
By Ejiro Oghenekome and Sal Kimmich
The Open Source Security Foundation (OpenSSF) serves as the global hub for collaborative work on securing the software supply chain. Whether you’re an open-source maintainer, a security engineer, a student, or someone passionate about public digital infrastructure, OpenSSF invites you to participate. There are no gatekeepers, no matter where you work. This community is open, global, and powered by you.
Why Participation is Open by Design
OpenSSF is hosted by the Linux Foundation, which is legally structured to prevent exclusionary or anti-competitive behaviour. That means anyone who meets the basic criteria can participate, regardless of employer, background, or nationality.
There’s a common misconception that being employed by a member company (i.e. one of the companies that help fund OpenSSF) is a must, but this blog should help you understand that this is absolutely not true. The contributions you make to a project matter much more than the company you work for: individual contributors are always welcome, regardless of employment status or company affiliation.
“The Linux Foundation is dedicated to providing a harassment-free experience for everyone… We do not tolerate harassment of participants in any form.” In other words, if you want to help make open-source software more secure, you are welcome here.
Participation is covered by the Linux Foundation Participation Guidelines.
For a personal perspective, read Eddie Knight’s story on how they got started with OpenSSF.
How to Engage with OpenSSF
Getting involved with OpenSSF requires no prior experience, just interest and willingness to collaborate. Each Working Group (WG), Project and Special Interest Group (SIG) has public meetings, a Slack channel, a mailing list, and a GitHub repository. Here are the primary steps to get started:
- Join the OpenSSF Slack: Request access and introduce yourself in a relevant group channel.
- Subscribe to a Mailing List: Subscribe and sign up for working group and SIG discussions.
- Attend Meetings: OpenSSF meetings are open to all. Visit the OpenSSF Community Calendar for upcoming sessions. To access recordings of previous public meetings, visit the OpenSSF LFX Public Calendar, select the specific meeting, and you will find the recording link included within the event details.
- Contribute via GitHub: Review active issues and ongoing projects. Contributions to code, documentation, and community practices are all welcome. We will cover some of the major open source projects at the end of this blog.
Working Groups (WG) at a Glance
- AI/ML Security WG – Secure machine learning pipelines and AI systems.
- BEAR WG (Belonging, Empowerment, Allyship, Representation) – Inclusive pathways into cybersecurity.
- Best Practices for Open Source Developers WG – OpenSSF Scorecard
- Free e-learning – Self-paced Linux Foundation and OpenSSF courses for every role.
- Global Cyber Policy WG – Translate global regulations into practical guidance.
- Memory Safety SIG – Strategies to eliminate memory-related vulnerabilities.
- ORBIT WG (Open Resources for Baselines, Interoperability, and Tooling) – Develops and maintains resources for the identification and presentation of security-relevant data.
- Securing Critical Projects WG – Identify and support high-impact OSS infrastructure.
- Securing Software Repositories WG – Protect the package registries that power open source.
- Security Tooling WG – Developer-focused tools for working with SBOMs.
- Supply Chain Integrity WG – Build and verify secure, trustworthy software.
- Vulnerability Disclosures WG – Improve how security issues are reported and resolved.
Explore More on OpenSSF Working Groups
AI/ML Security WG
The AI/ML Security Working Group explores both the security risks that artificial intelligence and machine learning introduce into software development and the ways AI can be used to improve software security. From training data integrity to model tampering to the safe usage of large language models (LLMs), this group identifies threat vectors and proposes tooling and practices to mitigate them. In 2024, the group launched a model signing initiative to help ensure that machine learning artefacts are verifiable and tamper-evident, an increasingly important requirement for enterprises adopting AI systems.
This working group is ideal for AI researchers, security professionals, and software engineers who want to guide the secure evolution of AI in open source. If you have experience in machine learning pipelines, adversarial testing, or are concerned with data poisoning, LLM misuse, or auditability of models, your expertise is especially valuable. Contributors often help draft threat models, create proof-of-concept tooling, or shape educational guidance for safe ML usage.
Associated Projects
– AI/ML Security Best Practices
– Model Provenance & Signing Exploration
BEAR WG (Belonging, Empowerment, Allyship, Representation)
The BEAR Working Group is focused on increasing representation, access, and opportunity within the open source security ecosystem. It provides a welcoming space for new contributors and elevates voices that have historically been excluded from tech and cybersecurity communities. BEAR hosts regular community office hours, mentorship sessions, and workshops to help people find meaningful pathways into security-related projects. Through public programming and direct engagement, the WG works to ensure that OpenSSF’s initiatives are inclusive by design and that newcomers from diverse backgrounds have access to mentorship, context, and real-world opportunities to grow.
