Skip to main content

📣 Submit your proposal: OpenSSF Community Days: Europe, Korea | Open Source SecurityCon

search
Category

Press Release

May 14
Love0

Linux Foundation and OpenSSF Release Cybersecurity Skills Framework to Strengthen Enterprise Readiness

By Blog, Press Release

New Customizable Global Framework Aligns IT Job Roles with Practical Cybersecurity Skills

SAN FRANCISCO, CA – May 14, 2025 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the launch of the Cybersecurity Skills Framework, a global reference guide that helps organizations identify and address critical cybersecurity competencies across a broad range of IT job families; extending beyond cybersecurity specialists. Produced in collaboration with the Open Source Security Foundation (OpenSSF) and Linux Foundation Education, the framework delivers actionable guidance to enterprise leaders looking to systematically reduce cyber risk.

As cybersecurity threats grow in both scale and complexity, enterprise leaders are struggling to align job roles with the practical skills needed to mount an effective defense. Despite cybersecurity being one of the top three most in-demand tech roles for enterprises, major talent readiness gaps remain. According to the Linux Foundation’s 2024 State of Tech Talent Report,  64 percent of organizations report candidates lack essential skills and it now takes an average of 10.2 months to hire and onboard new technical staff. Additional research from the Linux Foundation found that 62 percent of open source project stewards lacked dedicated personnel for security incident response, despite 74 percent maintaining formal cybersecurity reporting mechanisms.

These trends reflect a broader industry dilemma—growing awareness of cybersecurity needs without the personnel to tackle them—driven by unclear role expectations and fragmented training pathways. The Cybersecurity Skills Framework addresses these issues with a practical, globally relevant onramp that organizations can use to assess and build internal security capabilities. The framework provides leaders with an easy way to understand the cybersecurity skills needed, quickly identify knowledge gaps, and incorporate critical skills into all of their IT roles. By establishing a shared language for cybersecurity readiness, the framework prepares everyone who touches a system to take responsibility for security, not just the cybersecurity specialists: from app developers to web developers, network engineers to database engineers, solutions architects to enterprise architects.

The framework defines practical cybersecurity expectations across foundational, intermediate, and advanced proficiency levels, while mapping those skills to recognized standards such as the DoD 8140, CISA NICE Framework, and the ICT e-CF. By aligning with widely adopted standards and allowing for customization, the framework can be easily adopted across industries, regions, and organizational sizes. The framework is available in a free, easy to use web interface which allows users to select relevant job families, move skills between categories, delete any that don’t apply and add custom items they require. 

The framework was produced as a result of a global research effort, with contributions and feedback from cybersecurity educators, government advisors, framework stewards, and technical training experts, who together brought comprehensive expertise in workforce development, national defense, professional certification, and open source security.

“Cybersecurity is now a leadership issue, not just a technical one,” said Steve Fernandez, General Manager at OpenSSF. “Our framework gives organizations a straightforward way to identify gaps and prioritize the security skills that matter most, based on role and responsibility—not just checklists. It’s about building real-world resilience.”

The Cybersecurity Skills Framework provides guidance for key roles, including web and software developers, DevOps engineers, IT project managers, platform architects, GRC managers and more. Each job role is defined by its primary cybersecurity responsibilities and aligned with practical skills in areas like secure design, compliance, vulnerability management, and incident response. 

“This framework is a valuable tool for CIOs, CISOs, and enterprise learning teams,” said Clyde Seepersad, SVP and General Manager of Linux Foundation Education. “In an era of accelerating threats, leaders need clear pathways for strengthening security culture across technical teams. This resource helps organizations take a proactive approach to employee development and risk reduction.”

The Linux Foundation and OpenSSF will update the framework annually and welcome community feedback from adopters. Organizations are encouraged to adapt and extend the model to align with their specific needs, security posture, and product portfolios.

To access the full Cybersecurity Skills Framework and explore how your organization can adopt it, visit: http://cybersecurityframework.io

Join us on Wednesday, June 11 at 11:00 am EDT for a webinar discussing the Cybersecurity Skills Framework. Visit here to register.

Supporting Quotes

“As cloud native adoption grows, so does the complexity of managing security across distributed systems. The Cybersecurity Skills Framework offers a clear, actionable resource for teams working in modern environments to assess skills, reduce risk, and embed security into every stage of the software lifecycle.”

