Skip to main content

📣 Submit your proposal: OpenSSF Community Day Korea | Open Source SecurityCon

Tag

Cybersecurity

Member Spotlight: Trail of Bits – Driving Open Source Security Through Standards, Prototypes, and Policy

By Blog

Trail of Bits is a leading cybersecurity research, engineering, and consulting firm that works with some of the most security-conscious organizations in the world—including Facebook, government agencies like DARPA, and prominent cryptocurrency protocols. Founded in 2012, each part of the company focused on open sourcing their work- tools,research, and audits wherever possible. Trail of Bits also maintains a dedicated research division focused on advancing industry-wide security practices, with specialized teams focused on securing open source infrastructure that both their clients and the broader technology ecosystem depend upon.

Key Contributions

Trail of Bits’ work spans both policy and practice, often bridging emerging security needs with real-world implementation. Here are a few of the ways they’ve made an impact:

  1. PEP 740 – Index-Hosted Attestations for PyPI
    In 2023, Trail of Bits authored and implemented PEP 740, which introduced support for digitally signed attestations for Python packaging. This new security feature helps developers verify the integrity and origin of packages—an important step toward a more secure and trustworthy software supply chain, and already more than 270,000 package distributions have already been uploaded with attestations. 
  2. Drafting Project Lifecycle Metadata Standards
    More recently, Trail of Bits drafted a new Python Enhancement Proposal that introduces lifecycle metadata—markers like “active,” “archived,” or “maintenance only”—that could be surfaced through PyPI’s API. While still under discussion, this draft shows their continued push to improve transparency and project health visibility for the broader Python ecosystem.
  3. OpenSSF Scorecard Dashboard Prototype
    In collaboration with OpenSSF, Trail of Bits built a prototype dashboard to help visualize OpenSSF Scorecard metrics across projects and over time. While the dashboard is not yet in public use, it provided valuable insights during development—including identification of a non-functioning Scorecard check—and helped shape conversations about visibility tooling and adoption patterns.
  4. Tooling and Publications
    Trail of Bits builds and open sources custom security tools across multiple domains—including static and dynamic analysis, AI/ML security, and fuzzing capabilities—maintaining them for public use and community benefit. This dedication to open source resources extends to their publication practices, where Trail of Bits regularly shares client audits, testing methodologies, and research through detailed blog posts and comprehensive handbooks that have become essential references in the security community. 
  5. Contributions to Secure Standards
    Their work spans other critical areas of open source security, including contributions to Sigstore, Homebrew build provenance (via Alpha-Omega), and other OpenSSF working groups. They continue to advocate for secure defaults and verifiable development practices across the OSS ecosystem.

Why It Matters

As open source continues to serve as the backbone of digital infrastructure, organizations like Trail of Bits play a vital role in making it more secure, reliable, and transparent. Their ability to influence both upstream policy (like PEPs) and downstream implementation (like OpenSSF Scorecard and Sigstore) helps move the entire ecosystem forward.

Looking Ahead

Trail of Bits remains actively engaged in exploring new opportunities for impact—whether that’s contributing technical guidance, launching prototypes, or leading standards discussions. Their work reflects the spirit of OpenSSF collaboration: practical, community-oriented, and always evolving.

Learn More

Visit trailofbits.com to explore their research and tooling.
To get involved in OpenSSF projects or working groups, visit openssf.org.

What’s in the SOSS? Podcast #31 – S2E08 Cybersecurity Framework Launch

By Podcast

Summary

In this episode of What’s in the SOSS, host CRob interviews Clyde Seepersad from the LF Education Department. They discuss Clyde’s journey into open source, the role of LF Education in supporting the community, and the importance of cybersecurity education. They also delve into the development of the Cybersecurity Skills Framework, emphasizing the need for continuous learning and community engagement in the tech industry.

Conversation Highlights

00:00 Introduction to Open Source and LF Education
02:59 Clyde’s Journey into Open Source
05:54 The Role of LF Education in Open Source
09:00 Cybersecurity and the Global IT Cyber Skills Framework
11:59 Framework Development and Industry Collaboration
15:13 Continuous Learning and Community Engagement

Transcript

Intro Music (00:00)

Clyde Seepersad (00:02)
Five years ago, eight years ago it was “What are these container things and how are they going to make a difference?” Fifteen years ago it was “What is this hypervisor and how’s it going to make a difference?” We’re having a moment now where there’s this combination of security’s super important in every single aspect.

CRob (00:20)
Welcome back to What’s in the Sauce, the OpenSSF’s podcast where we talk to interesting people that are involved in open source development and standards and supporting our amazing communities. And this is the season two we’re quite excited to have graduated on to the next level. I’m CRob, I’m one of your hosts here at the OpenSSF.

I’ve had the pleasure to be involved with this community for just under five years and I get this amazing chance to interview some amazing, interesting luminaries. And today we have a real treat. We have Clyde from the LF Education Department and they specialize in helping people understand.

open source tools and methodologies and techniques. So, Clyde, can you give us maybe a few minutes of your open source origin story and kind of explain a little bit about what LF Education does?

Clyde Seepersad (01:19)
Thanks, CRob. I’m excited to be here. I’m excited to have education be talked of as a luminary because often when we do materials, people start looking very intently at their toes and hoping that somebody else will do it. Always happy to get a platform to encourage more folks to come on in. The water is fine. I am sort of a latecomer to open source. I’ve been involved for the past 10 years or so and was off on the dark side doing my thing.

And one day a headhunter called up and said, we have this interesting opportunity. We think you’d be good for it. And at the time I was in Austin, Texas. And I thought, well, know, Austin is not that big a town. It was great to meet extra people. We’ve scheduled a 20 minute coffee and no harm, foul. And it took two and a half hours to wrap up the conversation because we just kept going and I kept thinking, I had no idea that dot, dot, dot.

And so I left that meeting, went home, told my wife that the coffee I had told her about ended up being a two and a half hour conversation and I was going to leave my job and go do this non-profit thing that she had never heard about and that I had only barely heard about several hours earlier. And it just…

CRob (02:35)
must have been some great coffee.

Clyde Seepersad (02:37)
It was good coffee. I think it got cold several times. So the refresh cycle on the coffee was good, which, you know, is important. And, It’s just been such a phenomenal ride, right? Obviously, we’re recording this, whatever, 10 days after the deep seek drop, and cool things just keep happening in collaboratively developed spaces, which is, maybe not ever was thus, but certainly ever will be thus. I think that is the new way that stuff gets done. And of course, one of our big priorities along with everybody else on planet Earth in the last few years has been the security space and trying to think about what more could and should we all be doing.

