

The OpenSSF Policy Summit DC 2025 brought together open source, government, and industry leaders to tackle pressing security challenges. The event fostered open dialogue under the Chatham House Rule, emphasizing shared responsibility and commitment to strengthening the open source ecosystem.
“The OpenSSF is committed to tackling the most pressing security challenges facing the consumption of open source software in critical infrastructure and beyond. Our recent Policy Summit highlighted the shared responsibility, common goals, and commitment to strengthening the resilience of the open source ecosystem by bringing together the open source community, government, and industry leaders.” – Steve Fernandez, General Manager, OpenSSF
The summit opened with remarks from OpenSSF General Manager Steve Fernandez emphasizing the importance of collaboration between industry, government, and the broader open source community to tackle security challenges. Jim Zemlin, Executive Director of The Linux Foundation, delivered a keynote on the importance of securing open source in modern infrastructure, followed by Robin Bender Ginn of the OpenJS Foundation, who provided insights into systemic security challenges. Panels covered key topics such as integrating security into the software lifecycle, regulatory harmonization, AI security risks, and the adoption of open source in government.
The policy summit included various breakout sessions; below are some key takeaways from each.
AI security is at a crossroads, with many of the same supply chain risks seen in traditional software. Unlike past security crises, AI has not yet had its “Heartbleed moment”, making this the time to proactively address risks.
AI presents both new challenges and an urgent need to reinforce existing security efforts led by OpenSSF and The Linux Foundation. If the origins of AI models are unclear, how can we truly trust them? Understanding and measuring the risks associated with AI is critical, especially as AI frameworks and libraries integrate with other tools, potentially introducing new vulnerabilities. Yet, security in this space is often left as an afterthought—an exercise for the user rather than a built-in safeguard. As AI intersects with open source software, traditional cybersecurity risks remain relevant, raising key questions: What are the existing guardrails, and how can we strengthen them to ensure a more secure AI ecosystem?
The conversation centered on improving how open source components are updated, ensuring clear maintenance statuses, and reducing dependencies on U.S.centric platforms.
Improving component updates is a critical challenge, especially when backward-incompatible changes prevent seamless upgrades. The industry needs clear guidance on enabling and streamlining updates, ensuring that software remains secure without unnecessary friction. Best practices for downstream consumers should be more widely established—such as evaluating whether a project is actively maintained before adopting it and identifying major backward-incompatible API changes as potential risks.
A structured approach to declaring an open source project’s maintenance or production status is also essential. There should be a formal, machine-ready way to indicate when a project is no longer maintained, making it easy to see and act upon. Additionally, as organizations strive to avoid being U.S.centric, requirements should be designed to be platform-agnostic rather than tied to specific tools.
Transparency is another key consideration. There needs to be a way to self-attest disagreements in security scans—allowing individuals to provide justification with supporting URLs when a requirement is met or missed. While knowing who maintainers are can be useful, it should not be the sole security measure.
Finally, ensuring that executables match their claimed source code is fundamental to software integrity. Protecting the build process through frameworks like SLSA and enabling verified reproducible builds can help mitigate risks, preventing attacks like those seen with xz utils.
As open source software faces increasing regulatory scrutiny, the need for cross-compliance agreements and clear policies has become a priority.
There are many open questions surrounding the EU’s Cyber Resilience Act (CRA)s definition of an open source steward. Clarity on what qualifies as stewardship is essential, as it impacts compliance responsibilities and obligations under the regulation.
A key concern for organizations navigating the CRA is the lack of a Mutual Recognition Agreement (MRA)—a framework that would allow compliance with one regulation to satisfy the requirements of another. Without this reciprocity, manufacturers must meet CRA standards separately to sell in Europe, adding complexity for global companies. Many U.S.based organizations are now grappling with whether and how to align these requirements domestically to avoid maintaining multiple sets of policies.
One proposal to strengthen open source sustainability is requiring government contracts to include provisions mandating that any changes to open source software made as part of the contract be contributed upstream. This would ensure that improvements benefit the broader ecosystem rather than remaining siloed.
