Skip to main content

📣 Submit your proposal: OpenSSF Community Day Korea

Tag

Open Source Security

OpenSSF at UN Open Source Week 2025: Securing the Supply Chain Through Global Collaboration

By Blog

OpenSSF participated in the 2025 UN Open Source Week, a global gathering of participants hosted by the United Nations Office for Digital and Emerging Technologies, focused on harnessing open source innovation to achieve the Sustainable Development Goals (SDGs). Held in New York City, the event gathered technology leaders, policymakers, and open source advocates to address critical global challenges.

On June 20, OpenSSF joined a featured panel discussion during a community-led side event curated by RISE Research Institutes of Sweden, OpenForum Europe, and CURIOSS. The panel, titled “Securing the Supply Chain Through Global Collaboration,” explored how standardized practices and international cooperation enhance open source software security and align with emerging regulatory frameworks such as the EU Cyber Resilience Act (CRA).

Panelists included:

  • Adrianne Marcum, Chief of Staff, OpenSSF
  • Arun Gupta, Vice President Developer Programs, Intel and Organizer, UN Tech Over Hackathon
  • David A. Wheeler, Adjunct Professor, George Mason University, and Director of Open Source Supply Chain Security, The Linux Foundation
  • Scott Clinton, Co-chair, Board of Directors, OWASP Gen AI Security Project

The session highlighted the critical need for international cooperation to secure global software systems effectively. Panelists discussed the emerging role of generative AI (GenAI) and its implications for open source security. The importance of developer education in how to develop secure software was also noted; as developers must increasingly review GenAI results, they will need more, not less, education.

“It was both a great opportunity to share the work of the Gen AI Security Project and insights on the challenges and benefits generative AI brings to our discussion on securing open source and the software supply chain,” said Scott Clinton.

“The United Nations brought together a global community where nations become collaborators rather than competitors,” added Arun Gupta. “It’s thrilling to see the open source community advancing solutions for global problems.”

UN Tech Over Hackathon: Innovation and Stewardship

Earlier that week (June 16–17), the UN Tech Over Hackathon drew over 200 global innovators to address SDG-aligned challenges through open source technology. The hackathon featured three distinct tracks:

  • Ahead of the Storm: A child-focused climate emergency analytics initiative in partnership with UNICEF.
  • Wikipedia Edit-a-Thon: Collaborative enhancement of UN-related historical content.
  • Maintain-a-Thon: Emphasized sustainability and ongoing stewardship of open source infrastructure.

The Maintain-a-Thon, organized in partnership with Alpha-Omega and the Sovereign Tech Agency, engaged over 40 participants across 15 breakout sessions. Senior maintainers offered guidance on issue triage, documentation improvements, and best practices for long-term project maintenance, reinforcing open source software’s foundational role in global digital infrastructure.

🔗 Read the official UN Tech Over press release
🔗 Read Arun Gupta’s blog post on “Ahead of the Storm”

The Road Ahead

UN Open Source Week 2025 underscored the importance of collaborative innovation in securing and sustaining digital public infrastructure. Aligned with its mission, OpenSSF remains dedicated to facilitating global cooperation, promoting secure-by-design best practices, providing educational resources, and supporting innovative technical initiatives. By empowering maintainers and contributors of all skill levels, OpenSSF aims to ensure open source software remains trusted, secure, and reliable for everyone.

OpenSSF Welcomes New Members and Presents Golden Egg Award

By Blog, Press Release

Foundation furthers mission to enhance the security of open source software 

DENVER – OpenSSF Community Day North America – June 26, 2025 – The Open Source Security Foundation (OpenSSF), a cross-industry initiative of the Linux Foundation that focuses on sustainably securing open source software (OSS), welcomes six new members from leading technology and security companies. New general members include balena, Buildkite, Canonical, Trace Machina, and Triam Security and associate members include Erlang Ecosystem Foundation (EEF). The Foundation also presents the Golden Egg Award during OpenSSF Community Day NA 2025.

“We are thrilled to welcome six new member companies and honor existing contributors during our annual North America Community Day event this week,” said Steve Fernandez, General Manager at OpenSSF. “As companies expand their global footprint and depend more and more on interconnected technologies, it is vital we work together to advance open source security at every layer – from code to systems to people. With the support of our new members, we can share best practices, push for standards and ensure security is front and center in all development.”