CRob (03:18)
Mm hm. So a lot of people might not be aware that the Linux Foundation has a whole group dedicated towards training and education. So maybe could you talk a little bit about your group and kind of the things that you all do for the community and our members?

Clyde Seepersad (03:33)
Technical folks like to work on technical problems, right? They like to spin up new projects. They like to work on road maps and get from beta versions to release candidates to GA to one to two to X. Some of them like to go to meetups and connect with other folks. Not terribly many like to step back and think about how will I onboard the next person who isn’t currently super excited about this. And I think that’s where this team shows up as we say, as we show up and we say, listen, we can help you with the instructional design. We can help you with the development of quizzes, with the multimedia, with the video, with the, you know, the multilingual stuff, with the production value, with the sort of mapping out of the process, with the handling of the tools that author the content.

If we, if you can work with us, because the one thing we’re not as experts in, fill in the blank, right? There’s a thousand projects at the LF. A lot of what seems scary in terms of putting education together and not just putting it together, but importantly, getting it into the hands of the right people quickly is what we can do. And so that’s what I like to brag on this team is we’re doing a lot of things that aren’t central to any one open source project or initiative, but we’re bringing a set of skills and capabilities that you typically don’t find in kind of the core maintainer community, but they’re very complimentary and we can say, we’ve got all the folks and the tools and the processes to do all the stuff that makes your, know, makes your hair hurt. Let’s work with you. Let’s work with you to get the story out. And importantly, let’s get the story out not just to the people who are already excited and way down the weeds in the GitHub repo.

Let’s get the story out to the next folks out there who, if you ask the question, and I always say to the team, the most important question we can help folks answer is what is that tech and why do I care? And that is very much about, you know, what are these technologies? What did they do that were impossible yesterday, was much easier to do, was able to do in a way that is more cost effective because it’s a shared license. Because that’s where we help, but that’s where we can really help is to bring new people into these ecosystems.

CRob (05:53)
So thinking back of your journey with the LF Education crew, what are some of the timely topics? Like what are some of the most requested things or what are you all working on? What’s your priority lately?

Clyde Seepersad (06:06)
Well, you’ll be shocked to hear that AI is on the list.

CRob (06:13)
You’re right I am shocked.

Clyde Seepersad (06:14)
Pretty much the only two topics I hear currently are security and AI. Five years ago, eight years ago, it was what are these container things and how are they going to make a difference? 15 years ago,it was what is this hypervisor and how is it going to make a difference?
And then you get the most specialized conversations and things like networking. But I think it is definitely true that we’re having a moment now where there’s this combination of security is super important in every single aspect and trying to figure out what exactly the Gen.ai future is going to look like and where we never ever have a junior software developer ever again because, quote, GitHub is pretty good at first pass stuff. You know, I think there’s a series of really active conversations around trying to envision what our future is going to look like. And both those components are front and center.

CRob (07:09)
Very nice. Well, one of the things that you and I have been collaborating on most recently is the global IT cyber skills framework. Could you maybe talk a little about where this idea came from and kind of what you’re intending to do with this project?

Clyde Seepersad (07:25)
Sure, and really appreciate all the support you’ve provided on this. It really started with a very simple observation, which is, as I listen to folks talking about cybersecurity, a lot of what the pattern we kept hearing was there are specific job functions and areas of responsibility related to cybersecurity that everybody wants to be very focused on. So whether that is intrusion detection, pen testing, there’s a lot of specialized focus on cyber. And it’s a little bit like the Sherlock Holmes story where the key clue was the dog that didn’t bark. What about all the people who aren’t cyber security specialists? They’re app developers, they’re network people, they’re database admins, getting up every morning thinking about where the latest vulnerability is going to come from. But they have not been part of the conversation.

And so I think that’s really what we’re trying to do here is to say, we have to find a way to make everybody who touches these systems part of the conversation on cybersecurity and make it easy for them to figure out what their part in the broader strategy is. security is not something you can inspect in at the end, right? It has to be there from the get-go. And that has not been…a big part of the conversation, which is not surprising when the fire is hot as you put in the water on the most immediate source of the flames, but you’re not paying as much attention yet as to where the fuel load is building up. And so think that’s really what we’re trying to, hoping to catalyze is a broader conversation around just how extensive the concept of cybersecurity is when you think about all these different roles in technology. And so it’s great that we’ve started with the specific folks that are in a CISO’s office, but we have to make sure we don’t stop there.

CRob (09:32)
Yeah, I love that kind of looking at the framework, the fact that we looked at many different job types and kind of thought about it from somebody’s career at the beginning of their career, they needed to have certain experiences. And as you evolve and kind of get more, you level up, so to speak, there’s more increasingly complex tasks that you’re asked to do with. you talk a little bit about – just give us kind of a sneak peek into the framework and kind of what went into some of this thinking.

Clyde Seepersad (10:01)
Yeah, think we, there were two things we were trying to make sure that we use as our North Star. The first was it had to be easy to use. We have to make it easy for people to have this conversation. So how can we develop something that is not intimidating, easy to use, people can see their way to the end goal where they’re using it. And the second is, can we make something that is not a special snowflake, that is industry agnostic, that’s geography agnostic? Because what you, and to have those two things be true, and you know, we worked with hundreds of folks who volunteered their time and expertise on this. Where we ended up was saying, to make it easy, we have to have it be, simple for folks to figure out where different people in their organization might slot in. So how can we group like with like? And so we went through this exercise with a group of experts and then validated it through a large form field study survey in the field. And we ended up with 14 or 15 job categories or job families.

Clyde Seepersad (11:23)
That’s not to say that there aren’t people out there who straddle lines, and there will always be, but we felt pretty good about having these categories as sort of people who are grouped together. So things like network specialists, things like database administrators, things like software developers as distinct from app developers, so smartphones. And then from a career perspective, as you alluded to, CRob, there’s this concept that there are things you need to know when you’re just starting out.

And there’s more things you need to know when you start taking more individual responsibility and yet there are more things you need to know, especially as you take on managerial responsibility and start supervising the works of others. And so what we ended up with, if you envision sort of a two by two framework, a set of job families where we have examples, we can help people visualize, oh yeah, I’ve got folks in that box. And then this continuum of experience where newer folks, there’s topics and we’re very, you the topics are quite specific and so they’re somewhat opinionated, but we wanted it to not be a hand wavy feel good.

