
TL;DR:
- 🚀 OpenSSF Community Day NA → Agenda live, read the session highlights.
- ⚖️ TPN & SBOM Evolution → New frameworks aim to turn “dead” PDF notices and static SBOMs into active security intelligence.
- 🤖 Agentic AI Security → OpenSSF welcomes OSS-CRS and examines using SAFE-MCP to secure non-deterministic AI agents.
- 📦 Project Milestones → Gemara v1.0.0 released; Security Slam 2026 honors projects meeting rigorous security baselines.
- 🎓 Policy & Skills → CRA Readiness Guide for Maintainers and Developers in progress and LFD121 updated to align with the Cybersecurity Skills Framework.
Secure Your Spot: The OpenSSF Community Day North America 2026 Agenda is Live!
Join the open source community on May 21 in Minneapolis for a day of collaboration and technical insight. This year’s agenda spans the entire security spectrum — from practical sessions on trusted publishing and SBOM transparency to forward-looking deep dives into AI-driven security orchestration and post-quantum cryptographic readiness. Read the Agenda Highlights | View the Agenda | Register Now
Why Third-Party Notices Are Breaking at Scale: What the Ecosystem Needs Next
Third-Party Notices (TPNs) are the “last mile” of compliance, yet they remain stuck in unstructured PDF formats that defy automation. This post explores a new framework to transform these static documents into machine-readable security intelligence for better vulnerability management. Read the blog.
From Noise to Signal: Using Runtime Context to Win the Vulnerability Management Battle
With CVE disclosures hitting record highs, static analysis alone is no longer enough to manage alert fatigue. Read the blog and learn how integrating runtime context can help security teams prioritize the 15% of vulnerabilities actually loaded in production, reducing backlogs by over 95%.
Security Slam 2026: Celebrating Our Security Champions and Project Milestones
The 2026 Security Slam has concluded, recognizing open source projects like Privateer and CloudNativePG for achieving rigorous security baselines. This recap celebrates the contributors and “Security Champions” who moved the needle on ecosystem-wide protection.
OpenSSF Tech Talk Recap: Securing Agentic AI
AI agents are non-deterministic, creating unique security risks like “confused deputy” problems and prompt injection. Experts from Canonical, Microsoft, and Thread AI discuss the “Seven-Layer Cake” of AI infrastructure and introduce SAFE-MCP, a new threat catalog for the AI era. Read the recap, watch the on-demand recording.
Rethinking Post-Deployment Vulnerability Detection
Security doesn’t end at build time, yet many organizations lack visibility into vulnerabilities that emerge after code hits production. This blog argues for using SBOMs as “digital twins” to continuously synchronize live systems with real-time vulnerability feeds without the need for intensive rescanning. Read the blog.
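The two blurbs above describe the same workflow from different angles: keep the SBOM as the record of what shipped, re-match it against a vulnerability feed as advisories arrive instead of rescanning the artifact, and then use runtime context to rank what is actually loaded. The following script is an added illustration written for this newsletter, not code from either blog post or from any OpenSSF project. The SBOM, the advisory feed (OSV-style JSON with placeholder `EXAMPLE-` identifiers, not real CVEs) and the list of loaded packages are all constructed inline; the purl-to-ecosystem mapping and the dotted-integer version comparison are simplifications chosen for the example.

```python
"""Match an SBOM against a vulnerability feed, then rank findings by runtime context.

Added example for illustration; the SBOM, feed and loaded-package list below are constructed.
"""
import json

# Constructed CycloneDX-style SBOM (not a real project's SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libexample", "version": "1.2.3", "purl": "pkg:pypi/libexample@1.2.3"},
    {"type": "library", "name": "fastjsonx", "version": "0.9.0", "purl": "pkg:pypi/fastjsonx@0.9.0"},
    {"type": "library", "name": "utilkit",   "version": "2.0.1", "purl": "pkg:pypi/utilkit@2.0.1"}
  ]
}
"""

# Constructed OSV-style advisories; the IDs are placeholders, not real CVE/GHSA identifiers.
FEED_JSON = """
[
  {"id": "EXAMPLE-2026-0001", "affected": [{"package": {"ecosystem": "PyPI", "name": "libexample"},
     "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "1.0.0"}, {"fixed": "1.2.4"}]}]}]},
  {"id": "EXAMPLE-2026-0002", "affected": [{"package": {"ecosystem": "PyPI", "name": "fastjsonx"},
     "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "0.8.5"}]}]}]},
  {"id": "EXAMPLE-2026-0003", "affected": [{"package": {"ecosystem": "PyPI", "name": "utilkit"},
     "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "2.0.0"}]}]}]}
]
"""


def parse_version(v: str) -> tuple:
    """Dotted-integer versions only (assumption); pad to three parts so 1.2 == 1.2.0."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version: str, events: list) -> bool:
    """OSV range semantics: affected from 'introduced' (inclusive) until 'fixed' (exclusive).

    Events are assumed to be in ascending version order, as OSV requires.
    """
    v = parse_version(version)
    affected = False
    for ev in events:
        if "introduced" in ev and v >= parse_version(ev["introduced"]):
            affected = True
        if "fixed" in ev and v >= parse_version(ev["fixed"]):
            affected = False
    return affected


def ecosystem_of(purl: str) -> str:
    """Map the purl type to the OSV ecosystem name (small subset; an assumption of this example)."""
    ptype = purl.split(":", 1)[1].split("/", 1)[0]
    return {"pypi": "PyPI", "npm": "npm", "golang": "Go", "cargo": "crates.io"}.get(ptype, ptype)


def match_sbom(sbom: dict, feed: list) -> list:
    """Return one finding per (advisory, component) pair whose version falls in an affected range."""
    findings = []
    for comp in sbom["components"]:
        eco = ecosystem_of(comp["purl"])
        for adv in feed:
            for aff in adv["affected"]:
                pkg = aff["package"]
                if pkg["name"] != comp["name"] or pkg["ecosystem"] != eco:
                    continue
                for rng in aff.get("ranges", []):
                    if rng["type"] == "ECOSYSTEM" and is_affected(comp["version"], rng["events"]):
                        findings.append({"id": adv["id"], "purl": comp["purl"]})
    return findings


def prioritize(findings: list, loaded_purls) -> list:
    """Runtime context: findings for components actually loaded in production sort first."""
    loaded = set(loaded_purls)
    for f in findings:
        f["loaded"] = f["purl"] in loaded
    return sorted(findings, key=lambda f: (not f["loaded"], f["id"]))


def run(loaded_purls=("pkg:pypi/utilkit@2.0.1",)) -> list:
    """Re-evaluate the stored SBOM against the current feed; no rescan of the artifact needed."""
    sbom = json.loads(SBOM_JSON)
    feed = json.loads(FEED_JSON)
    return prioritize(match_sbom(sbom, feed), loaded_purls)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Re-running `run()` whenever the feed changes is the "digital twin" step; the `loaded_purls` argument is where a runtime agent's view of what is actually mapped into the process would be plugged in. For real ecosystems replace `parse_version` with the ecosystem's own comparator (PEP 440 for PyPI, semver for npm), since dotted-integer ordering does not handle pre-release or epoch syntax.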
From AIxCC to OpenSSF: Welcoming OSS-CRS to Advance AI Driven Open Source Security
Born from DARPA’s AI Cyber Challenge, the OSS-CRS project is officially joining the OpenSSF. This orchestration framework enables autonomous systems to find and fix bugs at scale, bridging the gap between experimental AI research and practical open source defense. Read the blog to learn more.
What’s in the SOSS? An OpenSSF Podcast:
Host CRob sits down with Brian Fox, Co-founder and CTO of Sonatype, to discuss the friction between rapid AI adoption and foundational software security. Brian shares insights from the 11th annual State of the Software Supply Chain Report, revealing the emergence of “slop squatting” and the high frequency of AI models recommending non-existent or vulnerable dependencies.
News from OpenSSF Community Meetings and Projects:
- Generative AI is transforming open source software development. How are developers using these tools, and how are their job duties shifting? What is the general sentiment, and what unique challenges and opportunities are emerging? Your insight will provide critical evidence on how generative AI is reshaping collaboration patterns and what open source foundations should do. Please share your experience with us!
- OpenSSF Vulnerability Disclosures Working Group (WG) is seeking to understand the impact of AI-Slop, AI-generated low-quality vulnerability reports, on open source projects and the other participants of the Vulnerability Disclosure Process (VDP). Take the survey by May 31, 2026.
- CFPs are open for AGNTCon + MCPCon in North America and Europe.
- Gemara reached a major milestone with its v1.0.0 release, which defines a complete set of schemas and stabilizes the Layer 2 (Controls) and Layer 5 (Evaluation) schemas.
- Security Insights is recommended by ENISA in its forthcoming Secure by Design and Default Playbook.
- The Best Practices WG completed modifications to LFD121 (“Developing Secure Software”) to cover 12 areas of the Cybersecurity Skills Framework (CSF).
- The Global Cyber Policy WG is working on a CRA Readiness Guide for Maintainers and Developers.
- The OpenSSF Global Cyber Policy Working Group is gathering community feedback for the revision of the EU Cybersecurity Act (CSA) and targeted amendments to the NIS2 Directive, as well as for the ENISA “Secure by Design and Default” Playbook for SMEs.
- The monthly CRA meeting recording is now available, featuring a discussion on the community’s perspective regarding third-party conformity assessment under the CRA and an overview of Balena’s path to CRA compliance. Watch the recording here.
- OpenSSF submitted feedback on the European Commission’s draft Guidance on the CRA, welcoming it as a significant step toward practical implementation. Learn more.
- The Vulnerability Disclosures WG has opened a Community Survey on AI-Slop Impact.
- Alpha-Omega recently supported security audits for PyPI, Hex, and RubyGems and committed $250k to the Apache Software Foundation’s Responsible AI Initiative.
In the News:
- diginomica, OpenSSF’s CRob on why open source security is still a people problem – and why AI is making it worse before it makes it better https://diginomica.com/openssfs-crob-why-open-source-security-still-people-problem-and-why-ai-making-it-worse-it-makes-it
- InfoQ, CNCF and Kusari Partner to Strengthen Software Supply Chain Security across Cloud-Native Projects
- ITdaily, Does AI mean the end of open source?
- TFiR, CRA Compliance: What Manufacturers Must Do Before December 2027
- The Register, AI bug reports went from junk to legit overnight, says Linux kernel czar
Meet OpenSSF at These Upcoming Events!
Connect with the OpenSSF Community at these key events:
- Open Source Summit North America – May 18–20, 2026
- OpenSSF Community Day North America – May 21, 2026
- European Open Source Security Forum 2026 (Invite only) – June 9, 2026
- OpenSSF Community Day Europe 2026 – October 6, 2026
- Open Source Summit Europe 2026 – October 7–9, 2026
Ways to Participate:
There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.
You’re invited to…
- Join a Working Group or Project
- Chat with us on Slack
- Follow us on X, Mastodon, Bluesky, and LinkedIn
- Join OpenSSF
See You Next Month!
We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!
Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month!
Regards,
The OpenSSF Team