Golden Egg Award Recipients

The OpenSSF continues to shine a light on those who go above and beyond in our community with the Golden Egg Awards. The Golden Egg symbolizes gratitude for awardees’ selfless dedication to securing open source projects through community engagement, engineering, innovation, and thoughtful leadership. This year, we celebrate:

  • Ian Dunbar-Hall (Lockheed Martin) – for contributions to the bomctl and SBOMit projects
  • Hayden Blauzvern (Google) – for leadership in the Sigstore project
  • Marcela Melara (Intel) – for contributions to SLSA and leadership in the BEAR Working Group 
  • Yesenia Yser (Microsoft) – for work as a podcast co-host and leadership in the BEAR Working Group 
  • Zach Steindler (GitHub) – for leadership on the Technical Advisory Committee (TAC) and in the Securing Software Repositories Working Group
  • Munehiro “Muuhh” Ikeda – for work as an LF Japan Evangelist and helping to put together OpenSSF Community Day Japan
  • Adolfo “Puerco” Garcia Veytia – for support on Protobom, OpenVEX and Baseline projects

Their efforts have made a lasting impact on the open source security ecosystem, and we are deeply grateful for their continued contributions.

Project Updates

OpenSSF is supported by more than 3,156 technical contributors across OpenSSF projects – providing a vendor-neutral partner to affiliated open source foundations and projects. Recent project updates include:

  • Gittuf, a platform-agnostic Git security system, has advanced to an incubating project under OpenSSF. This milestone marks the maturity and adoption of the project.
  • OpenBao, a software solution to manage, store, and distribute sensitive data including secrets, certificates, and key, joined OpenSSF as a sandbox project
  • Open Source Project Security Baseline (OSPS Baseline), which provides a structured set of security requirements aligned with international cybersecurity frameworks, standards, and regulations, aiming to bolster the security posture of open source software projects, was released.
  • Model Signing released version 1.0 to secure the machine learning supply chain.
  • GUAC released version 1.0 to bring stability to the core functionality.
  • SLSA released version 1.1 RC2 to enhance the clarity and usability of the original specification.

Events and Gatherings

New and existing OpenSSF members are gathering this week in Denver at the annual OpenSSF Community Day NA 2025. Join the community at upcoming 2025 OpenSSF-hosted events, including OpenSSF Community Day India, OpenSSF Community Day Europe, OpenSSF Community Day Korea, and Open Source SecurityCon 2025.

Additional Resources

Supporting Quotes

“At balena, we understand that securing edge computing and IoT solutions is critical for all companies deploying connected devices. As developers focused on enabling reliable and secure operations with balenaCloud, we’re deeply committed to sharing our knowledge and expertise. We’re proud to join OpenSSF to contribute to open collaboration, believing that together we can build more mature security solutions that truly help companies protect their edge fleets and raise collective awareness across the open-source ecosystem.”

– Harald Fischer, Security Aspect Lead, balena

“Joining OpenSSF is a natural extension of Buildkite’s mission to empower teams with secure, scalable, and resilient software delivery. With Buildkite Package Registries, our customers get SLSA-compliant software provenance built in. There’s no complex setup or extra tooling required. We’ve done the heavy lifting so teams can securely publish trusted artifacts from Buildkite Pipelines with minimal effort. We’re excited to collaborate with the OpenSSF community to raise the bar for open source software supply chain security.”

– Ken Thompson, Vice President of Product Management, Buildkite

“Protecting the security of the open source ecosystem is not an easy feat, nor one that can be tackled by any single industry player. OpenSSF leads projects that are shaping this vast landscape. Canonical is proud to join OpenSSF on its mission to spearhead open source security across the entire market. For over 20 years we have delivered security-focused products and services across a broad spectrum of open source technologies. In today’s world, software security, reliability, and provenance is more important than ever. Together we will write the next chapter for open source security frameworks, processes and tools for the benefit of all users.”

– Luci Stanescu, Security Engineering Manager, Canonical

“Starting in 2024, the EEF’s Security WG focused community resources on improving our supply chain infrastructure and tooling to enable us to comply with present and upcoming cybersecurity laws and directives. This year we achieved OpenChain Certification (ISO/IEC 5230) for the core Erlang and Elixir libraries and tooling, and also became the default CVE Numbering Authority (CNA) for all open-source Erlang, Elixir and Gleam language packages. Joining the OpenSSF has been instrumental in connecting us to experts in the field and facilitating relationships with security practitioners in other open-source projects.” 

– Alistair Woodman, Board Chair, Erlang Ecosystem Foundation

“Trace Machina is a technology company, founded in September 2023, that builds infrastructure software for developers to go faster. Our current core product, NativeLink, is a build caching and remote execution platform that speeds up compute-heavy work. As a company we believe both in building our products open source whenever possible, and in supporting the open source ecosystem and community. We believe open source software is a crucial philosophy in technology, especially in the security space. We’re thrilled to join the OpenSSF as a member organization and to continue being active in this wonderful community.” 

– Tyrone Greenfield, Chief of Staff, Trace Machina

“Triam Security is proud to join the Open-Source Security Foundation to support its mission of strengthening the security posture of critical open source software. As container security vulnerabilities continue to pose significant risks to the software supply chain, our expertise in implementing SLSA Level 3/4 controls and building near-zero CVE solutions through CleanStart aligns perfectly with OpenSSF’s supply chain security initiatives. We look forward to collaborating with the community on advancing SLSA adoption, developing security best practices, improving vulnerability management processes, and promoting standards that enhance the security, transparency, and trust in the open-source ecosystem.”