We wanted people to be able to look into that framework, see things they violently agreed with, maybe see some things they violently disagree with because maybe it’s not relevant and that’s okay, right? It’s very much meant to be a alaqaat, Kanban style. I like this, I want to use it. I don’t like that, I want to take it out. I think this is missing because I’m in industry X and I want to add it in. But I think we’re hoping that the concept of it’s a simple framework. You can print it on one page. It’s a way to start and then make it your own. Make it relevant to your department. Make it relevant to your industry. Move stuff left, move stuff right, blend stuff between buckets, but use it as a accelerant, right? Instead of staring at the blank white board. This is the collective wisdom of hundreds of folks who spent decades in this space – stand on their shoulders, right? Use it as a jumping off point.

CRob (13:20)
I loved the kind of practitioner perspective that the framework brought. Could you maybe talk about, I know we’ve had some conversations with other folks within the ecosystem. How does this work alongside or complement other similar efforts?

Clyde Seepersad (13:37)
Yeah, I think our view is that this is meant to be a entry point for people to think about cybersecurity for their broad audiences and not to replace. There are some very good, more specialized frameworks that already exist out there, right? So you have things like SOFIA, you have things like the NICE framework. And our take was we look around and we listen.

And those are not being as used, used as much and implemented as much as you might have thought. I think part of the reason is they’re so sophisticated and there’s so much detail that they’re a little maybe intimidating if you’re starting kind of at the, at the, at the starters pistol. And so we’re envisioning this really as a gateway exercise to say, here’s a way that you could start. It’s not saying that it’s fully comprehensive of everything you’d ever think of, but it’s saying these are the lowest common denominator pieces, right?

And so it’s a discrete, easy to wrap your head around, printed on a page starting point. And hopefully what we see is that once people start their journey, they gravitate towards some of these bigger frameworks that already exist according to what makes sense for their organization, for their industry, for their geography. And so we’re very much seeing this as complimentary of frameworks that are more specialized that exist, really as a way to get more folks far enough down the path that they start using those frameworks with confidence.

CRob (15:14)
I love the effort. I’m really looking forward to kind of unleashing this and sharing it with the broader ecosystem and then starting to the devils in the details. I want to start building my own little Kanban board and kind of mapping out my journey and seeing what I and others might want to start exploring education wise next.

Clyde Seepersad (15:33)
Yeah, and that’s exactly what we’re hoping to happen, right? This is going to be a publicly available royalty free resource sponsored by OpenSSF and the LF. We want everybody to use it. We want companies, we want education providers to use it. And importantly, we want this to be an ongoing effort. So, you we’ve had a ton of people volunteer their time and expertise to get to V1. We’re very much intending to have this be an ongoing effort where we’re constantly reviewing this, you know.

At least twice a year stepping back and saying, is this still right? Because the one thing that we know is true is yesterday’s threats are not tomorrow’s threats, right? So we cannot have these be static. We have to constantly be asking ourselves, is this still relevant? Is there something else that we need to add? Because that’s the only way that you can really, if we’re trying to get people to think holistically about the security implications up and down the food chain, we have to help them keep track of stuff as it evolves. And so I think one of the beauties of doing this collaboratively is we do have the ability and the intention to continue revving, right? Just like any release schedule, right? That the 2026 version is gonna go look different and the second half of 2025 version might look different.

CRob (16:50)
Excellent. Well, let’s move on to the rapid fire part of the conversation. All right. I got a couple of wacky questions. I just want your first answer right out of the gate. What’s your favorite open source mascot?

Clyde Seepersad (17:06)
You know, it’s still Tux. It’s just, you know, I’ve got a dozen of them on my desk and it’s an oldie but a goodie.

CRob (17:19)
Excellent. Good, good, Spicier mild food.

Clyde Seepersad (17:23)
I grew up in the Caribbean, so definitely spicy.

CRob (17:30)
Ooh, that’s spicy. Excellent. What’s your favorite adult beverage?

Clyde Seepersad (17:34)
Rum and Coke.

CRob (17:35)
Classic. I love that as well. So as we wrap up here, what advice might you offer someone that’s just getting into, whether it’s open source development or cybersecurity, how can you help them start their journeys?

Clyde Seepersad (17:50)
You know, the key thing I say to folks anymore is that the world has really changed. Even when I started my career, you could pick a spot and say, I wanted to be an X. I wanted to be a database person. I wanted to be a Cisco switch person. I wanted to be an Oracle person. Because we used to have these long runways of technology staying pretty stable.

And that’s just not true anymore. I think everybody should be coming into tech and even those of us who’ve been in it should be thinking about it as an ongoing journey of lifelong learning. You’ve got to stay on your toes. The thing that made you successful three years ago probably is not going to be the thing that makes you successful this year. And so committing to this idea that it’s your responsibility to figure out the things you’re passionate about and learn them and implement them and stay on this sort of continuous journey.

That’s going to be what the foreseeable future looks like, is all of us just cross-skilling, up-skilling, feeling like we’re always slightly behind, but making that commitment to our own learning and development.

CRob (18:58)
I like to learn something new every day. And finally, what call to action do you want to give the community right now? What actions can people take to help make the world a little bit better place?

Clyde Seepersad (19:09)
Yeah, I would say for everybody who touches a tech stack, step back and start inventorying where do you think in your day-to-day job you could do one thing better that would narrow or close a security gap. We all have goals and the targets we’re trying to meet and we’re on the treadmill. Take a moment to step back.

Get off the goals treadmill. Try to find one thing, one thing that you can do better that helps narrow the surface, the attack surface, and find a way to make that happen.

CRob (19:52)
Excellent. Well, thank you. Sage advice learned over your journey. Thank you, Clyde, for coming today and sharing about the IT skills matrix and about LF education.

Clyde Seepersad (20:03)
Thanks so much for having me, CRob

CRob (20: 05)
Cheers

Outro Music (20:05)
Like what you’re hearing. Be sure to subscribe to What’s in the SOSS on Spotify, Apple Podcasts, antennapod, pocketcast or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it all. Check out the newsletter for open source news, upcoming events and other happenings. Go to openssf.org/newsletter to subscribe. Connect with us on LinkedIn for the most up-to-date OpenSSF news and insight and be a part of the OpenSSF community at openssf.org/getinvolved. Thanks for listening and we’ll talk to you next time on What’s in the SOSS.