Another growing concern is the financial sustainability of open source projects. Large organizations often look to cut costs, and open source funding is frequently among the first areas to be reduced. Regulation could help prevent this by recognizing the critical role open source plays in security and innovation.
Finally, organizations need better ways to quantify the impact of their open source contributions across distributed teams and departments. Some efforts are underway to address this challenge, but it remains difficult to track how contributions tie back to business value. While The Linux Foundation’s LFX provides some insight, similar visibility is lacking across other foundations, leaving a gap in industry-wide solutions.
Discussions focused on improving how package repositories handle security and lifecycle management.
The group explored how to effectively track when open source projects reach end-of-life or end-of-support, recognizing the need for clearer visibility into project status. One proposal discussed was the Global Cyber Policy Working Group’s idea to introduce a “steward.md” file, which would explicitly indicate whether a project is maintained by an OSS Steward. A key question raised was how package repositories should track and surface Steward information. Ensuring that repositories can reliably display this data would help users make informed decisions about software adoption and maintenance. Security was another focus of discussion, particularly the importance of isolating components of the build pipeline to minimize attack surfaces. One suggestion was to remove pre-install scripts, which can introduce vulnerabilities if not properly managed. Finally, the group considered next steps for the Principles of Package Repository Security document. Identifying priority areas for improvement will be crucial in strengthening repository security and ensuring alignment with broader security best practices.
The Policy Summit reinforced OpenSSF’s commitment to improving open source security through collaboration and actionable insights. We encourage the community to stay engaged and contribute to ongoing efforts in these key areas.
In this episode,CRob is joined by Arun Gupta, Vice President and General Manager of Developer Programs at Intel and OpenSSF Governing Board Chair, and Zach Steindler, Principal Engineer at Github, a member of the OpenSSF TAC and co-chairs the OpenSSF Security Packages Repository Working Group to discuss the key lessons learned from open source security in 2024, the importance of the MVVSR (Mission, Vision, Values, Strategy, and Roadmap) framework, and the exciting initiatives planned for 2025. They highlight the growing reliance on open source, the challenges of dependency vulnerabilities, and the need for better security practices in the industry.
CRob (00:50.337)
Hello and welcome to What’s in the SOSS, the Open Source Security Foundation’s podcast where we talk to folks from all around the open source ecosystem—interesting developers, thought leaders, and participants within this amazing movement that we call open source. Today, I have some amazing guests on the podcast with us that you may remember from previous sessions. I have Arun and Zach, who are part of the leadership of the foundation, and we’re here today to talk about some of the amazing things we’re planning on doing in 2025. But before we jump into the cool stuff, let’s just briefly, Arun and then Zach, if you could give us a TLDR of who you are and what you do with the foundation.
Arun Gupta (01:38.222)
Absolutely, I can start. Very happy to be here, CRob. Yeah, I’ve been with the OpenSSF Foundation for over two years now, been on the governing board all along. I was the governing board chair for 2024, and I was fortunate enough to be elected again for 2025. So, I guess the work I was doing was liked by somebody at least, so I’m happy to be here. OpenSSF is doing something really, really cool, which we’ll talk about today. And I’m really happy to help with my share.
Zach Steindler (02:18.392)
Yeah, thanks, Arun. I’m Zach Steindler. I work at GitHub on supply chain security for open source users, but also for our enterprise customers. I’m just about to start my third year serving on the OpenSSF TAC. I took over as 2024 tech chair, CRob, when you made the jump into the OpenSSF Chief Architect role. I also co-chair the Securing Software Repositories Working Group, where we get together folks from PyPI, Homebrew, and RubyGems to talk about best practices for securing those ecosystems.
CRob (03:00.161)
Excellent. And I want to thank you both for your ongoing leadership and community involvement. I think 2025 is going to have some amazing stuff in store for us all. Reflecting back, last year, 2024 was a very busy year for the foundation. I would encourage everyone to review our annual report, which came out in December, to see some of the amazing things our community members are working on. But looking at all of that, 2025 looks even busier. From your perspective, Arun, what were some of the key lessons we learned about open source security in 2024?