– Biswajit De, CTO, Triam Security

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry organization at the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org

Media Contact
Natasha Woods
The Linux Foundation

PR@linuxfoundation.org 

OpenSSF Newsletter – June 2025

By Newsletter

Welcome to the June 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR:

Tech Talk: CRA-Ready: How to Prepare Your Open Source Project for EU Cybersecurity Regulations

The recent Tech Talk, “CRA-Ready: How to Prepare Your Open Source Project for EU Cybersecurity Regulations,” brought together open source leaders to explore the practical impact of the EU’s Cyber Resilience Act (CRA). With growing pressure on OSS developers, maintainers, and vendors to meet new security requirements, the session provided a clear, jargon-free overview of what CRA compliance involves. 

Speakers included CRob (OpenSSF), Adrienn Lawson (Linux Foundation), Dave Russo (Red Hat), and David A. Wheeler (OpenSSF), who shared real-world examples of how organizations are preparing for the regulation, even with limited resources. The discussion also highlighted the LFEL1001 CRA course, designed to help OSS contributors move from confusion to clarity with actionable guidance. 

Watch the session here.

Case Study: OSTIF Improves Security Posture of Critical Open Source Projects Through OpenSSF Membership

The Open Source Technology Improvement Fund (OSTIF) addresses a critical gap in open source security by conducting tailored audits for high-impact OSS projects often maintained by small, under-resourced teams. Through its active role in OpenSSF initiatives and strategic partnerships, OSTIF delivers structured, effective security engagements that strengthen project resilience. By leveraging tools like the OpenSSF Scorecard and prioritizing context-specific approaches, OSTIF enhances audit outcomes and fosters a collaborative security community. Read the full case study to explore how OSTIF is scaling impact, overcoming funding hurdles, and shaping the future of OSS security.

Blogs:

✨GUAC 1.0 is Now Available

Discover how GUAC 1.0 transforms the way you manage SBOMs and secure your software supply chain. This first stable release of the “Graph for Understanding Artifact Composition” platform moves beyond isolated bills of materials to aggregate and enrich data from file systems, registries, and repositories into a powerful graph database. Instantly tap into vulnerability insights, license checks, end-of-life notifications, OpenSSF Scorecard metrics, and more. Read the blog to learn more.

✨Maintainers’ Guide: Securing CI/CD Pipelines After the tj-actions and reviewdog Supply Chain Attacks

CI/CD pipelines are now prime targets for supply chain attacks. Just look at the recent breaches of reviewdog and tj-actions, where chained compromises and log-based exfiltration let attackers harvest secrets without raising alarms. In this Maintainers’ Guide, Ashish Kurmi breaks down exactly how those exploits happened and offers a defense-in-depth blueprint from pinning actions to full commit SHAs and enforcing MFA, to monitoring for tag tampering and isolating sensitive secrets that every open source project needs today. Read the full blog to learn practical steps for locking down your workflows before attackers do.

✨From Sandbox to Incubating: gittuf’s Next Step in Open Source Security

gittuf, a platform-agnostic Git security framework, has officially progressed to the Incubating Project stage under the OpenSSF marking a major milestone in its development, community growth, and mission to strengthen the open source software supply chain. By adding cryptographic access controls, tamper-evident logging, and enforceable policies directly into Git repositories without requiring developers to abandon familiar workflows, gittuf secures version control at its core. Read the full post to see how this incubation will accelerate gittuf’s impact and how you can get involved.

✨Choosing an SBOM Generation Tool

With so many tools to build SBOMs, single-language tools like npm-sbom and CycloneDX’s language-specific generators or multi‐language options such as cdxgen, syft, and Tern, how do you know which one to pick? Nathan Naveen helps you decide by comparing each tool’s dependency analysis, ecosystem support, and CI/CD integration, and reminds us that “imperfect SBOMs are better than no SBOMs.” Read the blog to learn more.

✨OSS and the CRA: Am I a Manufacturer or a Steward?

The EU Cyber Resilience Act (CRA) introduces critical distinctions for those involved in open source software particularly between manufacturers and a newly defined role: open source software stewards. In this blog, Mike Bursell of OpenSSF breaks down what these terms mean, why most open source contributors won’t fall under either category, and how the CRA acknowledges the unique structure of open source ecosystems. If you’re wondering whether the CRA applies to your project or your role this post offers clear insights and guidance. Read the full blog to understand your position in the new regulatory landscape.

What’s in the SOSS? An OpenSSF Podcast:

#33 – S2E10 “Bridging DevOps and Security: Tracy Ragan on the Future of Open Source”: In this episode of What’s in the SOSS, host CRob sits down with longtime open source leader and DevOps champion Tracy Ragan to trace her journey from the Eclipse Foundation to her work with Ortelius, the Continuous Delivery Foundation, and the OpenSSF. CRob and Tracy dig into the importance of configuration management, DevSecOps, and projects like the OpenSSF Scorecard and Ortelius in making software supply chains more transparent and secure, plus strategies to bridge the education gap between security professionals and DevOps engineers.