Linux Foundation and OpenSSF Release Cybersecurity Skills Framework to Strengthen Enterprise Readiness

By Blog, Press Release

New Customizable Global Framework Aligns IT Job Roles with Practical Cybersecurity Skills

SAN FRANCISCO, CA – May 14, 2025 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced the launch of the Cybersecurity Skills Framework, a global reference guide that helps organizations identify and address critical cybersecurity competencies across a broad range of IT job families; extending beyond cybersecurity specialists. Produced in collaboration with the Open Source Security Foundation (OpenSSF) and Linux Foundation Education, the framework delivers actionable guidance to enterprise leaders looking to systematically reduce cyber risk.

As cybersecurity threats grow in both scale and complexity, enterprise leaders are struggling to align job roles with the practical skills needed to mount an effective defense. Despite cybersecurity being one of the top three most in-demand tech roles for enterprises, major talent readiness gaps remain. According to the Linux Foundation’s 2024 State of Tech Talent Report,  64 percent of organizations report candidates lack essential skills and it now takes an average of 10.2 months to hire and onboard new technical staff. Additional research from the Linux Foundation found that 62 percent of open source project stewards lacked dedicated personnel for security incident response, despite 74 percent maintaining formal cybersecurity reporting mechanisms.

These trends reflect a broader industry dilemma—growing awareness of cybersecurity needs without the personnel to tackle them—driven by unclear role expectations and fragmented training pathways. The Cybersecurity Skills Framework addresses these issues with a practical, globally relevant onramp that organizations can use to assess and build internal security capabilities. The framework provides leaders with an easy way to understand the cybersecurity skills needed, quickly identify knowledge gaps, and incorporate critical skills into all of their IT roles. By establishing a shared language for cybersecurity readiness, the framework prepares everyone who touches a system to take responsibility for security, not just the cybersecurity specialists: from app developers to web developers, network engineers to database engineers, solutions architects to enterprise architects.

The framework defines practical cybersecurity expectations across foundational, intermediate, and advanced proficiency levels, while mapping those skills to recognized standards such as the DoD 8140, CISA NICE Framework, and the ICT e-CF. By aligning with widely adopted standards and allowing for customization, the framework can be easily adopted across industries, regions, and organizational sizes. The framework is available in a free, easy to use web interface which allows users to select relevant job families, move skills between categories, delete any that don’t apply and add custom items they require. 

The framework was produced as a result of a global research effort, with contributions and feedback from cybersecurity educators, government advisors, framework stewards, and technical training experts, who together brought comprehensive expertise in workforce development, national defense, professional certification, and open source security.

“Cybersecurity is now a leadership issue, not just a technical one,” said Steve Fernandez, General Manager at OpenSSF. “Our framework gives organizations a straightforward way to identify gaps and prioritize the security skills that matter most, based on role and responsibility—not just checklists. It’s about building real-world resilience.”

The Cybersecurity Skills Framework provides guidance for key roles, including web and software developers, DevOps engineers, IT project managers, platform architects, GRC managers and more. Each job role is defined by its primary cybersecurity responsibilities and aligned with practical skills in areas like secure design, compliance, vulnerability management, and incident response. 

“This framework is a valuable tool for CIOs, CISOs, and enterprise learning teams,” said Clyde Seepersad, SVP and General Manager of Linux Foundation Education. “In an era of accelerating threats, leaders need clear pathways for strengthening security culture across technical teams. This resource helps organizations take a proactive approach to employee development and risk reduction.”

The Linux Foundation and OpenSSF will update the framework annually and welcome community feedback from adopters. Organizations are encouraged to adapt and extend the model to align with their specific needs, security posture, and product portfolios.

To access the full Cybersecurity Skills Framework and explore how your organization can adopt it, visit: http://cybersecurityframework.io

Join us on Wednesday, June 11 at 11:00 am EDT for a webinar discussing the Cybersecurity Skills Framework. Visit here to register.

Supporting Quotes

“As cloud native adoption grows, so does the complexity of managing security across distributed systems. The Cybersecurity Skills Framework offers a clear, actionable resource for teams working in modern environments to assess skills, reduce risk, and embed security into every stage of the software lifecycle.”

– Chris Aniszczyk, CTO, CNCF

“As the cybersecurity landscape grows more complex, particularly with the rapid rise in AI technologies, security can no longer be siloed. Businesses must champion a culture of security awareness, education, and preparedness across functions. The new framework contributes to a stronger security posture by ensuring every teamfrom developers to IT leadersunderstands the specific security skills they need.”

Jamie Thomas, IBM Enterprise Security Executive

“Cybersecurity is a shared responsibility, and closing the skills gap is essential to building secure systems at scale. The OpenSSF Cybersecurity Skills Framework provides a clear, actionable roadmap for equipping technical teams with the right knowledge to protect our digital infrastructure, thus raising the bar for security readiness across the industry.”

– Arun Gupta, VP of Developer Programs, Intel / Governing Board Chair for CNCF & OpenSSF

“Cybersecurity today seems more complicated than ever. It can be difficult to keep up with the evolving cyber risk landscape and what skills internal teams need to approach and mitigate those risks. The Cybersecurity Skills Framework is a much needed blueprint for how developers should approach career development, teams plan for adapting to new risks, and organizations build training governance for the continuous evolution of their cybersecurity programs.”

–  Michael Lieberman, CTO and Co-Founder, Kusari

“The Cybersecurity Skills Framework is grounded in extensive global research and community collaboration. By surfacing practical, role-specific insights, the framework helps enterprise leaders understand where their cybersecurity capabilities stand—and where they need to grow. It’s a meaningful step toward bridging the persistent skills gap we’ve seen across sectors.”

– Hilary Carter, SVP Research at the Linux Foundation

“Security is a shared responsibility across the open source ecosystem. This framework is a powerful tool to help developers, project leaders, and enterprise teams better understand how their roles contribute to a secure software supply chain. It supports the kind of continuous learning culture that is essential to sustainable open source development.”

– Robin Bender Ginn, Executive Director, OpenJS Foundation

“The need for experienced cybersecurity practitioners continues to increase, and a clear understanding of cybersecurity roles, responsibilities, and required skills is not just beneficial – it is the foundation for a resilient and secure organization. The Linux Foundation’s Cybersecurity Skills Framework provides guidance to help leaders and practitioners understand the baseline skills needed for various roles. It serves as an excellent starting point for cybersecurity practitioners looking to enter the field or plan their career progression. Additionally, it helps leaders identify the necessary roles and skills to meet their cybersecurity demands.”