Arun Gupta (03:41.058)
Yeah, if you look at 2024, a few themes easily emerged. The reliance on open source is only going to grow. If you look at a typical application, roughly 80%, sometimes 90%, of the stack is open source. So it is definitely a critical part of our infrastructure. Pick any industry, vertical, or domain, and open source is prevalent. With a bigger scope comes a bigger attack area as well. The kinds of things we saw include dependency vulnerabilities continuing to be big. It started with Log4Shell during the pandemic back in 2021, and it has only grown. Many organizations still face outdated or insecure dependencies and need help tracking and fixing them. We have projects like GUAC, the AI cybersecurity challenge, and other OpenSSF efforts driving this part of the industry.
Another issue we saw was social engineering attacks. Open source is built on a human engineering fabric, so threats like the XZ Utils backdoor are a real concern. OpenSSF and OpenJS worked together to issue an alert on what needs to be done. Should we have trusted maintainers whom we’ve met in real life? These are important questions.
Supply chain attacks also continue to rise due to reliance on open source, particularly with government mandates requiring SBOMs to improve transparency and manage supply chains. OpenSSF is working on projects like Protobomb and BombCTL to simplify SBOM creation and portability.
Finally, regulatory pressures increased. The Cyber Resilience Act and the U.S. executive order on stricter open source compliance created unintended consequences for small businesses and open source communities. OpenSSF is working with the EU to ensure a balanced implementation that supports open source while keeping it secure.
Zach, what else would you add?
Zach Steindler (07:15.736)
That was a fantastic overview. I’ve spent much of my career on the defensive side of things in OpenSSF with supply chain security. It has been interesting to see how some of the capabilities we’ve developed have helped in incident response, such as build provenance in the Python package Ultraylitics compromise. That helped us understand what the attacker was doing and how to respond.
Going back to XZ Utils, I think a lot about how we can make the lives of open source maintainers easier in 2025. We ask a lot from them, and while we’re building new security capabilities, they shouldn’t add extra burdens. We must ensure security improvements come with usability improvements to make maintainers’ lives easier.
CRob (08:29.697)
Excellent points. Let’s talk about some things the foundation wants to collaborate on this year. We adopted a practice called MVVSR last year. Zach, maybe you could give an overview of what MVVSR is.
Zach Steindler (08:51.074)
OpenSSF is exiting an exciting early phase where we tried a lot of things to see what worked. Now, we’re borrowing practices from nonprofits and the business world to be more thoughtful about engagement. MVVSR stands for Mission, Vision, Values, Strategy, and Roadmap. It helps us define where we want the organization to go. The mission is high-level, perhaps on a 10-year timeline. The roadmap outlines immediate actions, spanning months or a year.
In late 2024, the OpenSSF TAC, Governance Committee, and Governing Board revised the MVVSR, focusing on strategy. We defined three key categories:
CRob (13:13.505)
Awesome. Arun, you’re involved in various foundations. How important is having a roadmap for OpenSSF’s strategy?
Arun Gupta (13:41.486)
It’s critical. Success depends not just on creating guidelines but on their adoption by other foundations. OpenSSF’s mission is to improve open source security, but much of the work happens in other foundations like CNCF, Apache, and Eclipse. Our success is defined by how widely our recommendations are adopted.
For example, Kubernetes adopting OpenSSF recommendations is a big win. At Intel, we ran the OpenSSF Scorecard across all public GitHub repos, tracking incremental security improvements. These efforts align back to OpenSSF’s mission.
CRob (26:18.849)
We’ve accomplished a lot in 2024 and have exciting plans for 2025. Thank you both for your leadership, and thanks to our community of contributors for driving these projects forward. It’s amazing to see initiatives like Salsa and sigstore, which started over four years ago, continue to grow. Gentlemen, I appreciate your time today, and I look forward to working together in 2025. Thank you.
Arun Gupta (27:05.486)
Thank you so much.
Zach Steindler (27:05.72)
Thanks, CRob, pleasure to be here.