 

#32 – S2E09 “Yoda, Inclusive Strategies, and the Jedi Council: A Conversation with Dr. Eden-Reneé Hayes”: In this episode of What’s in the SOSS, host Yesenia Yser sits down with DEI strategist, social psychologist, and Star Wars superfan Dr. Eden-Reneé Hayes to discuss the myths around DEIA and why unlearning old beliefs is key to progress. Plus, stay for the rapid-fire questions and discover if Dr. Hayes is more Marvel or DC.

Education:

The Open Source Security Foundation (OpenSSF), together with Linux Foundation Education, provides a selection of free e-learning courses to help the open source community build stronger software security expertise. Learners can earn digital badges by completing offerings such as:

These are just a few of the many courses available for developers, managers, and decision-makers aiming to integrate security throughout the software development lifecycle.

News from OpenSSF Community Meetings and Projects:

In the News:

  • ITOpsTimes – “Linux Foundation and OpenSSF launch Cybersecurity Skills Framework”
  • HelpNetSecurity – “Cybersecurity Skills Framework connects the dots between IT job roles and the practical skills needed”
  • SiliconAngle“Linux Foundation debuts Cybersecurity Skills Framework to address enterprise talent gaps”
  • Security Boulevard – Linux Foundation Shares Framework for Building Effective Cybersecurity Teams
  • IT Daily – “Linux Foundation Launches Global Cybersecurity Skills Framework”
  • SC World – “New Cybersecurity Skills Framework seeks to bolster enterprise talent readiness”

Meet OpenSSF at These Upcoming Events!

Join us at OpenSSF Community Day Events in North America, India, Japan, Korea and Europe!

OpenSSF Community Days bring together security and open source experts to drive innovation in software security.

Connect with the OpenSSF Community at these key events:

Ways to Participate:

There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.

You’re invited to…

See You Next Month! 

We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!

Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team

An Introduction to the OpenSSF Model Signing (OMS) Specification: Model Signing for Secure and Trusted AI Supply Chains

By Blog, Guest Blog

By Mihai Maruseac (Google), Eoin Wickens (HiddenLayer), Daniel Major (NVIDIA), Martin Sablotny (NVIDIA)

As AI adoption continues to accelerate, so does the need to secure the AI supply chain. Organizations want to be able to verify that the models they build, deploy, or consume are authentic, untampered, and compliant with internal policies and external regulations. From tampered models to poisoned datasets, the risks facing production AI systems are growing — and the industry is responding.

In collaboration with industry partners, the Open Source Security Foundation (OpenSSF)’s AI/ML Working Group recently delivered a model signing solution. Today, we are formalizing the signature format as OpenSSF Model Signing (OMS): a flexible and implementation-agnostic standard for model signing, purpose-built for the unique requirements of AI workflows.

What is Model Signing

Model signing is a cryptographic process that creates a verifiable record of the origin and integrity of machine learning models.  Recipients can verify that a model was published by the expected source, and has not subsequently been tampered with.  

Signing AI artifacts is an essential step in building trust and accountability across the AI supply chain.  For projects that depend on open source foundational models, project teams can verify the models they are building upon are the ones they trust.  Organizations can trace the integrity of models — whether models are developed in-house, shared between teams, or deployed into production.  

Key stakeholders that benefit from model signing:

  • End users gain confidence that the models they are running are legitimate and unmodified.
  • Compliance and governance teams benefit from traceable metadata that supports audits and regulatory reporting.
  • Developers and MLOps teams are equipped to trace issues, improve incident response, and ensure reproducibility across experiments and deployments.

How does Model Signing Work

Model signing uses cryptographic keys to ensure the integrity and authenticity of an AI model. A signing program uses a private key to generate a digital signature for the model. This signature can then be verified by anyone using the corresponding public key. These keys can be generated a-priori, obtained from signing certificates, or generated transparently during the Sigstore signing flow.If verification succeeds, the model is confirmed as untampered and authentic; if it fails, the model may have been altered or is untrusted.

Figure 1:  Model Signing Diagram

How Does OMS Work

OMS Signature Format

OMS is designed to handle the complexity of modern AI systems, supporting any type of model format and models of any size. Instead of treating each file independently, OMS uses a detached OMS Signature Format that can represent multiple related artifacts—such as model weights, configuration files, tokenizers, and datasets—in a single, verifiable unit.

The OMS Signature Format includes: 

  • A list of all files in the bundle, each referenced by its cryptographic hash (e.g., SHA256)
  • An optional annotations section for custom, domain-specific fields (future support coming)
  • A digital signature that covers the entire manifest, ensuring tamper-evidence

The OMS Signature File follows the Sigstore Bundle Format, ensuring maximum compatibility with existing Sigstore (a graduated OpenSSF project) ecosystem tooling.  This detached format allows verification without modifying or repackaging the original content, making it easier to integrate into existing workflows and distribution systems.