 Dave Russo, Senior Principal Program Manager, Secure Development, Red Hat

###

About the Linux Foundation 

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, LF Decentralized Trust, Node.js, ONAP, OpenChain, OpenSSF, PyTorch, RISC-V, SPDX, Zephyr, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

Media Contact
Noah Lehman
The Linux Foundation
nlehman@linuxfoundation.org

What’s in the SOSS? Podcast #29 – S2E06 Showing Up Fully: Meet OpenSSF’s new Community Manager, Stacey Potter

By Podcast

Summary

In this special episode of What’s in the SOSS?, we welcome Stacey Potter, the new Community Manager at the Open Source Security Foundation (OpenSSF). Stacey shares her winding journey from managing operations at a vitamin company to becoming a powerful advocate and connector in the open source world. We explore her community-first mindset, her work with CNCF and Platform Engineering Day, and her passion for inclusion and authenticity. Whether you’re curious about how to get started in open source or want insight into how community shapes security, this episode is for you.

Conversation Highlights

00:00 – Welcome + Introduction
01:34 – Stacey’s Origin Story in Open Source
03:18 – Discovering Community Management at Weaveworks
04:19 – Projects and Evolution Across CNCF and Beyond
06:13 – Co-Chairing Platform Engineering Day
10:15 – Being Openly Queer in Open Source
13:38 – What Stacey Hopes to Bring to OpenSSF
16:23 – Rapid Fire Round
17:53 – Final Thoughts

Transcript

Intro music (00:00)

Stacey (00:02): “It’s given me a deep understanding and appreciation for inclusiveness and being a welcoming community – I have always felt embraced here, these spaces have empowered me to show up fully as myself”

Yesenia (00:021)
Hello and welcome to What’s in the SoSS? Open SSF’s podcast where we talk to interesting people throughout the open source ecosystem, sharing their journey, experiences and wisdom. So Yessenia, I’m one of our hosts and today we have a special announcement and introduction. I am talking to OpenSSF’s Community Manager, Stacey Potter. Welcome to the open source community. Stacey, please introduce yourself to the audience.

Stacey Potter (00:48)
Hey, everyone. Thanks, Yesenia. So I’m super happy to be here. I just joined and think this is week four that we’re recording this right now. So by the time this gets posted, I might have been here for a little bit longer. But I am the new community manager here at OpenSSF. So I am here to facilitate events. I’ll be managing budgets in the background. And in general, just promoting the foundation and all of our technical initiatives. So super stoked to be here. Can’t wait to meet everybody either in person, online, in Slack, et cetera. So super happy.

Yesenia (01:25)
Super, super happy to have you and we’ll kick it off with our first question. Tell us about your journey in the open source world and just what sparked your curiosity.

Stacey Potter (01:34)
Yeah, so honestly, my path into software was more a result of circumstance than intention. I transitioned into the industry a little bit later in my career. Before that, I was working as an operations manager at a small family-run vitamin company based out of Oakland, California. And after I left that role, I applied for an office manager position at a San Francisco startup focused on what we now call Software Composition Analysis or SCA. Though I don’t even know if it was called that back then in 2009. And at the time, our tagline was something like open source software security for enterprises or something like that. I think a lot of people will know our main competitor, which was Black Duck Software. But we were just a tiny little startup having fun in San Francisco.

And that role was really like my first exposure to the world of open source, but not in a really direct way because I wasn’t working with it. And I almost felt like we were kind of pulling open source out of enterprises or making it more restrictive in certain ways. Cause it was like we were bringing to light all the open source licenses and if you should or shouldn’t use them in an enterprise, right? So it felt a little ambiguous, right?

But I spent seven years there working with the CEO and gradually kind of moved through different roles at that company. I was great about working at a startup. I was the sales operations manager. And then later I transitioned into marketing. And then that company got acquired and I stayed on for a couple more years doing marketing things. And then I transitioned out of there in 2019 and went to Weaveworks where I feel like my true journey with open source really began. I started working at Weaveworks and as a community manager at that point, transition from marketing went into community management. Thanks to general good faith in my boss at the time, which was Tama Nakahara. She’s amazing and an amazing mentor. And she was like, I have marketing, you’re fine. You’re personable. You’ll be great as a community manager and really took me under her wing and taught me everything I needed to know. And learning all about Flux and Flagger in that CNCF ecosystem and really being embraced within those communities was where I feel like it really truly began.

Yesenia (04:09)
Nice. It’s nice little journey to start and then just what brought you here now to OpenSSF? Did you come from there or have you explored other open source projects that you would like to mention?

Stacey Potter (04:19)
Yeah. So Flux and Flyer were my true introduction. Been in and around the CNCF for a while. After Weaveworks, I went to Dynatrace and worked on the Open Feature project and the Kept project, which are both CNCF projects as well. Super great communities there as well. And then after Dynatrace, I went to Stacklok, which is another startup. And they had a project called Minder, which we donated to the OpenSSF. And I had kind of heard musings of the OpenSSF when I was kind of in that CNCF ecosystem before, but didn’t really know a whole lot about it. And when I worked at StackLock, kind of became more familiar with the community. We donated that project. I went through the entire process of like what donating a project looks like within the OpenSSF ecosystem. So that was fun and interesting.

Yesenia (05:11)
Interesting.

Stacey Potter (05:18)
And yeah, that’s StackLock like switched positions. It kind of is going a different route now. And so I came to OpenSSF just almost a month ago, not quite a month ago, so three weeks ago now. And yeah, that’s how I got here.

Yesenia (05:31)
That’s amazing. Here you are. Perfect. Yeah, it sounds like a good experience exposure with community building and open source projects for CNCF and OpenSSF, which are big, big organizations when it comes to open source. So very interesting, very interesting indeed. So we’ll move on to the next question. This is during my online recon, we’ll say, consented recon. I discovered you are the co-chair of Platform Engineering Day. Can you share with the audience what this is, what the event is, and what excites you the most about working with this community?

Stacey Potter (06:13)
Yeah, absolutely. So Platform Engineering Day, mean, well, as internal developer platforms, IDPs, really help dev teams move faster by giving them tools and frameworks that they need, right? So Platform Engineering Day is all about sharing real world tips on building great internal platforms, not just the tech, but the people and the processes as well, right? So it’s a chance for platform folks from all different job titles and job roles to trade stories, lessons, and ideas on making the dev experience awesome. So what excites me about working in this community? I think there’s just so many passionate people involved in this space. I know Platform Engineering Day has become kind of this buzzy word of late, right?