This group is ideal for contributors passionate about equity, community organising, and mentoring. If you’ve faced barriers to entering tech or want to help dismantle them for others, BEAR offers hands-on initiatives you can support. Writers, designers, event organisers, educators, and those with lived experience navigating exclusionary systems will find space to lead and co-create programs that make security more accessible to all. Its regular office hours, mentorship programs, and event collaborations amplify underrepresented voices, which makes it a great starting point for contributors from any background and a good place to get early-career advice in cybersecurity.
Global Cyber Policy WG
The Global Cyber Policy Working Group exists to bridge the worlds of public policy and open source development. With global legislation like the EU Cyber Resilience Act (CRA), U.S. Executive Orders, and international cybersecurity frameworks increasingly impacting open source software, this WG helps projects navigate compliance without compromising the core values of open collaboration. It plays a proactive role in shaping how policymakers think about open source, while also building tools and guidance to help maintainers understand what new rules mean for them.
This working group is perfect for contributors with backgrounds in law, policy analysis, regulatory compliance, or public sector technology strategy. It’s also ideal for maintainers of OSS projects who want to understand how upcoming legislation may affect their development practices. Members participate in the development of policy briefs, organise community calls with regulators, and contribute to documentation that translates legal language into actionable guidance for open source developers. This WG offers a unique opportunity to directly influence how open source is represented in cybersecurity legislation globally.
Associated Projects
– CRA Educational Materials: Access LFEL1001 here.
Security Tooling WG
The Security Tooling Working Group empowers developers by creating and maintaining tools that make secure software development easier and more automated. This group focuses on improving the developer experience around using, adopting, and integrating security tools into standard workflows. One of the major efforts is SBOM Everywhere, which promotes widespread adoption of Software Bills of Materials (SBOMs) through practical tooling and education. The group also incubates innovations like Fuzz Introspector, aimed at improving the observability of fuzzing efforts in open source projects.
This WG is ideal for developers who enjoy building tools and want to apply their skills to reduce friction around security best practices. Contributors with CI/CD experience, security research backgrounds, or product-minded engineers interested in usability are especially valuable. Whether you’re writing open source tooling, drafting user docs, or advocating for secure defaults, this group is where practical security work meets developer empathy.
Associated Projects
– Protobom
– Bomctl
Vulnerability Disclosures WG
The Vulnerability Disclosures Working Group addresses one of the most critical phases of software security: identifying, reporting, and responding to vulnerabilities. The group develops documentation, templates, tooling, and practices to ensure coordinated vulnerability disclosure (CVD) is straightforward and scalable for both maintainers and researchers. Key initiatives include OpenVEX (a format to share exploitability status), the Vulnerability Report Format (VRF), and guidance like the OSS Vulnerability Guide. The group also leads Autofix SIG, which explores automation for responsibly disclosing vulnerabilities to hundreds of projects at once, and has begun laying the groundwork for an open-source incident response team through OSS-SIRT.
This WG is perfect for security researchers, OSS maintainers, and developers interested in improving the global coordination of security disclosures. Contributors can help author documentation, test disclosure tooling, or help projects establish responsible vulnerability handling processes. It’s a great fit for anyone who wants to make open source software safer by improving how the community handles its most sensitive bugs.
Associated Projects
– OpenVEX
– Vulnerability Report Format (VRF)
Securing Software Repositories WG
The Securing Software Repositories Working Group is focused on improving the security of the infrastructures that host and distribute open source packages. These include package registries such as npm, PyPI, RubyGems, and others that are essential for developers to install, share, and update code. This group collaborates with repository operators to define and share best practices, policies, and tools that can prevent tampering, hijacking, or malicious package publication. A core initiative is RSTUF (Repository Service for The Update Framework), a project aimed at providing resilient and cryptographically verifiable update mechanisms.
This WG is a great fit for contributors who are interested in the intersection of software infrastructure, DevSecOps, and platform reliability. Security researchers, registry maintainers, package publisher tool builders, and policy designers are all welcome. Whether you want to enhance trust in distribution mechanisms or build tools that enable verification of software updates, this working group is a powerful place to collaborate on protecting the foundational delivery layers of open source.
Associated Projects
– RSTUF
Open Resources for Baselines, Interoperability, and Tooling (ORBIT)
ORBIT exists to develop and maintain interoperable resources for the identification and presentation of security-relevant data. It provides a home for collaborative activities, best practice definitions, documentation, testing, integration, and other artifacts supporting the mission.
ORBIT focuses on the Open Source Project Security Baseline (OSPS Baseline) catalog and on the tools and automation that support implementing and assessing it against international best practices, frameworks, and regulations.
The Gemara (GRC Engineering Model for Automated Risk Assessment) project provides a logical model to describe the categories of compliance activities, how they interact, and the schemas to enable automated interoperability between them. The OSPS Assessments project provides a tiered model for assessing the security state of open source software. The Security Insights Specification (and Tooling) project provides a mechanism and tools for projects to report information about their security in a machine-processable way. Minder is a hosted assessment and remediation engine for enforcing software policies on repositories and other supply chain instances.