WASHINGTON, D.C. – March 11, 2025 – The Open Source Security Foundation (OpenSSF) successfully hosted its 2025 Policy Summit in Washington, D.C., on Tuesday, March 4. The summit brought together industry leaders and open source security experts to address key challenges in securing the software supply chain, with a focus on fostering harmonization for open source software (OSS) development and consumption in critical infrastructure sectors.
The event featured keynotes from OpenSSF leadership and industry experts, along with panel discussions and breakout sessions covering the latest policy developments, security frameworks, and industry best practices for open source software security.
“The OpenSSF is committed to tackling the most pressing security challenges facing the consumption of open source software in critical infrastructure and beyond,” said Steve Fernandez, General Manager, OpenSSF. “Our recent Policy Summit highlighted the shared responsibility, common goals, and interest in strengthening the resilience of the open source ecosystem by bringing together the open source community, government, and industry leaders.”
“The OpenSSF Policy Summit reaffirmed the importance of industry-led security initiatives,” said Jim Zemlin, Executive Director of the Linux Foundation. “By bringing together experts from across industries and open source communities, we are ensuring that open source security remains a collaborative effort, shaping development practices that drive both innovation and security.”
Following the summit, OpenSSF will continue to refine security guidance, best practices, and policy recommendations to enhance the security of open source software globally. The discussions from this event will inform ongoing initiatives, including the OSS Security Baseline, software repository security principles, and AI security frameworks.
For more information on OpenSSF’s policy initiatives and how to get involved, visit openssf.org.
Supporting Quotes
“The 2025 Policy Summit was an amazing day of mind share and collaboration across different teams, from security, to DevOps, and policy makers. By uniting these critical voices, the day resulted in meaningful progress toward a more secure and resilient software supply chain that supports innovation across IT Teams.” – Tracy Ragan, CEO and Co-Founder DeployHub
“I was pleased to join the Linux Foundation OpenSSF Policy Summit “Secure by Design” panel and share insights on improving the open source ecosystem via IBM’s history of creating secure technology solutions for our clients,” said Jamie Thomas, General Manager, Technology Lifecycle Services & IBM Enterprise Security Executive. “Open source has become an essential driver of innovation for artificial intelligence, hybrid cloud and quantum computing technologies, and we are pleased to see more regulators recognizing that the global open source community has become an essential digital public good.” – Jamie Thomas, General Manager, Technology Lifecycle Services & IBM Enterprise Security Executive
“I was delighted to join this year’s OpenSSF Summit on behalf of JFrog as I believe strongly in the critical role public/private partnerships and collaboration plays in securing the future of open source innovation. Building trust in open source software requires a dedicated focus on security and software maturity. Teams must be equipped with tools to understand and vet open source packages, ensuring we address potential vulnerabilities while recognizing the need for ongoing updates. As the value of open source grows, securing proper funding for these efforts becomes essential to mitigate risks effectively.” – Paul Davis, U.S. Field CISO, JFrog
“Great event. I really enjoyed the discussions and the idea exchange between speakers, panelists and the audience. I especially liked the afternoon breakout discussion on AI, open source, and security.” – Bob Martin, Senior Software and Supply Chain Assurance Principal Engineer at the MITRE Corporation
“The Internet is plagued by chronic security risks, with a majority of companies relying on outdated and unsupported open source software, putting consumer privacy and national security at risk. As explored at the OpenSSF Policy Summit, we are at an inflection point for open source security and sustainability, and it’s time to prioritize and invest in the open source projects that underpin our digital public infrastructure.” – Robin Bender Ginn, Executive Director, OpenJS Foundation
“It is always a privilege to speak at the OpenSSF Policy Summit in D.C. and converse with some of the brightest minds in security, government, and open source. The discussions we had about the evolving threat landscape, software supply chain security, and the policies needed to protect critical infrastructure were timely and essential. As the open source ecosystem expands with skyrocketing open source AI adoption, it’s vital that we work collaboratively across sectors to ensure the tools and frameworks developers rely on are secure and resilient. I look forward to continuing these important conversations and furthering our collective mission of keeping open source safe and secure.” – Brian Fox, CTO and Co-Founder, Sonatype
“The OpenSSF Policy Summit highlighted the critical intersection of policy, technical innovation, and collaborative security efforts needed to protect our software supply chains and address emerging AI security challenges. By bringing together policy makers and technical practitioners, we’re collectively building a more resilient open source ecosystem that benefits everyone, we look forward to future events and opportunities to collaborate with the OpenSSF to help strengthen this ecosystem.” – Jim Miller, Engineering Director of Blockchain and Cryptography, Trail of Bits
***
About the OpenSSF
The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org.