Yesenia (07:11)
Marketing.

Stacey (07:13)
Exactly. But I mean, to the people who are in it, they, from my perspective, as I’ve gotten involved in it, they’re super passionate folks, right? And they really want to make this experience, you know, as good as they can. But after chatting with Paula Kennedy, who is my co chair, and Abby Bangser, whom I got to know through an old Weavework’s colleague, we felt the need for not just a bunch of tech talks on the topic. But really, we wanted to provide, as I said before, a place where platform engineers, product managers, solutions architects, and other folks could come together and share lessons learned in building and managing internal platforms, measuring platform maturity and improving these golden paths and the developer experience as a whole.

Yesenia (08:04)
Nice, do you want to do a quick plug on when the next platform engineering day is?

Stacey Potter (08:08)
Well, it’s a colo with KubeCons. So if you’re going to the next KubeCon, which I believe is North America in Atlanta, Georgia, for all those folks who are outside of the States, I’m sorry, that you may or may not be able to come here based on a number of different things. But we’re trying to do it co-located in general with KubeCons, because it kind of fits there and makes sense. And we’ve had a great response so far, right? The first one, we got more CFPs than any other co-located event had ever gotten at any KubeCon, colo event before. And I think we had hundreds and hundreds of folks in the seats listening to all these great talks. And I’ll also just highlight the platform’s working group within the CNCF too. This is a great team of people working on all things platform related. And if you’re interested in learning more about platform engineering in general, the platforms working group within the CNC app is really a great place to go.

Yesenia (09:15)
Yeah, I didn’t know that it was in KubeCon. I’m hoping to go my first year this year in Atlanta.

Stacey Potter (09:21)
Yeah. Yeah. I think Paris was our debut. Yeah. Yeah. Right. Not bad. And we just had our last one in London. Yeah.

Yesenia (09:24)
Hmm, that’s a good debut. Fashion debuted there. there you go.

Stacey Potter (9:31)
We’re so fashionable. Who knew?

Yesenia (09:36)
Talking about fashionable. During my cyber roots, I found your GitHub profile, which I loved and made me giggle and smile in several locations. But you noted you’re queer and for recording purposes, AF. I’d love to hear your perspective on how this has transformed your journey and influenced you being involved in these open source communities and anything you want to share with the audience.

Stacey Potter (10:15)
Sure. So being openly queer in tech and the open source space has been a pretty powerful part of my journey, I guess, in retrospect. It’s given me a deep understanding and appreciation for inclusiveness and being a welcoming community, regardless of what the, I guess, we’re going to call it difference is for whomever is coming into your community.

I think something I’ve been lucky to experience in the Kubernetes and cloud native and broader open source ecosystems is that welcomeness, that feeling of belonging. I’ve never felt like I didn’t belong here, right?

Yesenia (10:45)
Yeah.

Stacey Potter (10:48)
Which I think is pretty special. I mean, it’s a privileged place to be, I think in certain ways too, right? Like I am a cis white woman, right? But I present as butch and I’m you know, that’s my that’s what I call myself, right? That’s how I identify. And some people could be put off by that. But I have always felt embraced here. And, you know, like these spaces have empowered me to show up fully as myself, which has not only boosted my confidence, but also allowed me to connect with and, you know, mentor, I guess, others navigating similar paths, whether that’s being queer or being a woman or whatever.

I think visibility matters and I found that authenticity can be a bridge, right? Whether it’s in a code review, which I don’t do by the way, community calls or just, you know, contributing to projects that reflect shared values that you have, right?

Yesenia (11:48)
Yeah, it’s great because that’s the underlying foundation of open source. It’s just a community of anyone that can come in and contribute and make a project, move a project and make it successful and gave me a little bit of goosebumps there as you were speaking on that one. But because I feel the same when it comes to like the open source space is just they’re very welcoming. Every time folks are like, I’m just so scared. I’m like, trust me, don’t just go ask the questions. Like this is the place to ask the technical quote unquote “this is a dumb question…”

Stacey Potter (12:15)
Yeah, and I mean, they’re just so happy. What I have found is everyone in these communities is just so happy for people to notice them to want to get involved in the first place, right? Like they’re so stoked that you’re there. Like whatever your skill set is, they’re willing to bring you into the fold, right? They’ll make it work.

Yesenia (12:22)
Yeah.

Yesenia (12:41)
We’ll figure it out.

Stacey Potter (12:41)
You don’t need to know how to code, right? Work on docs, work on…community management, promote our events, like make us a poster or a cool logo or I mean, there’s so many different ways you can contribute if you don’t write code. I don’t write code and this is my job now. I would have never thought, right? Yeah.

Yesenia (13:00)
Yeah. Who would have thunk it? Yeah, I haven’t written code in such a long time. I write for my own like fun, so I don’t lose the skill. You know, it’s like riding a bike. I’m hoping it’s like riding a bike that you never forget, but I forgot because once again, short term memory issues.

Stacey Potter (13:12)
Yeah, right, right.

Yesenia (13:17)
Ah, this is great. Moving on to the next. You are the newest member of OpenSSF. I’m sure other folks have been hired, so I’m sorry if there’s anybody that’s newer, but as far as his recording, this is what I know. And now the Community Manager, what would you like to see in the upcoming months with the impact you plan to ripple through this ecosystem?

Stacey Potter (13:38)
Wow, that’s a big question. So as the newest member of the OpenSSF team and like you said, the community manager here, I’m really excited to help grow and connect this vibrant ecosystem. In the coming months, I think I want to focus on making it easier and more inviting for people to get involved. Whether you’re seasoned security pro or just a curious first timer, I think a lot of people don’t even know that we exist maybe – the OpenSSF. So I think just awareness in general is also something that I’d like to help promote. But know, like smoothing out the onboarding journey, launching programs like the Ambassador Initiative. I think there’s been a lot of talk internally about trying to ramp that up and get that going and supporting mentorships that help contributors thrive. I’d love to see more stories, more collaboration across projects within the OpenSSF and externally within other communities like maybe CNCF, since that’s where my prior history is, right? And more representation from folks who may not traditionally see themselves in the security space. OpenSSF already has amazing technical initiatives. My goal is to amplify the voices behind them, create inclusive pathways into our work and build bridges to other communities who share our mission. So whether it’s through meetups, events, or even just a warm welcome in Slack, I want everyone to feel like there’s a place for them here.