OMS is PKI-agnostic, supporting a wide range of signing options, including:

  • Private or enterprise PKI systems
  • Self-signed certificates
  • Bare keys
  • Keyless signing with public or private Sigstore instances 

This flexibility enables organizations to adopt OMS without changing their existing key management or trust models.

Figure 1. OMS Signature Format

Signing and Verifying with OMS

As reference implementations to speed adoption, OMS offers both a command-line interface (CLI) for lightweight operational use and a Python library for deep integration into CI/CD pipelines, automated publishing flows, and model hubs. Other library integrations are planned.

Signing and Verifying with Sigstore

Shell
# install model-signing package
$ pip install model-signing

# signing the model with Sigstore
$ model_signing sign <MODEL_PATH>

# verification if the model is signed with Sigstore
$ model_signing verify \
  <MODEL_PATH> \
  --signature <OMS_SIG_FILE> \
  --identity "<IDENTITY>" \
  --identity_provider "<OIDC_PROVIDER>"

 

Signing and Verifying with PKI Certificates

Shell
# install model-signing package
$ pip install model-signing

# signing the model with a PKI certificate
$ model_signing sign  \
  --certificate_chain  \
  --private_key 

# verification if the model is signed with a PKI certificate
$ model_signing verify \
 <MODEL_PATH> \
  --signature <OMS_SIG_FILE> \
  --certificate_chain <ROOT_CERT> 


 

Other examples, including signing using PKCS#11, can be found in the model-signing documentation.

This design enables better interoperability across tools and vendors, reduces manual steps in model validation, and helps establish a consistent trust foundation across the AI lifecycle.

Looking Ahead

The release of OMS marks a major step forward in securing the AI supply chain. By enabling organizations to verify the integrity, provenance, and trustworthiness of machine learning artifacts, OMS lays the foundation for safer, more transparent AI development and deployment.

Backed by broad industry collaboration and designed with real-world workflows in mind, OMS is ready for adoption today. Whether integrating model signing into CI/CD pipelines, enforcing provenance policies, or distributing models at scale, OMS provides the tools and flexibility to meet enterprise needs.

This is just the first step towards a future of secure AI supply chains. The OpenSSF AI/ML Working Group is engaging with the Coalition for Secure AI to incorporate other AI metadata into the OMS Signature Format, such as embedding rich metadata such as training data sources, model version, hardware used, and compliance attributes.  

To get started, explore the OMS specification, try the CLI and library, and join the OpenSSF AI/ML Working Group to help shape the future of trusted AI.

Special thanks to the contributors driving this effort forward, including Laurent Simon, Rich Harang, and the many others at Google, HiddenLayer, NVIDIA, Red Hat, Intel, Meta, IBM, Microsoft, and in the Sigstore, Coalition for Secure AI, and OpenSSF communities.

Mihai Maruseac is a member of the Google Open Source Security Team (GOSST), working on Supply Chain Security for ML. He is a co-lead on a Secure AI Framework (SAIF) workstream from Google. Under OpenSSF, Mihai chairs the AI/ML working group and the model signing project. Mihai is also a GUAC maintainer. Before joining GOSST, Mihai created the TensorFlow Security team and prior to Google, he worked on adding Differential Privacy to Machine Learning algorithms. Mihai has a PhD in Differential Privacy from UMass Boston.

Eoin Wickens, Director of Threat Intelligence at HiddenLayer, specializes in AI security, threat research, and malware reverse engineering. He has authored numerous articles on AI security, co-authored a book on cyber threat intelligence, and spoken at conferences such as SANS AI Cybersecurity Summit, BSides SF, LABSCON, and 44CON, and delivered the 2024 ACM SCORED opening keynote.

Daniel Major is a Distinguished Security Architect at NVIDIA, where he provides security leadership in areas such as code signing, device PKI, ML deployments and mobile operating systems. Previously, as Principal Security Architect at BlackBerry, he played a key role in leading the mobile phone division’s transition from BlackBerry 10 OS to Android. When not working, Daniel can be found planning his next travel adventure.

Martin Sablotny is a security architect for AI/ML at NVIDIA working on identifying existing gaps in AI security and researching solutions. He received his Ph.D. in computing science from the University of Glasgow in 2023. Before joining NVIDIA, he worked as a security researcher in the German military and conducted research in using AI for security at Google.

Member Spotlight: Datadog – Powering Open Source Security with Tools, Standards, and Community Leadership

By Blog

Datadog, a leading cloud-scale observability and security platform, joined the Open Source Security Foundation (OpenSSF) as a Premier Member in July, 2024. With both executive leadership and deep technical involvement, Datadog has rapidly become a force in advancing secure open source practices across the industry.