Media Contact
Noah Lehman
The Linux Foundation
nlehman@linuxfoundation.org
Welcome to the February 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.
OpenSSF Community Days bring together security and open source experts to drive innovation in software security.
✅ Secure your spot – Register today!
✅ Have insights to share? Submit to speak before CFP closes!
✅ Support the mission – Become a sponsor!
Join us in shaping a safer and more secure digital world.
The Open Source Security Foundation (OpenSSF) has announced the initial release of the Open Source Project Security Baseline (OSPS Baseline)—a new initiative designed to help open source projects enhance their security posture through tiered best practices. The OSPS Baseline aligns with global cybersecurity frameworks, including the EU Cyber Resilience Act (CRA) and NIST Secure Software Development Framework (SSDF), making it easier for maintainers and contributors to adopt practical security measures.
With adoption commitments from projects like GUAC, OpenVEX, bomctl, and Open Telemetry, the OSPS Baseline is already helping open source communities strengthen their security foundations. This release marks a significant step toward providing maintainers with clear, actionable security guidance that grows alongside their projects. Learn more.
The European Union’s Cyber Resilience Act (CRA), which came into effect on December 10, 2024, introduces significant cybersecurity requirements for products sold or commercially available in the EU market. With wide-ranging impacts set to take effect by November 2026, businesses must assess whether they fall under the CRA’s scope and take necessary steps for compliance.
This blog provides key insights into how the CRA applies to Products with Digital Elements (PDEs), its implications for manufacturers, businesses, and open source projects, and what steps organizations need to consider. While some view it as an added burden, cybersecurity professionals see it as an opportunity to strengthen security practices across the software supply chain.
If you develop software, hardware, or services that interact with digital products in the EU, understanding the CRA is critical. Read the full blog to determine if the CRA affects your business and how you can prepare for compliance.
Everyone is increasingly aware that software supply chain security is critical, but the challenges in the public sector come with added complexity—stringent policies, high-risk exposure, and slow approval processes. In this blog, Daniel Moch (Lockheed Martin) explores the unique security hurdles faced by public sector organizations and how the open source community, alongside OpenSSF, can help mitigate them.
From SLSA Provenance and VEX adoption to reputation-based contributor scoring, the blog outlines practical ways to enhance supply chain transparency and security. Read on to discover how collaborative efforts can make software security stronger for everyone. Read the blog here.
Linux Foundation Europe and OpenSSF have launched a global initiative to help open source communities navigate the EU Cyber Resilience Act (CRA) and worldwide cybersecurity regulations. The effort will focus on cybersecurity standards, compliance frameworks, and tooling to support maintainers and manufacturers. Learn more about this collaborative effort and how to get involved. Read the announcement here.
Alpha-Omega’s 2024 Annual Report highlights major strides in open source security, including $6 million in grants to strengthen critical projects like the Linux kernel, Python Software Foundation, and RubyGems. Through funding, security audits, and scaled vulnerability fixes, Alpha-Omega has helped build a sustainable security culture across the open source ecosystem. Discover the impact of these investments and the vision for 2025 in the full report. Read the blog and full report here.
You’re invited to…
We want to get you the information you most want to see in your inbox. Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month!
Regards,
The OpenSSF Team
New Initiative Aims to Enhance Open Source Software Security Through Tiered Best Practices
SAN FRANCISCO – February 25, 2025 – The Open Source Security Foundation (OpenSSF) is pleased to announce the initial release of the Open Source Project Security Baseline (OSPS Baseline). The Baseline initiative provides a structured set of security requirements aligned with international cybersecurity frameworks, standards, and regulations, aiming to bolster the security posture of open source software projects.