– Chris Aniszczyk, CTO, CNCF

“As the cybersecurity landscape grows more complex, particularly with the rapid rise in AI technologies, security can no longer be siloed. Businesses must champion a culture of security awareness, education, and preparedness across functions. The new framework contributes to a stronger security posture by ensuring every teamfrom developers to IT leadersunderstands the specific security skills they need.”

Jamie Thomas, IBM Enterprise Security Executive

“Cybersecurity is a shared responsibility, and closing the skills gap is essential to building secure systems at scale. The OpenSSF Cybersecurity Skills Framework provides a clear, actionable roadmap for equipping technical teams with the right knowledge to protect our digital infrastructure, thus raising the bar for security readiness across the industry.”

– Arun Gupta, VP of Developer Programs, Intel / Governing Board Chair for CNCF & OpenSSF

“Cybersecurity today seems more complicated than ever. It can be difficult to keep up with the evolving cyber risk landscape and what skills internal teams need to approach and mitigate those risks. The Cybersecurity Skills Framework is a much needed blueprint for how developers should approach career development, teams plan for adapting to new risks, and organizations build training governance for the continuous evolution of their cybersecurity programs.”

–  Michael Lieberman, CTO and Co-Founder, Kusari

“The Cybersecurity Skills Framework is grounded in extensive global research and community collaboration. By surfacing practical, role-specific insights, the framework helps enterprise leaders understand where their cybersecurity capabilities stand—and where they need to grow. It’s a meaningful step toward bridging the persistent skills gap we’ve seen across sectors.”

– Hilary Carter, SVP Research at the Linux Foundation

“Security is a shared responsibility across the open source ecosystem. This framework is a powerful tool to help developers, project leaders, and enterprise teams better understand how their roles contribute to a secure software supply chain. It supports the kind of continuous learning culture that is essential to sustainable open source development.”

– Robin Bender Ginn, Executive Director, OpenJS Foundation

“The need for experienced cybersecurity practitioners continues to increase, and a clear understanding of cybersecurity roles, responsibilities, and required skills is not just beneficial – it is the foundation for a resilient and secure organization. The Linux Foundation’s Cybersecurity Skills Framework provides guidance to help leaders and practitioners understand the baseline skills needed for various roles. It serves as an excellent starting point for cybersecurity practitioners looking to enter the field or plan their career progression. Additionally, it helps leaders identify the necessary roles and skills to meet their cybersecurity demands.”

 Dave Russo, Senior Principal Program Manager, Secure Development, Red Hat

###

About the Linux Foundation 

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, LF Decentralized Trust, Node.js, ONAP, OpenChain, OpenSSF, PyTorch, RISC-V, SPDX, Zephyr, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contact
Noah Lehman
The Linux Foundation
nlehman@linuxfoundation.org

Mar 11
Love0

OpenSSF Hosts 2025 Policy Summit in Washington, D.C. to Tackle Open Source Security Challenges

By Blog, Global Cyber Policy, Press Release

WASHINGTON, D.C. – March 11, 2025 – The Open Source Security Foundation (OpenSSF) successfully hosted its 2025 Policy Summit in Washington, D.C., on Tuesday, March 4. The summit brought together industry leaders and open source security experts to address key challenges in securing the software supply chain, with a focus on fostering harmonization for open source software (OSS) development and consumption in critical infrastructure sectors.

The event featured keynotes from OpenSSF leadership and industry experts, along with panel discussions and breakout sessions covering the latest policy developments, security frameworks, and industry best practices for open source software security. 

“The OpenSSF is committed to tackling the most pressing security challenges facing the consumption of open source software in critical infrastructure and beyond,” said Steve Fernandez, General Manager, OpenSSF. “Our recent Policy Summit highlighted the shared responsibility, common goals, and interest in strengthening the resilience of the open source ecosystem by bringing together the open source community, government, and industry leaders.” 

Key Themes and Discussions from the Summit

  1. AI, Open Source, and Security
  • AI security remains an emerging challenge: Unlike traditional software, AI has yet to experience a major security crisis akin to Heartbleed, leading to slower regulatory responses.
  • Avoid premature regulation: Experts advised policymakers to allow industry-led security improvements before introducing regulation.
  • Security guidance for AI developers: There is an increasing need for dedicated security frameworks for AI systems, akin to SLSA (Supply Chain Levels for Software Artifacts) in traditional software.
  1. Software Supply Chain Security and OSS Consumption
  • Balancing software repository governance: The summit explored whether package repositories should actively limit the use of outdated or vulnerable software, recognizing both the risks and ethical concerns of software curation.
  • Improving package security transparency: Participants discussed ways to provide better lifecycle risk information to software consumers and whether a standardized framework for package deprecation and security backports should be introduced.
  • Policy recommendations for secure OSS consumption: OpenSSF emphasized the need for cross-sector collaboration to align software security policies with global regulatory frameworks, such as the EU Cyber Resilience Act (CRA) and U.S. federal cybersecurity initiatives.

