alignment on security within their project. And so I think everyone walked in and this kind of drove the enthusiasm of like, we’re all here for the same thing and having the same impact. So that was great. Two, I think the community lens was very fascinating to me just to see folks across different sizes of projects, stages of their growth or in kind of like distribution, as well as their own maturity journey within security, and like just seeing that community fuse really well together to cut across different frameworks, languages, et cetera, was really powerful. And I think the last thing that I’d say on this is the outcomes that we see are meaningful. Like not just from like, did the…things go red to green or anything like that, but really like you see them embody this change of what it means to be a steward of security within open source. And that’s really unique. I don’t think, and we kind of saw glimmers of that within the accelerator, but I didn’t think we’d, I didn’t know if we’d see it at this scope and scale. And I think that that was one of the most impressive things is just seeing these maintainers emerge out of a program and say, wow, you know, we live security now, you know, I think that that was pretty cool.

CRob (19:09)
Awesome. So on top of this, it sounds like you’ve gotten a lot of great feedback. Is there anything that kind of stands out, where you’ve got a maintainer or project that kind of shared something really valuable back to you all from this experience?

Kevin (19:23)
I have a lot. I think one of the things that stands out in feedback is kind of going to the point of the maturity curve is that it’s a very meaty subject. And so being able to scale content and education appropriately to meet maintainers where they are in their own journey is like one of the most critical things. And I think we’re, you know, adjusting to that is like one thing to think about. And then two, being able to touch upstream and downstream projects within their own ecosystems is another area where I think that that’s a big opportunity for us to engage and kind of think about securing through the program as well. So those are just two immediate ones that I’m pretty excited about. Xavi, what about you?

Xavier René-Corail (20:17)
Yeah, I will double down on what you said, Kevin: scaling to more projects, this will be the big challenge. And one other thing that I will add that I want to focus on also, because that was a positive feedback from participants, is adding some fun to the training. All of the trainings that were interactive and fun and with quizzes, et cetera, worked very well. And so, yeah, you know, I used to say that boring is the arch enemy of learning. And so, yeah, I, I think that I want to add a bit more fun to the curriculum. So…

CRob (20:58)
I for one, totally agree with that. I think security is a lot of fun.

Xavier René-Corail (21:02)
It is.

Kevin (21:02)
Security is a lot of fun. You know, it was super interesting to see the modules I’d say that had interactive coding engagement. Like people really love just diving into it. And the other thing that was kind of unique that I don’t think is super surprising, but this concept of like see one, do one, teach one. Like it’s people coming through this journey and like, as you emerge, the first time you see it, like, my gosh, like this is overwhelming. The next time you do it, like I can actually do a coding exercise on this and actually implement some changes.

And then you see people a day later that are teaching like, this is how I did it, or this is how I’m thinking about it. It’s really cool to see that like, transpire throughout the program. And people loved it. Like to your point on fun, that made it fun, you know, to be able to teach people and engage is really unique.

CRob (21:50)
So let’s gaze out over the horizon, kind of what’s coming down the pipe for the GitHub Securing Open Source Software Fund. What do you have in your bag of tricks next?

Kevin (22:00)
Bag of tricks, that’s always a great question. As Xavier said, I mean, we have to scale. So we did the first session. Our objective is to do 125 projects this year. So we have multiple sessions that will be going on throughout the back half of the year. Session two will be kicking up in the next couple of months. And so we’re rapidly preparing for that. Yeah, I think that that’s where we’re looking forward to just in the back half of the year.

CRob (22:28)
Mm-hmm.

Xavier René-Corail (22:30)
Yeah. And in terms of curriculum, as I said, I’m receiving a lot of proposals to add content. I’m going through that, going to add this content. I’m in particular interested, if I have some ecosystem partners who are listening, I’m interested in language-specific training for security. So if anyone has them, please reach out.

CRob (22:56)
Patches welcome, right?

Xavier René-Corail (22:58)
Yes, always.

CRob (23:00)
Nice. Well, let’s move on to the rapid fire part of our session. Are you ready for rapid, rapid, rapid fire? I have some wacky questions I’m going to ask you. Just give me the first thing that comes to the top of your mind. First question and potentially controversial, vi or Emacs?

Xavier René-Corail (23:04)
Ha

Kevin (23:04)
Love it.

Xavier René-Corail (23:24)
Emacs.

Kevin (23:25)
I’m going to go the opposite just to say vi.

CRob (23:29)
There are no wrong answers. Some are better than others, though. Also equally contentious, tabs or spaces?

Xavier René-Corail (23:30)
Spaces.

Kevin (23:31)
I like tabs.

CRob (23:45)
You guys are balancing each other out very well.

Xavier René-Corail (23:45)
Right?

Kevin (23:45)
Yeah.

CRob (23:47)
Ice or neat?

Xavier René-Corail (23:50)
Neat.

Kevin (23:51)
Neat.

CRob (23:52)
Excellent, excellent answer. Who’s your favorite open source mascot?

Xavier René-Corail (23:58)
Mona, of course.

Kevin (24:00)
Yeah, you can’t go wrong with Mona.

CRob (24:04)
That is perfectly fine. And finally, the most important question, mild or spicy food?

Kevin (24:12)
I’m all about spicy food.

Xavier René-Corail (24:12)
Spicy for me. Yeah, good, spicy. I’m from the Caribbean and yeah.

CRob (24:22)
Ohhhhhh….that’s spicy. Nice. Excellent. Well, thank you all for playing along. And as we wrap up, do you have any call to action or anything you want to ask our audience to potentially think about in regards to your program?

Kevin (24:33)
Certainly, I mean, right now, any maintainers that are interested in joining to up-level their security, we’re welcoming applications. They’re rolling, ongoing throughout the year. As you know, we have a robust pipeline of projects to go through in multiple sessions. So always feel free to apply. And then for funders, if they’re interested in helping secure their own dependencies, we welcome those conversations. I think it allows us to unlock more opportunities and projects with funders. They also bring unique insights and resources from their own ecosystems. And Xavier said it too, and ecosystem partners that are ready for the journey to provide education, curriculum, engagement with maintainers. Some of them are even unlocking referrals for their maintainers that are coming through the program, things like that. So we would certainly welcome those opportunities throughout the year. It’s not just today, it’s not just tomorrow, but it’s an ongoing journey.

CRob (25:18)
Very nice.

CRob (25:27)
Xavi, any advice for the audience or a call to action?

Xavier René-Corail (25:30)
No, honestly, nothing to add. I already made my cultivation. I need some language-specific training for security. So if you want to help open source projects, please reach out to me.

CRob (25:48)
Love it. Thank you, gentlemen, for helping shepherd this amazing project program together to help the ecosystem. And I really am excited to see the results as you are engaging directly with these maintainers. So thank you all for coming and I will wish everybody a happy open source out there. Thanks all.

Xavier René-Corail (26:08)
Thank you, CRob.

Kevin (26:08)
Thanks for having us.

Outro (26:10)
Like what you’re hearing? Be sure to subscribe to What’s in the SOSS on Spotify, Apple Podcasts, AntennaPod, Pocket Casts or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it all. Check out the newsletter for open source news, upcoming events and other happenings. Go to openssf.org/newsletter to subscribe. Connect with us on LinkedIn for the most up-to-date OpenSSF news and insight and be a part of the OpenSSF community at openssf.org/getinvolved. Thanks for listening and we’ll talk to you next time on What’s in the SOSS.