“The OSPS Baseline release is a significant milestone in advancing security initiatives within the open source ecosystem,” said Christopher Robinson, Chief Security Architect at OpenSSF. “We’re excited to roll out OSPS Baseline following community testing and validation — we are confident that these security best practices are both practical and impactful across open source projects.”
The OSPS Baseline offers a tiered framework of security practices that evolve with project maturity. It compiles existing guidance from OpenSSF and other expert groups, outlining tasks, processes, artifacts, and configurations that enhance software development and consumption security. By adhering to the Baseline, developers can lay a foundation that supports compliance with global cybersecurity regulations, such as the EU Cyber Resilience Act (CRA) and U.S. National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF).
“We’ve gotten helpful feedback from projects involved in the pilot rollout, including adoption commitments from GUAC, OpenVEX, bomctl, and Open Telemetry,” said Stacey Potter, Independent Open Source Community Manager, after helping lead the OSPS Baseline pilot efforts. “We know it can be tough to navigate all the security standards out there, so we built a framework that grows with your project. Our goal is to take the guesswork out of it and help maintainers feel confident about where they stand, without adding extra stress. It’s all about empowering the community and making open source more secure for everyone!”
“I’m excited to see the release of OSPS Baseline,” said Ben Cotton, Open Source Community Lead at Kusari & OSPS Baseline co-maintainer. “This effort provides actionable, practical guidance to help developers achieve appropriate security levels for their projects. Too often, security advice is vague or impractical, but Baseline aims to change that. Every improvement to open source security strengthens the modern software ecosystem, making it safer for everyone.”
OpenSSF invites open source developers, maintainers, and organizations to make use of the OSPS Baseline. Through engaging with this initiative, stakeholders can also contribute to refining the framework and promoting widespread adoption of security best practices in the open source community.
For more information and to get involved, please visit the OSPS Baseline website or GitHub.
Supporting Quotes:
“The OSPS Baseline release is an important step toward efficiently addressing the security and resilience of open source projects. Open source stewards, manufacturers who rely on open source, and end users will all benefit long-term as this community-defined criteria shines light on project security best practices.”
– Eddie Knight, Open Source Program Office Lead at Sonatype and OSPS Baseline Project Lead
“We applaud the launch of the OSPS Baseline as a crucial initiative in bolstering the security landscape of open source projects. At TestifySec, we recognize the importance of robust security frameworks like the OSPS Baseline in safeguarding software integrity and enhancing resilience against evolving cyber threats. We look forward to leveraging these guidelines to further fortify our commitment to delivering secure solutions for our clients and the broader open source community.”
– Cole Kennedy, Co-Founder and CEO of TestifySec
“Security is a fundamental priority for the cloud native ecosystem, and the OSPS Baseline represents a major step forward in providing clear, actionable guidance for projects of all sizes. By establishing a tiered framework that evolves with project maturity, OSPS Baseline empowers maintainers and contributors to adopt security best practices that are scalable and sustainable. The CNCF is proud to support efforts like this that strengthen open source software at every level of development and we look forward to collaborating with the OpenSSF on adoption.”
– Chris Aniszczyk, Chief Technology Officer, Cloud Native Computing Foundation
“As open source has become integral in most of our technology stacks, it has become increasingly critical to streamline and standardize the security expectations between open source maintainers and consumers. By synthesizing the requirements and controls from a variety of laws, regulations, and standards, the OpenSSF Baseline provides a clear roadmap for open source consumers to understand their security foundations.”
– Evan Anderson, Principal Software Engineer at Stacklok and Open Source Maintainer
“The Open Source Project Security Baseline is a vital tool for enhancing the security of open source projects. By offering a comprehensive set of actionable measures, the Security Baseline provides effective guidance for all stakeholders in the open source ecosystem – manufacturers, stewards, and projects alike – to collaboratively assume responsibility and take meaningful steps to secure the open source supply chain on which we all rely.”
– Per Beming, Chief Standardization Officer at Ericsson
***
About the OpenSSF
The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org.
Media Contact
Noah Lehman
The Linux Foundation
nlehman@linuxfoundation.org