“The OpenSSF Policy Summit reaffirmed the importance of industry-led security initiatives,” said Jim Zemlin, Executive Director of the Linux Foundation. “By bringing together experts from across industries and open source communities, we are ensuring that open source security remains a collaborative effort, shaping development practices that drive both innovation and security.”

Following the summit, OpenSSF will continue to refine security guidance, best practices, and policy recommendations to enhance the security of open source software globally. The discussions from this event will inform ongoing initiatives, including the OSS Security Baseline, software repository security principles, and AI security frameworks.

For more information on OpenSSF’s policy initiatives and how to get involved, visit openssf.org.

Supporting Quotes

“The 2025 Policy Summit was an amazing day of mind share and collaboration across different teams, from security, to DevOps, and policy makers. By uniting these critical voices, the day resulted in meaningful progress toward a more secure and resilient software supply chain that supports innovation across IT Teams.” – Tracy Ragan, CEO and Co-Founder DeployHub

“I was pleased to join the Linux Foundation OpenSSF Policy Summit “Secure by Design” panel and share insights on improving the open source ecosystem via IBM’s history of creating secure technology solutions for our clients,” said Jamie Thomas, General Manager, Technology Lifecycle Services & IBM Enterprise Security Executive. “Open source has become an essential driver of innovation for artificial intelligence, hybrid cloud and quantum computing technologies, and we are pleased to see more regulators recognizing that the global open source community has become an essential digital public good.” – Jamie Thomas, General Manager, Technology Lifecycle Services & IBM Enterprise Security Executive

“I was delighted to join this year’s OpenSSF Summit on behalf of JFrog as I believe strongly in the critical role public/private partnerships and collaboration plays in securing the future of open source innovation. Building trust in open source software requires a dedicated focus on security and software maturity. Teams must be equipped with tools to understand and vet open source packages, ensuring we address potential vulnerabilities while recognizing the need for ongoing updates. As the value of open source grows, securing proper funding for these efforts becomes essential to mitigate risks effectively.” – Paul Davis, U.S. Field CISO, JFrog

“Great event. I really enjoyed the discussions and the idea exchange between speakers, panelists and the audience.  I especially liked the afternoon breakout discussion on AI, open source, and security.” Bob Martin, Senior Software and Supply Chain Assurance Principal Engineer at the MITRE Corporation

“The Internet is plagued by chronic security risks, with a majority of companies relying on outdated and unsupported open source software, putting consumer privacy and national security at risk. As explored at the OpenSSF Policy Summit, we are at an inflection point for open source security and sustainability, and it’s time to prioritize and invest in the open source projects that underpin our digital public infrastructure.” – Robin Bender Ginn, Executive Director, OpenJS Foundation

“It is always a privilege to speak at the OpenSSF Policy Summit in D.C. and converse with some of the brightest minds in security, government, and open source. The discussions we had about the evolving threat landscape, software supply chain security, and the policies needed to protect critical infrastructure were timely and essential. As the open source ecosystem expands with skyrocketing open source AI adoption, it’s vital that we work collaboratively across sectors to ensure the tools and frameworks developers rely on are secure and resilient. I look forward to continuing these important conversations and furthering our collective mission of keeping open source safe and secure.” – Brian Fox, CTO and Co-Founder, Sonatype

“The OpenSSF Policy Summit highlighted the critical intersection of policy, technical innovation, and collaborative security efforts needed to protect our software supply chains and address emerging AI security challenges. By bringing together policy makers and technical practitioners, we’re collectively building a more resilient open source ecosystem that benefits everyone, we look forward to future events and opportunities to collaborate with the OpenSSF to help strengthen this ecosystem.” – Jim Miller, Engineering Director of Blockchain and Cryptography, Trail of Bits

***

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org.

