
Welcome to the February 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.
Join us at OpenSSF Community Day Events in North America and Europe 2025!
OpenSSF Community Days bring together security and open source experts to drive innovation in software security.
- Denver, Colorado – June 26, 2025
- Amsterdam, Netherlands – August 28, 2025
✅ Secure your spot – Register today!
✅ Have insights to share? Submit to speak before CFP closes!
✅ Support the mission – Become a sponsor!
Join us in shaping a safer and more secure digital world.
OpenSSF Announces Initial Release of the Open Source Project Security Baseline
The Open Source Security Foundation (OpenSSF) has announced the initial release of the Open Source Project Security Baseline (OSPS Baseline)—a new initiative designed to help open source projects enhance their security posture through tiered best practices. The OSPS Baseline aligns with global cybersecurity frameworks, including the EU Cyber Resilience Act (CRA) and NIST Secure Software Development Framework (SSDF), making it easier for maintainers and contributors to adopt practical security measures.
With adoption commitments from projects like GUAC, OpenVEX, bomctl, and Open Telemetry, the OSPS Baseline is already helping open source communities strengthen their security foundations. This release marks a significant step toward providing maintainers with clear, actionable security guidance that grows alongside their projects. Learn more.
Does the EU CRA affect my business?
The European Union’s Cyber Resilience Act (CRA), which came into effect on December 10, 2024, introduces significant cybersecurity requirements for products sold or commercially available in the EU market. With wide-ranging impacts set to take effect by November 2026, businesses must assess whether they fall under the CRA’s scope and take necessary steps for compliance.
This blog provides key insights into how the CRA applies to Products with Digital Elements (PDEs), its implications for manufacturers, businesses, and open source projects, and what steps organizations need to consider. While some view it as an added burden, cybersecurity professionals see it as an opportunity to strengthen security practices across the software supply chain.
If you develop software, hardware, or services that interact with digital products in the EU, understanding the CRA is critical. Read the full blog to determine if the CRA affects your business and how you can prepare for compliance.
Securing Public Sector Supply Chains is a Team Sport
Everyone is increasingly aware that software supply chain security is critical, but the challenges in the public sector come with added complexity—stringent policies, high-risk exposure, and slow approval processes. In this blog, Daniel Moch (Lockheed Martin) explores the unique security hurdles faced by public sector organizations and how the open source community, alongside OpenSSF, can help mitigate them.
From SLSA Provenance and VEX adoption to reputation-based contributor scoring, the blog outlines practical ways to enhance supply chain transparency and security. Read on to discover how collaborative efforts can make software security stronger for everyone. Read the blog here.
Linux Foundation Europe and OpenSSF Launch Initiative to Prepare Maintainers, Manufacturers, and Open Source Stewards for Global Cybersecurity Legislation
Linux Foundation Europe and OpenSSF have launched a global initiative to help open source communities navigate the EU Cyber Resilience Act (CRA) and worldwide cybersecurity regulations. The effort will focus on cybersecurity standards, compliance frameworks, and tooling to support maintainers and manufacturers. Learn more about this collaborative effort and how to get involved. Read the announcement here.
Alpha-Omega 2024 Annual Report
Alpha-Omega’s 2024 Annual Report highlights major strides in open source security, including $6 million in grants to strengthen critical projects like the Linux kernel, Python Software Foundation, and RubyGems. Through funding, security audits, and scaled vulnerability fixes, Alpha-Omega has helped build a sustainable security culture across the open source ecosystem. Discover the impact of these investments and the vision for 2025 in the full report. Read the blog and full report here.
News from OpenSSF Community Meetings and Projects:
- Help OpenSSF improve by taking 5 minutes to fill out our Community Survey.
- GUAC published its 2024 in review.
- Global Cyber Policy WG had in-person meetups at FOSDEM. Notes here. They are setting up a new meeting series and drafting a mission statement for the EU CRA Standardization SIG https://doodle.com/group-poll/participate/dL0rpGWd.
- SLSA completed and merged updates to its governance document.
- gittuf released version 0.9.0.
- SBOM Everywhere SIG previewed using AI tooling to help update the SBOM Landscape catalog.
- OpenSSF Scorecard has a new donation submission for an Azure Pipelines task.
- Central now performs Sigstore Signature Validation (Java) https://central.sonatype.org/news/20250128_sigstore_signature_validation_via_portal/
- Securing Software Repositories WG is hiring a technical writer to create guidance on when to allow a previously published package to be deleted from software repositories.
- Three Working Groups submitted new quarterly updates to the TAC: BEAR, Vulnerability Disclosure, and Supply Chain Integrity.
- Protobom added Allen Shearin as a maintainer.
- Security Baseline has two open pull requests to refactor the baseline compiler, extending the CLI to support more use cases and making the loader and generator easier to use.
In the News:
- Tech.eu: Linux Foundation Europe and OpenSSF Launch Initiative for EU Cyber Resilience Act Compliance
- ADTMag: Linux Foundation and OpenSSF to Help Developers Navigate EU Cyber Resilience Act
Meet OpenSSF at These Upcoming Events!
- OpenSSF Policy Summit DC 2025: March 4, 2025
- OpenSSF Community Day North America 2025: June 26, 2025
- OpenSSF Community Day Europe 2025: August 28, 2025
You’re invited to…
- Join a Working Group or Project
- Chat with us on Slack
- Follow us on X, Mastodon, Bluesky, and LinkedIn
See You Next Month!
We want to get you the information you most want to see in your inbox. Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month!
Regards,
The OpenSSF Team