Signal in the Noise: An Industry-Wide Perspective on the State of VEX
Abstract: Software security has always been a race between complexity and clarity. The Vulnerability Exploitability eXchange (VEX) aims to bring clarity to that race.
Trail of Bits, with funding from OpenSSF, is improving Sigstore's rekor-monitor to help maintainers detect malicious package releases, monitor signing identities, and strengthen software supply chain security using transparency logs.
Whether you're just getting started with open source security or want to deepen your knowledge, these free courses from Linux Foundation Education and OpenSSF offer valuable, self-paced learning paths. Each is available online and designed to help contributors understand both the technical and community aspects of secure open source development.
By Madalin Neag, Kate Stewart, and David A. Wheeler In our previous blog post, we explored how the Software Bill of Materials (SBOM) should not be a static artifact created...
We're pleased to announce the creation of a new BigQuery public dataset, rekor. The rekor dataset is an easily-queryable mirror of the public good instance of Sigstore's transparency log, Rekor.
This blog was originally published on the OSTIF website on October 9, 2025 by Helen Wooste. The Open Source Technology Improvement Fund is proud to share the results of our security audit...
Open Source SecurityCon has always been about bringing people together to strengthen trust in open source. From its beginnings within TAG Security to its growth as a standalone conference, and now returning to KubeCon + CloudNativeCon alongside the Open Source Security Foundation (OpenSSF), the event has become a gathering place for anyone passionate about securing our…
Maybe you've used open source before and wondered how it all works, or you're early in your career and heard that open source contributions can boost your growth. Maybe you've witnessed software supply chain attacks and felt an urge to make a difference. Maybe you just started learning about OpenSSF in our last blog: "Understanding…
By Ben Cotton and Dejan Bosanac The superpower of open source is multiple people working together on a common goal. That works for projects, too. GUAC and Trustify are two...
The AI wave is here, and it's only getting bigger. According to a recent report from McKinsey, "over the next three years, 92 percent of companies plan to increase their AI investments." As this AI wave washes over almost every industry and is integrated deeply and extensively into critical and non-critical operations, it ushers in…