Media Contact
Noah Lehman
The Linux Foundation
nlehman@linuxfoundation.org

Feb 25
Love0
OpenSSF Announces Initial Release of the Open Source Project Security Baseline

OpenSSF Announces Initial Release of the Open Source Project Security Baseline

By Blog, Press Release

New Initiative Aims to Enhance Open Source Software Security Through Tiered Best Practices

SAN FRANCISCO – February 25, 2025 – The Open Source Security Foundation (OpenSSF) is pleased to announce the initial release of the Open Source Project Security Baseline (OSPS Baseline). The Baseline initiative provides a structured set of security requirements aligned with international cybersecurity frameworks, standards, and regulations, aiming to bolster the security posture of open source software projects.

“The OSPS Baseline release is a significant milestone in advancing security initiatives within the open source ecosystem,” said Christopher Robinson, Chief Security Architect at OpenSSF. “We’re excited to roll out OSPS Baseline following community testing and validation — we are confident that these security best practices are both practical and impactful across open source projects.”

The OSPS Baseline offers a tiered framework of security practices that evolve with project maturity. It compiles existing guidance from OpenSSF and other expert groups, outlining tasks, processes, artifacts, and configurations that enhance software development and consumption security. By adhering to the Baseline, developers can lay a foundation that supports compliance with global cybersecurity regulations, such as the EU Cyber Resilience Act (CRA) and U.S. National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF).

“We’ve gotten helpful feedback from projects involved in the pilot rollout, including adoption commitments from GUAC, OpenVEX, bomctl, and Open Telemetry,” said Stacey Potter, Independent Open Source Community Manager, after helping lead the OSPS Baseline pilot efforts. “We know it can be tough to navigate all the security standards out there, so we built a framework that grows with your project. Our goal is to take the guesswork out of it and help maintainers feel confident about where they stand, without adding extra stress. It’s all about empowering the community and making open source more secure for everyone!”

“I’m excited to see the release of OSPS Baseline,” said Ben Cotton, Open Source Community Lead at Kusari & OSPS Baseline co-maintainer. “This effort provides actionable, practical guidance to help developers achieve appropriate security levels for their projects. Too often, security advice is vague or impractical, but Baseline aims to change that. Every improvement to open source security strengthens the modern software ecosystem, making it safer for everyone.”

OpenSSF invites open source developers, maintainers, and organizations to make use of the OSPS Baseline. Through engaging with this initiative, stakeholders can also contribute to refining the framework and promoting widespread adoption of security best practices in the open source community.

For more information and to get involved, please visit the OSPS Baseline website or GitHub.

Supporting Quotes:

“The OSPS Baseline release is an important step toward efficiently addressing the security and resilience of open source projects. Open source stewards, manufacturers who rely on open source, and end users will all benefit long-term as this community-defined criteria shines light on project security best practices.”

 – Eddie Knight, Open Source Program Office Lead at Sonatype and OSPS Baseline Project Lead

“We applaud the launch of the OSPS Baseline as a crucial initiative in bolstering the security landscape of open source projects. At TestifySec, we recognize the importance of robust security frameworks like the OSPS Baseline in safeguarding software integrity and enhancing resilience against evolving cyber threats. We look forward to leveraging these guidelines to further fortify our commitment to delivering secure solutions for our clients and the broader open source community.” 

– Cole Kennedy, Co-Founder and CEO of TestifySec

“Security is a fundamental priority for the cloud native ecosystem, and the OSPS Baseline represents a major step forward in providing clear, actionable guidance for projects of all sizes. By establishing a tiered framework that evolves with project maturity, OSPS Baseline empowers maintainers and contributors to adopt security best practices that are scalable and sustainable. The CNCF is proud to support efforts like this that strengthen open source software at every level of development and we look forward to collaborating with the OpenSSF on adoption.”

– Chris Aniszczyk, Chief Technology Officer, Cloud Native Computing Foundation

“As open source has become integral in most of our technology stacks, it has become increasingly critical to streamline and standardize the security expectations between open source maintainers and consumers.  By synthesizing the requirements and controls from a variety of laws, regulations, and standards, the OpenSSF Baseline provides a clear roadmap for open source consumers to understand their security foundations.”

– Evan Anderson, Principal Software Engineer at Stacklok and Open Source Maintainer

“The Open Source Project Security Baseline is a vital tool for enhancing the security of open source projects. By offering a comprehensive set of actionable measures, the Security Baseline provides effective guidance for all stakeholders in the open source ecosystem – manufacturers, stewards, and projects alike – to collaboratively assume responsibility and take meaningful steps to secure the open source supply chain on which we all rely.”

