
OpenSSF at Black Hat USA 2025 & DEF CON 33: AIxCC Highlights, Big Wins, and the Future of Securing Open Source

August 14, 2025 | Blog

The Open Source Security Foundation (OpenSSF) marked a strong presence at two cornerstone cybersecurity events, Black Hat USA 2025 and DEF CON 33, engaging with security leaders, showcasing our initiatives, and fostering collaboration to advance open source security.

At DEF CON, one of the most anticipated moments was the conclusion of the AI Cyber Challenge (AIxCC), a two-year U.S. Defense Advanced Research Projects Agency (DARPA) and Advanced Research Projects Agency for Health (ARPA-H) initiative to advance AI-driven vulnerability detection and remediation. As part of our ongoing collaboration with DARPA, OpenSSF served as a challenge advisor, helping ensure the competition’s design and outcomes deliver meaningful value to the open source community.

OpenSSF at Black Hat USA 2025

At Black Hat, OpenSSF participated in the six-day program, which included four days of specialized training, Summit Day, the main Briefings, the Arsenal demo zone, and an immersive Business Hall experience.

We hosted a community-building kickoff with a Happy Hour at 1923 Prohibition Bar, sparking valuable conversations with contributors, maintainers, and security practitioners.

The following day, Christopher “CRob” Robinson (OpenSSF), Stephanie Domas (Canonical), and Anant Shrivastava (Cyfinoid Research) hosted a standing-room-only “Ask Me Anything About FOSS” panel, sparking thoughtful questions and big ideas for securing open source software.

Over two days, the OpenSSF team met with more than a dozen current and prospective members and connected with leaders from eight potential member organizations. These in-person conversations strengthened relationships and opened the door for new collaborations.

OpenSSF at DEF CON 33 – Spotlight on AIxCC

Original image: https://aicyberchallenge.com/

At DEF CON 33, the spotlight was on the AI Cyber Challenge (AIxCC), a U.S. Defense Advanced Research Projects Agency (DARPA) and Advanced Research Projects Agency for Health (ARPA-H) competition to develop AI-enabled software that can automatically identify and patch vulnerabilities, especially in open source software supporting critical infrastructure.

In the Final Competition, teams’ cyber reasoning systems (CRS) attempted to identify and generate patches for synthetic vulnerabilities across 54 million lines of code. Competitors’ systems discovered 54 unique synthetic vulnerabilities in the Final Competition’s 70 challenges, patching 43 of them. Teams also discovered 18 real, non-synthetic vulnerabilities that are being responsibly disclosed to open source project maintainers.

Winners:

  • First place: Team Atlanta (Georgia Tech, Samsung Research, KAIST, POSTECH)
  • Second place: Trail of Bits (OpenSSF General Member) with Buttercup, their open source Cyber Reasoning System
  • Third place: Theori (U.S. and South Korea-based AI researchers and security professionals)

OpenSSF supported AIxCC as a challenge advisor, guiding organizers to ensure the competition’s solutions will be valuable for the open source community. Monthly meetings with our community of open source leaders allowed AIxCC planners to gather feedback from project maintainers and design the competition to emphasize the value of patching bugs, not just finding them. We are now working with DARPA and ARPA-H on an engagement program to help open source projects benefit from the discoveries, research, and tools emerging from AIxCC.

“AIxCC underscored the importance of bringing technical innovation and policy leadership together. Our partnerships with DARPA and ARPA-H demonstrate how OpenSSF can help align government initiatives with open source communities to deliver lasting security improvements.” – Steve Fernandez, General Manager, OpenSSF

Advancing MLSecOps at DEF CON

OpenSSF also hosted the “Applying DevSecOps Lessons to MLSecOps” panel in the AIxCC Village, featuring Christopher “CRob” Robinson (OpenSSF), Sarah Evans (Dell Technologies), and Eoin Wickens. The panel built on insights from our recent whitepaper, Visualizing Secure MLOps (MLSecOps): A Practical Guide for Building Robust AI/ML Pipeline Security, to explore how proven tools like SLSA, Sigstore, and Scorecard can be adapted to secure AI/ML workflows.

Trail of Bits and the Buttercup Success Story

Original image: https://blog.trailofbits.com/2025/08/09/trail-of-bits-buttercup-wins-2nd-place-in-aixcc-challenge/

Trail of Bits, an OpenSSF General Member, earned second place in AIxCC with Buttercup, their open source Cyber Reasoning System that proved its strength against projects like SQLite, nginx, and the Linux kernel.

“We’re thrilled to be one of the three winning teams in the AIxCC! Seeing Buttercup excel under real-world conditions shows how AI can transform vulnerability remediation at scale. Over the past month, we’ve turned the competition version into a practical open source tool that runs on any developer’s laptop, because the entire security community deserves access to best-in-class AI-powered tools. By open sourcing Buttercup, Trail of Bits reaffirms its commitment to securing the open source ecosystem by sharing our research, tools, and knowledge.”

— Michael Brown, Buttercup Team Lead and Principal Security Engineer, Researcher at Trail of Bits

What’s Next and How to Get Involved