With these projects combined, the ORBIT WG aims to support all open source projects in preparing for current and future compliance regulations.
Associated Projects
– Gemara
– Minder
Securing Critical Projects WG
The Securing Critical Projects Working Group focuses on identifying open source projects that are foundational to the global software ecosystem but often lack the support needed to stay secure. By maintaining a curated Critical Projects List and building metrics like the OpenSSF Criticality Score, the group provides data-driven guidance on where to focus security resources. Contributors help develop tooling, improve ranking systems, and collaborate with maintainers of these high-impact projects.
While closely aligned, Alpha-Omega is an independent initiative within OpenSSF—not a sub-project of this WG. It builds on the WG’s outputs to provide direct security improvements. Alpha-Omega operates in two tracks: Alpha, which partners with critical projects for audits and fixes, and Omega, which applies scalable security automation to thousands of packages. The WG informs where help is needed most; Alpha-Omega helps deliver it.
Learn more about the Alpha-Omega project and read an overview of Alpha-Omega and OpenSSF.
Learn more about Alpha-Omega on GitHub.
Supply Chain Integrity WG
The Supply Chain Integrity Working Group plays a pivotal role in ensuring that open source software remains trustworthy from creation to consumption. This group works to standardise and develop practices, frameworks, and tools that help projects establish the provenance, integrity, and security of their code artefacts. Key initiatives include the promotion and development of frameworks like SLSA (Supply-chain Levels for Software Artefacts), which helps projects assess and improve the security of their build pipelines. Additionally, the group supports the development of GUAC (Graph for Understanding Artefact Composition), a tool designed to aggregate and interpret supply chain metadata from different sources.
This group is ideal for DevOps engineers, maintainers of CI/CD systems, compliance professionals, and anyone passionate about reproducible builds, verifiable artefacts, and secure distribution practices. Contributors can help refine specifications, build reference implementations, and provide feedback on real-world integrations. Whether you’re working on the build tooling of your favourite open source project or managing dependencies in enterprise software, this WG offers practical opportunities to improve security at scale.
Associated Projects
– GUAC
– gittuf
– SLSA
Ready to Contribute?
Every OpenSSF group welcomes newcomers, and there are many paths to get started, no matter your background. If you’re just getting started in open source or cybersecurity, consider joining the Education SIG or BEAR WG. These are designed to provide context, mentorship, and low-barrier ways to contribute, such as helping review materials, documenting processes, or co-hosting community events.
If you’re a developer who loves tooling, the Security Tooling WG is a great fit for contributing to projects like OpenSSF Scorecard or SBOM Everywhere. Interested in building systems, CI/CD, or package registries? You’ll find natural entry points in the Supply Chain Integrity WG or the Securing Software Repositories WG.
Policy-minded contributors, especially those with backgrounds in law, compliance, or governance, can join the Global Cyber Policy WG and help translate emerging regulations into clear, actionable steps for open source maintainers. If you care about the future of OSS infrastructure, the Securing Critical Projects WG is actively supporting projects that form the backbone of modern software.
Have a background in community building, product or project management, technical writing, developer advocacy, or marketing? There’s room in every WG and project for your help. If you’re interested in helping in those ways across OpenSSF, the DevRel Community is a great place to get started.
No matter which path you choose, you can join a public meeting, introduce yourself on Slack, or contribute to an issue on GitHub. Everyone has something valuable to offer.
Want to see this topic discussed live? Watch the July 31, 2025 WG-BEAR meeting where community members talk about making it easier for first-time contributors.
About the Authors
Ejiro Oghenekome is an emerging cybersecurity professional who’s turning curiosity into impact. With roots in UI/UX design and a growing body of work in software security, she brings an instinct for user-centred thinking to every technical challenge. Whether she’s breaking down secure coding practices for beginners or contributing to community documentation and tooling at OpenSSF, Ejiro makes security feel approachable. A consistent contributor across several open source projects, she’s part of a new wave of practitioners bridging design, education, and security across the African tech ecosystem and to the global community. Now focused on growing her career in cybersecurity, Ejiro is seeking roles where she can deepen her technical skills, contribute to real-world defences, and keep making security more accessible for everyone.
Sal Kimmich is a developer advocate and security engineer working at the intersection of open source governance, software supply chain security, and privacy-enhancing technologies. They serve as a contributor to the Open Source Security Foundation’s Education SIG, BEAR WG, and co-chair of the CHAOSS data science WG. Sal helps build inclusive pathways as an international open source community leader, known for mentoring first-time contributors and shaping policy around secure development practices across Europe, the UK, and North America. By day, you’ll find Sal filling in the gaps of the latest threat models for agentic AI systems; in their free time, they mentor the next generation of exceptional engineering talent and help them find their voice in open source security.