– Per Beming, Chief Standardization Officer at Ericsson

***

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org.

Media Contact
Noah Lehman
The Linux Foundation
nlehman@linuxfoundation.org

Dec 09
Love0

In the Face of Mounting Regulatory Oversight, Honda and Guidewire Join Industry Leaders Securing Software Development at the Open Source Security Foundation (OpenSSF)

By Blog, Press Release

Growing Member Base and Launch of SOSS Community Day India Continue to Advance Open Source Software Security

Delhi, India – December 10, 2024 – The Open Source Security Foundation (OpenSSF), a global cross-industry initiative of the Linux Foundation, helps individuals and organizations build secure software by providing guidance, tools, and best practices applicable to all software development. Today, the OpenSSF announced new members from the automotive and insurance technology industries at the first-of-its-kind Secure Open Source Software (SOSS) Community Day India. SOSS Community Day India brings together community members from across the security and open source ecosystem to share ideas and advance solutions for sustainably securing the software we all depend on, building a foundation for a more secure and innovative future.

New general member commitments come from Honda Motor Co., Ltd. and Guidewire Software, Inc. With support from these new organizations, the OpenSSF heads into the last month of 2024 with 126 members that together recognize the importance of backing, maintaining, and promoting secure open source software.

“We are excited to welcome our newest members and celebrate this milestone with the launch of the first SOSS Community Day in India,” said Arun Gupta, Vice President and General Manager of Developer Programs at Intel and OpenSSF Governing Board Chair. “India has an incredible open source ecosystem, and this event provides an opportunity to foster collaboration, address shared challenges, and ensure the security of the open source software powering the digital world. Together, we’re building a more secure and innovative future.”

SOSS Community Day India features a packed agenda with sessions led by top experts on topics like education, innovation, tooling, vulnerabilities, and threats. The event not only highlights the OpenSSF community’s ongoing work, but also provides an avenue to expand its reach through new partnerships and memberships, welcoming inquiries from potential collaborators. Participants will see how the OpenSSF community is driving improvements in open source software security and advancing its mission to create a more secure ecosystem for everyone.

General Member Quotes

Honda Motor Co., Ltd.

“Honda is pleased to be able to participate in the OpenSSF project as OSS security becomes increasingly important. In addition to contributing to the OpenSSF community, we look forward to working to strengthen OSS security across the industry in the future.” Yuichi Kusakabe, Chief Architect – IVI software PF/OSPO Tech Lead, Honda Motor Co., Ltd.

Guidewire Software, Inc.

“We’re excited to become a member of OpenSSF,” said Anoop Gopalakrishnan, vice president, Engineering, Guidewire. “This partnership reflects our continued commitment to advancing open source security and collaborating with like-minded innovators to create a more secure and resilient software ecosystem.” 

Additional Resources

  • View the complete list of OpenSSF members.
  • Explore the SOSS Community Day India program schedule to see the lineup of sessions and speakers.
  • To learn more about the OpenSSF community, including information about membership, contribution, project participation, and more, contact us here.

###

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org.

About the Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, OpenChain, OpenSSF, PyTorch, RISC-V, SPDX, Zephyr, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contact
Jennifer Tanner
Look Left Marketing
openssf@lookleftmarketing.com

Oct 29
Love0

OpenSSF Welcomes New Members and Introduces New Initiatives at SOSS Community Day Japan

By Blog, Press Release

Growing Member Base and New Initiatives Continue to Advance Open Source Software Security

TOKYO, JAPAN – October 30, 2024 – The Open Source Security Foundation (OpenSSF), a global cross-industry initiative of the Linux Foundation that focuses on sustainably securing open source software (OSS), is excited to announce new members from leading technology, security, and research firms. The OpenSSF is also thrilled to host Secure Open Source Software (SOSS) Community Day at Open Source Summit Japan 2024, bringing together community members, maintainers, and contributors from across the globe.

New general member commitments from Arm, embraceable AI and Fujitsu along with new associate member commitments from Ruby Central and Trifecta Tech further strengthen the support for open source software security. With backing from these new organizations, the OpenSSF heads into the final quarter of 2024 with a robust member base dedicated to promoting a strong, vibrant, and secure open source software ecosystem.