Key Contributions

GuardDog: Open Source Threat Detection

In early 2025, Datadog launched GuardDog, a Python-based open source tool that scans package ecosystems like npm, PyPI, and Go for signs of malicious behavior. GuardDog is backed by a publicly available threat dataset, giving developers and organizations real-time visibility into emerging supply chain risks.

This contribution directly supports OpenSSF’s mission to provide practical tools that harden open source ecosystems against common attack vectors—while promoting transparency and shared defense.

Datadog actively supports the open source security ecosystem through its engineering efforts, tooling contributions, and participation in the OpenSSF community:

  • SBOM Generation and Runtime Insights
    Datadog enhances the usability and value of Software Bills of Materials (SBOMs) through tools and educational content. Their blog, Enhance SBOMs with runtime security context, outlines how they combine SBOM data with runtime intelligence to identify real-world risks and vulnerabilities more effectively.
  • Open Source Tools Supporting SBOM Adoption
    Datadog maintains the SBOM Generator, an open source tool based on CycloneDX, which scans codebases to produce high-quality SBOMs. They also released the datadog-sca-github-action, a GitHub Action that automates SBOM generation and integrates results into the Datadog platform for improved visibility.
  • Sigstore and Software Signing
    As part of the OpenSSF ecosystem, Datadog supports efforts like Sigstore to bring cryptographic signing and verification to the software supply chain. These efforts align with Datadog’s broader commitment to improving software provenance and integrity, especially as part of secure build and deployment practices.
  • OpenSSF Membership
    As a Premier Member of OpenSSF, Datadog collaborates with industry leaders to advance best practices, contribute to strategic initiatives, and help shape the future of secure open source software.

These collaborations demonstrate Datadog’s investment in long-term, community-driven approaches to open source security.

What’s Next

Datadog takes the stage at OpenSSF Community Day North America on Thursday, June 26, 2025, in Denver, CO, co-located with Open Source Summit North America.

They’ll be presenting alongside Intel Labs in the session:

Talk Title: Harnessing In-toto Attestations for Security and Compliance With Next-gen Policies
Time: 3:10–3:30 PM MDT
Location: Bluebird Ballroom 3A
Speakers:

  • Trishank Karthik Kuppusamy, Staff Engineer, Datadog
  • Marcela Melara, Research Scientist, Intel Labs

This session dives into the evolution of the in-toto Attestation Framework, spotlighting new policy standards that make it easier for consumers and auditors to derive meaningful insights from authenticated metadata—such as SBOMs and SLSA Build Provenance. Attendees will see how the latest policy framework bridges gaps in compatibility and usability with a flexible, real-world-ready approach to securing complex software supply chains.

Register now and connect with Datadog, Intel Labs, and fellow open source security leaders in Denver.

Why It Matters

By contributing to secure development frameworks, creating open source tooling, and educating the broader community, Datadog exemplifies what it means to be an OpenSSF Premier Member. Their work is hands-on, standards-driven, and deeply collaborative—helping make open source safer for everyone.

Learn More

Case Study: OSTIF Improves Security Posture of Critical Open Source Projects Through OpenSSF Membership

By Blog, Case Studies

Organization: Open Source Technology Improvement Fund, Inc. (OSTIF)
Contributor: Amir Montazery, Managing Director
Website: ostif.org

Problem

Critical open source software (OSS) projects—especially those that are long-standing and widely adopted—often lack the resources and systematic support needed to regularly review and improve their security posture. Many of these projects are maintained by small teams with limited bandwidth, making it challenging to conduct comprehensive security audits and implement best practices. The risk of undetected vulnerabilities in these projects presents a growing concern for the broader software ecosystem.

Action

To address this gap, OSTIF leverages its OpenSSF membership to conduct rigorous security audits of critical OSS projects. Using a curated process rooted in industry best practices, OSTIF delivers structured security engagements that improve real-world outcomes for maintainers and users alike.

Through active participation in OpenSSF’s Securing Critical Projects working group and Alpha-Omega initiatives since their inception, and through strategic partnership with organizations like Eclipse Foundation, OSTIF receives targeted funding and support to carry out its mission. These collaborations help prioritize high-impact projects and streamline audit administration—despite the inherent complexity of managing funding approvals and coordination. 

It’s pivotal that these important projects receive customized work. Each open source project is unique and so are its security needs, making standardization of audits difficult. OSTIF is able to invest time and expertise in scoping and organizing engagements to be tailored to the project’s best interests, necessities, and budget to generate effective investment in open source security.

OSTIF also incorporates other OpenSSF tools and services such as the OpenSSF Scorecard and the broader Securing Critical Projects Set, which complement its robust audit methodology and offer additional layers of insight into project health. In an ecosystem that is varied and complex, having security resources that can be applied to all projects contextually to generate impactful and sustainable security outcomes is incredibly valuable to all stakeholders, especially OSTIF.