Yesenia (15:15)
I love it. You’re full of the goose bumps today. I love that warm welcome on Slack. You had mentioned the ambassador program. I personally haven’t heard of it. Is there any, I know you guys are just, it’s in the works. Anything you want to share about it.

Stacey Potter (15:29)
Well, it’s gonna be a top priority for me as soon as I sort of get my feet, find my feet here, right? It’s only week four. But it’s definitely a priority that we want to get this out as soon as possible. And there’s already been so much work done before I came. So it’s getting me up to speed and then, yeah, I’m just super excited. think it encourages more people to join sort of.

Yesenia (15:37)
Yeah

Stacey Potter (15:56)
Also celebrating those who have made us who we are so far as well. But then, you know, lots of people would love to become an ambassador that don’t know how to get started or things like that, right? And bringing more people into the fold.

Yesenia (16:09)
Love it, love it. Well, I look forward to seeing the announcement news and learning more about that. So for those folks listening, hopefully it’s released. Hopefully it’s in the works by the time you listen to this. All right, cool. We’re going to move over to the rapid fire. I just make noises because I don’t get, Krobe’s a fancy noise maker. So we’ll go with the flow with whatever my ADHD brain decides to do. And our first question, Disney or Pixar?

Stacey Potter (16:40)
Pixar for sure. I used to live like around the corner from Pixar, so, and I’ve always been a huge Pixar fan, but this is an acquired Pixar, so they’re one and the same now,

Yesenia (16:52)
In my heart, are they really?

Stacey Potter (16:55)
Yeah, no, in our hearts we know the truth, but Pixar, yeah.

Yesenia (17:02)
Dark or light mode?

Stacey Potter (17:05)
Dark.

Yesenia (17:06)
Dark as my soul.

Stacey Potter (17:09)
Black is the night.

Yesenia (17:11)
Cats or dogs? as she takes a sip of coffee.

Stacey Potter (17:15)
Both. I have two cats and a dog, and they’re all amazing. I love them both for very different reasons.

Yesenia (17:22)
Yeah, I can’t choose between my five, so.

Stacey Potter (17:26)
Oh wow. That’s a lot.

Yesenia (17:29)
Alright, this next question and it may cause chaos to our listeners, alright? Linux Mac or Windows?

Stacey Potter (17:38)
Well, I’m a non-coder, so, and I’m a Mac gal.

Yesenia (17:44)
Mac, there it is. Well, there you have it folks. It’s another rapid fire. Any last minute advice or thoughts for the audience you’d like to share?

Stacey Potter (17:53)
Well, I’ll do some shameless plugging of our upcoming events because I’d love to connect with you all in real life and these events are great places for our community to get together and share ideas and progress on the capabilities that make it easier to sustainably secure the open source software on which we all depend. You can find all of these listed on our website at openssf.org/events

So, we’re going to be hosting some upcoming events:

  • We’ve got Community Day Japan (in Tokyo) on June 18 – which is a colo event after KubeCon’s main event
  • CD North America will be in Denver on June 26 (as a colo event after Open Source Summit, which we are sponsoring so we’ll also have a booth at Open Source Summit)
  • CD India is August 4 in Hyderabad Co-located with KubeCon + CloudNativeCon India
  • CD Europe will be in Amsterdam on August 28 (Open Source Summit, which we are sponsoring so we’ll also have a booth at Open Source Summit)
  • And Open Source SecurityCon is November 10 (colo event pre-KubeCon NA) which is a new event that fosters collaboration and shares innovation in cloud native security and open source software security. The Call for Proposals for this one opens mid May – so be on the lookout for that.

We’ll also be attending & sponsoring events for the remainder of the year as well:

  • We’re sponsoring, and thus have a booth at Open Source Summit North America in June (Colorado) Europe August 25-27
  • Blackhat & DefCon in Vegas in early August
  • We’re sponsoring, and thus have a booth at Open Source Summit Europe August 25-27
  • Sponsoring Open Source in Finance Forum in NYC October 21-22

I can’t wait to meet you all. I’m super excited to be here. And if you join us in Slack, please say hi. If you have any interest in any of our projects, I just encourage you to just jump in, right? Say hello. And usually that’s all it takes to get a really warm welcome from anyone in this community. And I look forward to working with all of you.

Yesenia (20:16)
There you have it from Stacey Potter. Thank you for your impact and contributions to our open source communities. I’m looking forward to the impact that you’ll have and how your ripple effects the open SSF being a part of it. Stacey, I appreciate your time and thank you.

Securing Public Sector Supply Chains is a Team Sport

By Blog, Global Cyber Policy, Guest Blog

By Daniel Moch, Lockheed Martin

Everyone—from private companies to governments—is aware (or is quickly becoming aware) that the security of their software supply chain is critical to their broader security and continued success. The OpenSSF exists in part to help organizations grapple with the complexity of their supply chains, promoting standards and technologies that help organizations faced with a newly disclosed security vulnerability in a popular open source library answer the question, “Where do we use this library so we can go update it?”

In my work in the public sector, I have an additional layer of complexity: the labyrinth of policies and procedures that I am required to follow to comply with security requirements imposed by my government customers. Don’t get me wrong, this is good complexity, put in place to protect critical infrastructure from advanced and evolving adversaries.

In this post I will describe some of the challenges public sector organizations face as they try to manage their supply chain and how the OpenSSF, with the broader open source community, can help address them. My hope is that meeting these challenges together, head-on will make us all more secure.

Public Sector Challenges

Exposure

Even in the public sector, open source software is being used everywhere. According to Black Duck Auditing Services’ Open Source Security and Risk Analysis (OSSRA) report, as of 2024 open source software comprises at least part of 96% of commercial code bases, with the average code base containing more than 500 open source components. A vulnerability in any one of those components might present significant risk if left unpatched and unmitigated.

Assuming the figures in the public sector are in-line with this report this represents a significant amount of exposure. Unique to the public sector are the risks that come along with this exposure, which don’t just include lost opportunities or productivity, but may put lives in jeopardy. For example, if part of a nation’s power grid is brought down by a cyberattack in mid-winter, people might freeze to death. The added risks, particularly where critical infrastructure is concerned, heighten the need for effective supply chain security.

Identification

Another area where public sector organizations face increased scrutiny is around identification, or what NIST SP 800-63A calls identity proofing. That document describes the requirements the US government imposes on itself when answering the question, “How do we know a person is who they claim to be?”

