
TL;DR:
- 💰 $12.5M New Funding → Anthropic, AWS, Google, and more invest in OSS & AI security
- 🤝 Ambassador Program Launch → New global initiative to empower community leaders
- 🛠️ No-Cost Tooling → Kusari Inspector now free for OpenSSF project maintainers
- 💎 The Gemara Model → A new 7-layer framework for GRC and automated risk assessment
OpenSSF Celebrates New Members, No-Cost Tooling, and Project Milestones
Announced at Open Source SecurityCon Europe, the OpenSSF welcomes Helvethink, Spectro Cloud, and Quantrexion as its newest members. This update also highlights the release of the Kusari Inspector as a no-cost tool for OpenSSF projects to help maintainers visualize and secure their software supply chains. Read more.
Leading Tech Coalition Invests $12.5 Million Through OpenSSF and Alpha-Omega to Strengthen Open Source Security
A major coalition including Anthropic, Amazon Web Services (AWS), GitHub, Google, Google DeepMind, Microsoft, and OpenAI has committed $12.5 million in new funding. Managed by the Alpha-Omega project and OpenSSF, this investment aims to improve sustainable security solutions, focus on vulnerability remediation, and address the security of the AI ecosystem. Read the blog to learn more.
Introducing the OpenSSF Ambassador Program
The OpenSSF has officially launched the Ambassador Program, a global initiative to empower community leaders to promote secure development practices. Ambassadors will play a key role in mentoring others, contributing to working groups, and representing the Foundation at industry events worldwide. Learn more about the program and apply now.
Kusari Partners with OpenSSF to Strengthen Open Source Software Supply Chain Security
In a new partnership, OpenSSF member Kusari is providing its Inspector tool to OpenSSF project maintainers for free. This tool integrates directly into development workflows to provide real-time insights into dependencies, helping teams catch vulnerabilities and licensing issues before code is merged. Learn more.
KubeCon + CloudNativeCon Europe 2026 Co-located Event Deep Dive: Open Source SecurityCon
Taking place in Amsterdam, Open Source SecurityCon brings together the cloud-native community to tackle the most pressing threats in the software supply chain. The event features deep dives into AI security, policy, and collaborative tools for maintainers and operators. Read the Open Source SecurityCon Europe deep dive from OpenSSF community members Brandt Keller (Defense Unicorns) and Constanze Roedig.
Securing Agentic AI in Practice: From OpenSSF Guidance to Real-World Implementation
As AI agents gain more autonomy, new risks emerge. This post recaps the recent OpenSSF Tech Talk, "Securing Agentic AI in Practice: From OpenSSF Guidance to Real-World Implementation," which explores the implementation of the SAFE-MCP framework and provides practical guidance on managing trust, provenance, and secure interactions between AI models and users. The Tech Talk is now available to watch on demand, and the slide deck is available to download.
First Steps Towards Cyber Resilience Act Conformity: Biking the CRA with Balena at FOSDEM 2026
Following a presentation at FOSDEM 2026, OpenSSF community member Harald Fischer (balena) uses a bicycle metaphor to break down the complexities of the EU Cyber Resilience Act (CRA). The post offers a practical introduction to cybersecurity risk management and the steps projects must take to achieve conformity. Read the blog.
Introducing the Gemara Model
OpenSSF community members Eddie Knight (Sonatype), Hannah Braswell (Red Hat), and Jenn Power (Red Hat) introduce Gemara, a seven-layer model for Governance, Risk, and Compliance (GRC) engineering. Much like the OSI model for networking, Gemara aims to bridge the gap between compliance officers and engineers by providing a standardized framework for automated risk assessment. Learn more about Gemara.
Your Voice Belongs Here: How to Get Involved in the OpenSSF Community
Are you new to the foundation? This guide outlines the various “User Journeys” available to contributors. Whether you are a developer looking to join a Working Group (like Best Practices or Supply Chain Integrity) or a security researcher, this post explains how to start making an impact. Read the blog and start your journey with OpenSSF here.
Case Study: Defending the Open Source Supply Chain in a New Regulatory Era
This case study examines the intersection of security and policy, specifically looking at how OpenSSF’s Premier Member Red Hat and the OpenSSF are navigating new global regulations. It provides a roadmap for how organizations can maintain compliance while fostering a vibrant and secure open source ecosystem. Read the Case Study.
What’s In the SOSS? An OpenSSF Podcast
In this episode, CRob talks with Mike Lieberman from Kusari about the current state of open source security. They discuss the growing burden on maintainers from the “deluge” of noisy, low-quality vulnerability reports, often generated by AI tools, and the vital role of “a human in the loop.”
In this episode of What’s in the SOSS? host Sally Cooper sits down with Yesenia Yser, co-lead of the OpenSSF Mentorship Program and the BEAR Working Group, and Kairo De Araujo, Open Source Software Engineer and mentor for rstuf. They dive into the success of the OpenSSF Mentorship Program, which focuses on bringing underrepresented voices into software security.