Results

OSTIF’s work has demonstrated the effectiveness of formal security audits in strengthening OSS project resilience. As a member of OpenSSF, OSTIF has been able to expand its reach, increase audit throughput, and reinforce the security practices of some of the open source community’s most essential projects. Since 2021, OSTIF has facilitated numerous engagements funded by OpenSSF. In March of 2025, OSTIF published the results of the audit of RSTUF with OpenSSF’s funding and support. Additionally, 2 more Alpha-Omega funded engagements will be published later this year.

“OSTIF is grateful for the support from OpenSSF, particularly for funding security audits both directly and via Project Alpha-Omega, to help improve the security of critical OSS projects.”
— Amir Montazery, Managing Director, OSTIF

In addition to the technical improvements achieved through audits, OSTIF’s OpenSSF membership has fostered valuable connections with project maintainers, security experts, and funders—creating a collaborative ecosystem dedicated to open source security. Building a community around security audits is a goal of OSTIFs; by sharing resources and providing a platform for researchers to present audit findings through meetups, their goal is to grow expertise and access to security knowledge of the average open source user. 

Key Benefits

  • Enhanced security posture of widely-used OSS projects.
  • Strategic collaboration with OpenSSF working groups.
  • Access to funding and expert networks.
  • Improved audit administration through community support.

Biggest Challenge

  • Navigating administrative processes and funding approval cycles for new audit projects.
  • Funding multi-year programs and engagements. 

To learn more about OSTIF’s work, visit their 2024 Annual Report. Visit their website at ostif.org or follow them on LinkedIn to stay up to date with audit releases.

Member Spotlight: Trail of Bits – Driving Open Source Security Through Standards, Prototypes, and Policy

By Blog

Trail of Bits is a leading cybersecurity research, engineering, and consulting firm that works with some of the most security-conscious organizations in the world—including Facebook, government agencies like DARPA, and prominent cryptocurrency protocols. Founded in 2012, each part of the company focused on open sourcing their work- tools,research, and audits wherever possible. Trail of Bits also maintains a dedicated research division focused on advancing industry-wide security practices, with specialized teams focused on securing open source infrastructure that both their clients and the broader technology ecosystem depend upon.

Key Contributions

Trail of Bits’ work spans both policy and practice, often bridging emerging security needs with real-world implementation. Here are a few of the ways they’ve made an impact:

  1. PEP 740 – Index-Hosted Attestations for PyPI
    In 2023, Trail of Bits authored and implemented PEP 740, which introduced support for digitally signed attestations for Python packaging. This new security feature helps developers verify the integrity and origin of packages—an important step toward a more secure and trustworthy software supply chain, and already more than 270,000 package distributions have already been uploaded with attestations. 
  2. Drafting Project Lifecycle Metadata Standards
    More recently, Trail of Bits drafted a new Python Enhancement Proposal that introduces lifecycle metadata—markers like “active,” “archived,” or “maintenance only”—that could be surfaced through PyPI’s API. While still under discussion, this draft shows their continued push to improve transparency and project health visibility for the broader Python ecosystem.
  3. OpenSSF Scorecard Dashboard Prototype
    In collaboration with OpenSSF, Trail of Bits built a prototype dashboard to help visualize OpenSSF Scorecard metrics across projects and over time. While the dashboard is not yet in public use, it provided valuable insights during development—including identification of a non-functioning Scorecard check—and helped shape conversations about visibility tooling and adoption patterns.
  4. Tooling and Publications
    Trail of Bits builds and open sources custom security tools across multiple domains—including static and dynamic analysis, AI/ML security, and fuzzing capabilities—maintaining them for public use and community benefit. This dedication to open source resources extends to their publication practices, where Trail of Bits regularly shares client audits, testing methodologies, and research through detailed blog posts and comprehensive handbooks that have become essential references in the security community. 
  5. Contributions to Secure Standards
    Their work spans other critical areas of open source security, including contributions to Sigstore, Homebrew build provenance (via Alpha-Omega), and other OpenSSF working groups. They continue to advocate for secure defaults and verifiable development practices across the OSS ecosystem.

Why It Matters

As open source continues to serve as the backbone of digital infrastructure, organizations like Trail of Bits play a vital role in making it more secure, reliable, and transparent. Their ability to influence both upstream policy (like PEPs) and downstream implementation (like OpenSSF Scorecard and Sigstore) helps move the entire ecosystem forward.

Looking Ahead

Trail of Bits remains actively engaged in exploring new opportunities for impact—whether that’s contributing technical guidance, launching prototypes, or leading standards discussions. Their work reflects the spirit of OpenSSF collaboration: practical, community-oriented, and always evolving.

Learn More

Visit trailofbits.com to explore their research and tooling.
To get involved in OpenSSF projects or working groups, visit openssf.org.