To provide a satisfactory answer to that question, a person needs to do a lot more than demonstrate ownership of an email address. It is a safe bet that organizations working in the public sector are going to follow a more rigorous identification standard for employees operating on their behalf, even if they do not follow NIST’s guidance to the letter.

It should be obvious that systems supporting the development of open source software do not adhere to this kind of a standard. GitHub, for example, does not ask to see your government-issued ID before allowing you to open an account. As a result, public sector actors must live with a double standard—proving to the government they are who they claim to be on the government’s terms but judging the identities of open source contributors by a different standard.

All that may not be a problem outright. Indeed, there are good reasons to allow open source development to happen without rigorous identification standards. It does, however, introduce some tensions that public sector organizations will need to deal with. For example, if a contractor is required to ensure none of the code in her product originated in a foreign country, how does she ensure that is true for any open source component she is using?

Approval Timelines

When I speak to others in aerospace and defense (part of the public sector, since our customers are governments), the conversation often turns to approval timelines to get software packages onto various, closed networks. The security teams responsible for these approvals have an important job, protecting the critical information on these networks from malicious software. How do they go about this work? Beats me. And even if I could tell you how it worked for one classified network, it would likely be quite different for another. What we have today is a patchwork system, an archipelago of isolated networks protected by security teams doing the best they can with the tools available to them. Historically this has meant manually curated spreadsheets, and lots of them.

This problem is not limited to networks used within aerospace and defense, but keeping the plight of these security groups in mind puts into sharp relief the basic problem faced by every group charged with protecting a network. There might be sufficient information available to make an informed decision, but there has historically been little available in the way of tooling to help bring greater confidence, ease and speed to the decision-making process.

How The Open Source Community Can Help

I have outlined three basic problems that the public sector faces: the risks associated with security vulnerabilities, the limits of identifying where open source software originates, and the timelines associated with getting software approved for use on isolated networks. Now let’s consider some of the ways in which the open source community can help alleviate these problems.

While there’s clearly nothing the open source community can do to directly reduce the risk posed to public infrastructure by vulnerabilities, there are ways maintainers can help the public sector make more informed decisions. Providing a SLSA Provenance alongside build artifacts is a great way to give public sector organizations confidence that what they’re using is what maintainers actually released. What’s more, a Level 3 Provenance gives a high level of assurance that the build process wasn’t interfered with at all. It is possible to achieve SLSA Level 3 by using GitHub Actions.

SLSA Provenance also provides useful information to the groups charged with securing networks (our third problem above). Going further, maintainers can also provide VEX documents with their releases to describe the known vulnerabilities and their status. One interesting use case that VEX supports is the ability to declare a vulnerability in an upstream dependency and assert that the vulnerability does not affect your project. That is useful information for a security group to have, even if they take it with a grain of salt.

That second problem—the impossibility of confidently identifying origin—is one that public sector groups will need to learn to live with. We cannot expect every open source contributor to identify themselves and the country where they reside. In light of this, perhaps the best path forward is for the open source community to develop reputation-based ways to score individual contributors. One could imagine ways of doing this that would both respect individual privacy and provide on-ramps for new contributors to begin building trust. This is almost certainly being done informally and piecemeal already. Systematizing it would only bring more transparency to the process, something that everyone would benefit from.

These kinds of third-party systems would be beneficial beyond contributor reputation as well. There are a variety of data sets useful to supply chain security that are likely being collected by organizations already. When possible, these should be made publicly available so the entire ecosystem can contribute to, help curate and benefit from them. But we cannot stop there. These data sets should be supported by easy-to-use interfaces that help security teams build confidence in the software they are being asked to allow on privileged networks. In short, we should welcome ways to make supply chain security and transparency a team sport.

Conclusion

To sum up, we have considered three challenges that public sector organizations face when securing their supply chains: The high potential impact of supply chain risks, the lack of ability to identify country of origin for open source software, and the long approval times to get new software onto closed networks. We also discussed how the open source community can work to close these gaps. It is worth repeating that doing so would make all of us—not just the public sector—more secure.

It is also gratifying to see the ways the OpenSSF is already contributing to this work, primarily by laying the foundation upon which this work can proceed. SLSA and VEX (in the form of OpenVEX) are both OpenSSF projects. Getting projects to adopt these technologies will take time and should be a priority.

About the Author

For nearly 20 years, Daniel has worked as a software engineer in the Defense and Aerospace industry. His experience ranges from embedded device drivers to large logistics and information systems. In recent years, he has focused on helping legacy programs adopt modern DevOps practices. Daniel works with the open source community as part of Lockheed Martin’s Open Source Program Office.

OpenSSF Community Day NA 2025: Call for Proposals Now Open!

By Blog

The Call for Proposals (CFP) for OpenSSF Community Day North America is officially open through March 23, 2025! Co-located with Open Source Summit North America, this event will bring the open source community together in Denver, Colorado, on June 26, 2025, for a full day of engaging discussions and presentations focused on securing the open source software (OSS) supply chain.

Submit your proposal now!

Event Details:

  • When: June 26, 2025
  • Where: Denver, Colorado
  • CFP Deadline: Sunday, March 23, 2025 at 11:59 PM MDT/10:59 PM PDT
  • CFP Notifications: Tuesday, April 1, 2025
  • Types of Presentations: 5, 10, 15, or 20-minute presentations

This is your opportunity to share your expertise and innovative ideas with the community! We’re looking for sessions on topics like:

  • AI & ML in Security
  • Regulatory Compliance
  • Enhancing Security Tools
  • Cyber Resilience
  • Securing the Software Supply Chain
  • Case Studies & Real-World Experiences

*No product/vendor sales pitches — it’s a community-focused event!

For more information on the CFP, visit here. Submit your proposal today!

Interested in Sponsorship? 

We have exciting opportunities available to showcase your support for securing the open source ecosystem. By sponsoring OpenSSF Community Day NA, you’ll gain visibility among key industry leaders, security experts, and the open source community. Join us in driving forward the mission to strengthen the OSS supply chain. Email us at openssfevents@linuxfoundation.org to reserve your sponsorship.

Join Us in Denver! 

Don’t miss out on the opportunity to be part of this vital conversation. Whether you’re submitting a proposal, attending as a participant, or showcasing your support through sponsorship, OpenSSF Community Day NA is the place to connect, collaborate, and contribute to securing the open source software supply chain. We can’t wait to see you in Denver and work together to advance the future of OSS security!