Hannah Braswell and Jenn Power, Security Engineers from Red Hat and contributors to the OpenSSF, join host Sally Cooper to discuss the Gemara project. Gemara, an acronym for GRC Engineering Model for Automated Risk Assessment, is a seven-layer logical model that aims to solve the problem of incompatibility in the GRC (Governance, Risk, and Compliance) stack.
News from OpenSSF Community Meetings and Projects:
- OpenSSF Scorecard has drafted a 2026 roadmap and OSPS Baseline conformance proposal.
- The European Commission released draft guidance on the Cyber Resilience Act and the Global Cyber Policy WG is collecting comments for review and submission to the public consultation.
- SLSA is finalizing a new website build strategy.
- OpenBao released v2.5.1.
- The Vulnerability Disclosures and BEAR working groups presented quarterly updates to the TAC.
- The ORBIT Launchpad SIG has a poll open to identify the best time for its bi-weekly meeting.
- OSSAfrica and OpenSSF are hosting a panel discussion on March 27 at 3 pm ET: Advancing Open Source Security in Africa.
- Our Live Stream, Security in an Open World, is available on YouTube.
- SLSA is working on a refactor of the Source Tool.
- The Vulnerability Disclosures WG continued drafting Best Practices for Open Source Maintainers Responding to AI Slop.
- Security Insights approved a proposal to create a website to make it easier to create or edit Security Insights files.
- Minder released v0.1.2.
In the News:
- Axios, Sam Sabin: AI agents spam the volunteers securing open-source software
- betanews, Wayne Williams: The Linux Foundation secures $12.5 million to boost open source security
- CFOtech Asia, Staff: Linux Foundation secures USD $12.5m for AI security
- +23 unique postings on TechDay sister sites like SecurityBrief US
- CFOtech US, Sofiah Nichole Salivio: OpenSSF adds members, boosts AI & supply chain security
- +7 unique postings on TechDay sister sites like eCommerce News UK
- Cyber Technology Insights, Staff: Big Tech Backs Open Source Security Ecosystem
- DevOps Digest, Pete Goldin: Linux Foundation Announces $12.5 Million in Grant Funding
- DevOps.com, Mike Vizard: Google, Microsoft and Peers Donate to Support Overloaded Open Source Maintainers
- diginomica, Alyx MacQueen: Open source maintainers are drowning in AI-generated security noise – $12.5 million is being deployed to throw them a lifeline
- Dutch IT Leaders, Witold Kepinski: Linux Foundation arms open source against a flood of AI attacks
- EdTech Innovation Hub, Staff: Tech giants commit $12.5M to open source security as AI pressure grows
- Heise Online, Martin Holland: AI Slop vs. Open Source: AI Industry to Help with 12.5 Million US Dollars
- Help Net Security, Sinisa Markovic: Big tech companies step in to support the open source security ecosystem
- HPCwire, Jaime Hampton: Linux Foundation Announces $12.5M in Grant Funding to Advance Open Source Security
- IT Brew, Billy Hurley: Linux Foundation gets funding boost from Big Tech
- IT Pro, Emma Woollacott: Big tech is clamping down on open source ‘AI slop’ reports
- It’s FOSS, Sourav Rudra: AI Companies Put $12.5M Into Open Source Security to Fix a Problem Their Tools Helped Create
- ITOps Times, David Rubenstein: Linux Foundation to Use $12.5M in Grant Funding to Advance Open Source Security
- Linux Magazin, Ulrich Bantle: Allianz aims to promote the open source software supply chain
- Neowin, David Uzondu: Google announces multi-million dollar investment in open source security
- Phoronix, Michael Larabel: Microsoft, OpenAI & Others Pony Up $12.5M To Strengthen Open-Source Security
- Pulse 2.0, Amit Chowdhry: Linux Foundation: $12.5 Million Raised For Open Source Security Initiative
- SecurityWeek, Ionut Arghire: Tech Giants Invest $12.5 Million in Open Source Security
- Techzine, Mels Dees: Linux Foundation receives 12.5 million for open source security
- +2 unique regional postings on Techzine Global
- The Register, Simon Sharwood: Linux Foundation kicks off effort to shield FOSS maintainers from AI slop bug reports
- theCUBE, Rob Strechay: KubeCon + CloudNativeCon EU 2026 Preview: AI, Sovereignty, and the Rise of Cloud-Native as the Control Plane
- UC Today, Kristian McCann: Securing Open Source: Google and Industry Giants Unite to Protect “Internet’s Backbone”
- Windows Report, Milan Stanojevic: Google Leads $12.5M Push to Secure Open Source Against AI Threats
Meet OpenSSF at These Upcoming Events!
- Open Source Summit North America – May 18 – 20, 2026
- OpenSSF Community Day North America – May 21, 2026
- OpenSSF Community Day Europe 2026 – October 6, 2026
- Open Source Summit Europe 2026 – October 7 – 9, 2026
Ways to Participate:
There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.
You’re invited to…
- Join a Working Group or Project
- Chat with us on Slack
- Follow us on X, Mastodon, Bluesky, and LinkedIn
See You Next Month!
We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!
Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month!
Regards,
The OpenSSF Team