
Welcome to the April 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.
TL;DR
This month, the OpenSSF highlights a new free training course, “Understanding the EU Cyber Resilience Act (CRA) (LFEL1001),” designed to help organizations prepare for the CRA’s full application by December 2027. The course covers essential requirements, roles, and compliance processes to help teams reduce risk and meet regulatory standards. The OpenSSF also invites you to join upcoming Community Day events in Japan, North America, India, and Europe to help drive collaboration in open source security. Don’t forget: submit your proposal to speak at OpenSSF Community Day Japan by April 27 and check out the live agenda for Community Day NA 2025. Explore key takeaways from VulnCon 2025, learn about the launch of Model Signing v1.0 to secure the ML supply chain, and preview our latest tech talk on global policy and the Open Source Project Security Baseline. Dive into IDC’s new research on software supply chains, and enroll in the free course on the EU Cyber Resilience Act. Stay connected with OpenSSF community updates, upcoming events, and working group news!
Tech Talk Preview: Strengthening Open Source Through Security Standards and Global Policy
Open source is the backbone of today’s digital infrastructure – but with great power comes great responsibility. As cybersecurity threats grow and global policies evolve, open source projects must meet increasing security expectations. Join Christopher “CRob” Robinson (OpenSSF) (Moderator), Ben Cotton (Kusari), Emily Fox (Red Hat) and Megan Knight (ARM) for a tech talk that dives into these challenges and highlights the OpenSSF community’s solution: the Open Source Project Security Baseline. Learn how this framework helps projects align with key standards and prepare for compliance.
Don’t miss out – register now and join the conversation to strengthen open source through community-driven security and global policy engagement.
NEW FREE COURSE: Understanding the EU Cyber Resilience Act (CRA) (LFEL1001)
With the Cyber Resilience Act (CRA) officially published as Regulation (EU) 2024/2847 and entering into force on December 10, 2024, the countdown is on for organizations to understand and prepare for its full application by December 11, 2027. The CRA introduces broad obligations for products with digital elements, aiming to reduce cybersecurity risks and increase trust in the European digital market.
To help organizations prepare, LF Education and the Open Source Security Foundation (OpenSSF) launched a free training course: “Understanding the EU Cyber Resilience Act (CRA) (LFEL1001)” – now available online.
This course covers the key requirements of the EU’s Cyber Resilience Act (CRA), including terms, roles, obligations, essential cybersecurity requirements, product markings, compliance processes, and penalties for non-compliance. It prepares decision-makers, software developers, OSS developers, and OSS stewards to navigate CRA compliance, mitigate risks, and meet regulatory standards.
Key Takeaways from VulnCon 2025: Insights from the OpenSSF Community
In “Key Takeaways from VulnCon 2025: Insights from the OpenSSF Community”, Christopher Robinson (CRob), Chief Security Architect at OpenSSF, reflects on the power of collaboration and innovation that defined this year’s VulnCon. Held in Raleigh, NC, the event brought together global security professionals to tackle pressing challenges in vulnerability management. CRob shares firsthand insights from OpenSSF’s active involvement throughout the conference and highlights the importance of metadata, open source supply chain security, and evolving global regulations such as the EU’s Cyber Resilience Act. If you’re passionate about strengthening the open source ecosystem and want to hear how the OpenSSF community is leading the charge, check out this blog.
Last chance to speak at OpenSSF Community Day Japan!
Call for Proposals closes Sunday, April 27 at 23:59 JST.
Join us in Tokyo and share your insights on open source security, tooling, education, AI, and more. Whether it’s a 5-minute lightning talk or a 20-minute session, we welcome diverse voices from across the ecosystem.
OpenSSF Community Day NA 2025 Agenda Live!
We are excited to share that the agenda for OpenSSF Community Day North America 2025 is now live! Join us on June 26 in Denver, Colorado, for a day filled with collaboration, technical insights, and future-focused conversations on securing the open source ecosystem.
Launch of Model Signing v1.0: OpenSSF AI/ML Working Group Secures the Machine Learning Supply Chain
In Launch of Model Signing v1.0: OpenSSF AI/ML Working Group Secures the Machine Learning Supply Chain, authors Mihai Maruseac (Google), Martin Sablotny (NVIDIA), Eoin Wickens (HiddenLayer), and Daniel Major (NVIDIA) introduce the first stable release of the model-signing project from the OpenSSF AI/ML Working Group. This blog presents the motivation, features, and broader goals of the project, including how model signing helps secure the integrity and provenance of machine learning artifacts across the supply chain. Read the full blog to learn how this initiative marks a key milestone toward a secure AI future and how you can get involved.
Community Member Updates:
Google Cloud and Canonical recently sponsored a new report by IDC on the State of Software Supply Chains. According to the report, which surveyed over 500 decision-makers in IT and Information Security roles, 7 in 10 responsible teams spend more than 6 hours per week on security patching. The report also reveals that compliance with regulations remains a challenge for most organizations, with more than a third of respondents reporting that they struggle to understand how regulations apply to specific systems and software components. The adoption of artificial intelligence is increasing compliance burdens, with 60% of organizations reporting that they have only basic or no security controls to safeguard their AI/ML systems.
Download the report on Canonical’s website for other interesting stats and learnings on open source supply chains.
News from OpenSSF Community Meetings and Projects:
- CFPs for OpenSSF Community Days are open for Japan, India, and Europe.
- Best Practices WG published The Memory Safety Continuum.
- Model Signing SIG released v1.0 of the Model Signing project.
- SLSA released SLSA Version 1.1 RC2 for public review and comments by April 18.
- RSTUF completed and has shared the results of its security assessment, with no critical vulnerabilities discovered.
- Global Cyber Policy WG completed the first draft of a response for the EU CRA category descriptions and it has been submitted to the PPC for review.
- Vulnerability Disclosure WG will be at VulnCon April 7-10 (registration to attend virtually is still open).
- Quarterly updates were presented to the TAC by the BEST WG, AI/ML Security WG, and Global Cyber Policy WG.
Meet OpenSSF at These Upcoming Events!
Join us at OpenSSF Community Day Events in North America, India, Japan, and Europe!
OpenSSF Community Days bring together security and open source experts to drive innovation in software security.
- Tokyo, Japan – June 18, 2025
- Denver, Colorado – June 26, 2025
- Hyderabad, India – August 4, 2025
- Amsterdam, Netherlands – August 28, 2025
Connect with the OpenSSF Community at these key events:
- RSA Conference: April 28 – May 1, 2025
- Open Source Summit NA: June 23 – 25, 2025
- DefCon 2025: August 7 – 10, 2025
- Open Source Summit EU: August 25 – 27, 2025
You’re invited to…
- Join a Working Group or Project
- Chat with us on Slack
- Follow us on X, Mastodon, Bluesky, and LinkedIn
See You Next Month!
We want to get you the information you most want to see in your inbox. Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month!
Regards,
The OpenSSF Team