“The addition of our newest members to the OpenSSF highlights the growing global commitment to strengthening open source software security,” said Arun Gupta, Vice President and General Manager, Developer Programs at Intel and OpenSSF Governing Board Chair. “By joining forces, we can address security challenges, foster innovative solutions, and build a safer digital future for everyone. With the support of these new members, we are further enabled to drive forward our shared mission.”

To celebrate its growing community, the OpenSSF is hosting SOSS Community Day Japan at Open Source Summit Japan 2024. SOSS Community Day Japan is an opportunity for community members from across the open source security ecosystem to come together and share ideas. With an agenda packed with sessions led by industry experts, the event will cover critical topics like education, innovation, tooling, vulnerabilities, and threats, showcasing the ongoing efforts of the OpenSSF community to enhance open source software security.

General Member Quotes

Arm

“At Arm, we recognize that collaboration is key to advancing the security of the global software ecosystem. By joining OpenSSF, we look forward to contributing to its mission of raising the bar on open source software security and underscoring our dedication to fostering standardization across the industry to give developers the confidence and tools they need to innovate.”

— Andrew Wafaa, Senior Director and Fellow, Software Communities, Arm

embraceable AI

“Security in the realm of AI is not just a feature; it’s the foundation of trust. As we empower enterprises with intelligent services, we prioritize safeguarding data and ensuring privacy, so our clients can innovate fearlessly.”  

— Dr.-Ing. Christian Gilcher, General Manager, embraceable AI 

Fujitsu

“Fujitsu is proud to have achieved conformance with OpenChain ISO/IEC 18974, demonstrating our commitment to open source compliance and excellence. Our next step is to join the OpenSSF. We take our dedication a step further to enhance the security and trustworthiness of the global software supply chain. Open source software is a key driver of innovation, and we look forward to collaborating with the OpenSSF community to ensure the resilience and transparency of the technologies shaping our future.”

— Teppei Asaba, Senior Director, Mission Critical System Business Unit, Fujitsu Limited

Associate Member Quotes

Ruby Central

“Joining OpenSSF aligns perfectly with Ruby Central’s commitment to advancing the security of open source ecosystems. By collaborating with OpenSSF and its community of forward-thinking organizations, we’re excited to bring our expertise from the Ruby ecosystem and work together on solutions that enhance the security and sustainability of open source software for all developers.”

— Marty Haught, Interim Open Source Lead, Ruby Central

Trifecta Tech

“We are excited to join the OpenSSF as an associate member as we continue to actively contribute to the security of the open source software we all rely on. Trifecta Tech Foundation is a non-profit working on safer software for the underlying infrastructure of the Internet and vital systems for water, energy, and communication. We develop and maintain open source software and contribute to open standards for these essential systems. Our projects include memory-safe alternatives to critical pieces of software like sudo, the Network Time Protocol, and zlib.”

— Erik Jonkers, Chair, Trifecta Tech Foundation

New Initiatives 

In addition to welcoming new members, OpenSSF is excited to announce several new initiatives aimed at bolstering open source software security.

Minder: contributed by Stacklok, is now a sandbox project within OpenSSF. Minder simplifies the integration and use of powerful security tools like OSV, OpenSSF Scorecard, and Sigstore, allowing developers and security teams to establish policies on code repositories and dependencies, reducing risk before and after code is merged.

bomctl: A format-agnostic Software Bill of Materials (SBOM) tooling project introduced in September 2024, aimed at enhancing SBOM generation and management across various formats.

Zarf: created by Defense Unicorns, launched in July 2024, Zarf is a free, open source tool enabling continuous software delivery on systems disconnected from the internet, facilitating secure software distribution in air-gapped environments.

These new initiatives demonstrate the OpenSSF’s continued dedication to fostering innovation and providing tools to enhance open source software security across diverse use cases.

Additional Resources

  • View the complete list of OpenSSF members.
  • To learn more about the OpenSSF community, including information about membership, contribution, project participation, and more, contact us.

###

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit openssf.org.

About the Linux Foundation

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, OpenChain, OpenSSF, PyTorch, RISC-V, SPDX, Zephyr, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page. Linux is a registered trademark of Linus Torvalds.

Media Contact
Jennifer Tanner
Look Left Marketing
openssf@lookleftmarketing.com

We envision a future where OSS is universally trusted, secure, and reliable. Join us in making open source more secure.

Get Involved
Close Menu