OpenSSF Blog

May 12, 2026 | OpenSSF

Secure Coding Guide for Python (pyscg) First Release

New developers require a single, framework-independent resource to establish a baseline in secure coding practices. Python is one of the most widely adopted programming languages in the world, powering everything from web applications and data pipelines to AI/ML systems and cloud infrastructure.

May 12, 2026 | OpenSSF

Hack to the Future: The Impact and Legacy of the DARPA AIxCC Challenge

By Helen Woeste. AIxCC Competition Background & Results: In 2023, DARPA announced a two-year-long competition called the Artificial Intelligence Cyber Challenge (AIxCC) with the goal of safeguarding open source software used in critical infrastructure throughout America. The intent is to hasten the development of open source AI tooling that…

May 7, 2026 | OpenSSF

The Road to Gold: How CPS Set a New Standard for Security and Quality in Open Source

In the world of open source, trust is our most valuable currency. ONAP is a “collection of individual, semi-standalone network automation functions that provide design, orchestration, observability, and automation of network and edge services for operators, cloud providers, and enterprises” (per ONAP).

May 6, 2026 | OpenSSF

Open Infrastructure Is Not Free, Part II: The Hidden Cost of Running Package Registries

The September 2025 Working Together Towards Sustainable Open Source open letter raised the alarm about the economic sustainability of open source package registries, highlighting how rising adoption and the pace of innovation are placing new and growing pressures on open source package registries. Those pressures have only accelerated in the…

Apr 20, 2026 | OpenSSF

Secure Your Spot: The OpenSSF Community Day North America 2026 Agenda is Live!

The 2026 OpenSSF Community Day North America agenda is live, and we invite the open source community to join us on Thursday, May 21, in Minneapolis, MN. Co-located with Open Source Summit North America, this event will serve as a collaborative space for maintainers, security researchers, and industry leaders to…

Apr 17, 2026 | OpenSSF

Why Third-Party Notices Are Breaking at Scale: What the Ecosystem Needs Next

By Devashri Datta, Independent Researcher, Software Supply Chain Security. Third-party notices (TPNs) are documents distributed to users that list the open source third-party software components included in a product, along with key licensing information. Every time you buy a TV or router, you’ve probably seen them. Yet TPNs were never designed for…

Apr 15, 2026 | OpenSSF

From Noise to Signal: Using Runtime Context to Win the Vulnerability Management Battle

By Jonas Rosland. Security teams in 2026 have no shortage of data, alerts, or findings. In 2025 alone, 48,185 Common Vulnerabilities and Exposures (CVEs) were published, a 20.6% increase over 2024's already record-breaking total of 39,962. That works out to roughly 130 new vulnerabilities disclosed every single day, and for…

Apr 10, 2026 | OpenSSF

Security Slam 2026: Celebrating Our Security Champions and Project Milestones

The 2026 Security Slam has officially concluded, and we couldn't be more proud of the progress made across the open source ecosystem. From automated baseline evaluations to comprehensive threat modeling, our participating projects and contributors have taken significant steps to “secure open source at the source.”

Apr 8, 2026 | OpenSSF

OpenSSF Tech Talk Recap: Securing Agentic AI

At our recent Open Source Security Foundation (OpenSSF) Tech Talk, experts from Microsoft, Thread AI, Canonical, and the OpenSSF AI/ML Security Working Group joined forces to dismantle the "black box" of AI security.

Apr 3, 2026 | OpenSSF

Rethinking Post-Deployment Vulnerability Detection

By Tracy Ragan. Over the past decade, the IT community has made significant progress in improving pre-deployment vulnerability detection. Static analysis, Software Composition Analysis (SCA), container scanning, and dependency analysis are now standard components of modern CI/CD pipelines. These tools help developers identify vulnerable libraries and insecure code before software…