OpenSSF Newsletter – May 2025

By Newsletter

Welcome to the May 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR:

Here’s a quick summary of this month’s highlights: the OpenSSF Tech Talk showed how the Security Baseline helps projects enhance compliance and resilience; the Best Practices WG released the guide “Simplifying Software Component Updates” to prevent API‐compatibility vulnerabilities; the CFP for Community Day Europe (Amsterdam, August 28) closes May 26; the Cybersecurity Skills Framework offers a free, customizable way to align job roles with practical security skills (webinar June 11); Ericsson’s C/C++ Compiler Hardening Guide, now jointly maintained with OpenSSF, demonstrates the power of community-driven security practices; three fresh podcast episodes are live (#29 Stacey Potter, #30 GitHub’s SOS Fund, and #31 Cybersecurity Framework Launch); and our community continues to buzz with WG updates, upcoming Community Days in Tokyo, Denver, Hyderabad, Amsterdam and Seoul, and CFP for Open Source SecurityCon

Linux Foundation and OpenSSF Release Cybersecurity Skills Framework to Strengthen Enterprise Readiness

The Linux Foundation and OpenSSF have released the Cybersecurity Skills Framework, a customizable global reference guide that aligns IT job roles with practical cybersecurity competencies. The framework defines foundational, intermediate, and advanced proficiency levels mapped to standards like DoD 8140, CISA NICE, and ICT e-CF, enabling organizations to assess and build security capabilities across job roles. 

Developed through global research and community feedback, the framework empowers enterprise leaders to close skills gaps, strengthen security culture, and systematically reduce cyber risk. Listen to the podcast, attend the webinar on Wednesday, June 11 at 11:00 am EDT. Learn more.

OpenSSF Tech Talk Recap: Using Security Baseline to Navigate Standards and Regulations

OSPSTechTalkRecap

The Open Source Security Foundation (OpenSSF) hosted a Tech Talk titled “How to Use the OSPS Baseline to Better Navigate Standards and Regulations” to help maintainers, contributors, and organizations apply the OSPS Baseline in real-world projects. This session offered practical guidance on enhancing compliance, reducing risk, and building more resilient open source software. Learn more.

New Guide on Simplifying Software Component Updates

NewGuideonSimplifyingSoftwareComponent Updates

The Open Source Security Foundation (OpenSSF) Best Practices Working Group has released the new guide Simplifying Software Component Updates. This guide by David A. Wheeler (The Linux Foundation) and Georg Kunz (Ericsson) gives software producers and consumers practical steps to simplify component compatibility. Applying the principles in this guide will eliminate many vulnerabilities in software. Backward-incompatible changes to an application programmer interface (API) often lead to unaddressed security vulnerabilities. Read the blog.

Call for Proposals for OpenSSF Community Day Europe Open Through 26 May, 2025

CFP

OpenSSF Community Day Europe takes place on Thursday, 28 August in Amsterdam, Netherlands, co-located with Open Source Summit EU. This event brings together contributors, maintainers, practitioners, and researchers to collaborate on securing the open source software we all rely on. Submit your proposals by 26 May 2025 on topics such as AI and ML in security, cyber resilience and supply chain security, OSS signatures and verification, real-world case studies, regulatory compliance, and enhanced security tooling. Learn more.

Case Study: Ericsson’s C/C++ Compiler Options Hardening Guide and OpenSSF Collaboration

This case study highlights Ericsson’s collaboration with the OpenSSF on the C/C++ Compiler Options Hardening Guide, a pragmatic resource that maps compiler hardening flags to their performance and security impacts. Originally drafted by Ericsson’s product security team and donated to the OpenSSF, the guide is now maintained in the OpenSSF Best Practices Working Group. Community feedback from compiler maintainers, Linux distribution contributors, and projects like Wireshark, Chainguard, and CPython has refined its recommendations, leading to internal adoption at Ericsson and broader ecosystem uptake.

Ericsson’s work demonstrates how open sourcing practical security guidance and engaging the community can drive real improvements in C/C++ code hardening across the industry. Read the case study.

What’s in the SOSS? An OpenSSF Podcast:

#29 – S2E06Showing Up Fully: Meet OpenSSF’s new Community Manager, Stacey Potter”: Meet Stacey Potter, OpenSSF’s new Community Manager, as she shares her journey into open source and her community first mindset.

#30 S2E07Scaling Security: Inside the GitHub Securing Open Source Software Fund”: Kevin Crosby and Xavier René-Corail from GitHub discuss the Securing Open Source SOS Fund, its $10K stipends, lessons from cohort 1, and maintainer month.

#31 – S2E08Cybersecurity Framework Launch”: Delve into the development of the Cybersecurity Skills Framework, emphasizing the need for continuous learning and community engagement in the tech industry.

News from OpenSSF Community Meetings and Projects:

In the News:

Meet OpenSSF at These Upcoming Events!

Join us at OpenSSF Community Day Events in North America, India, Japan, Korea and Europe!

OpenSSF Community Days bring together security and open source experts to drive innovation in software security.

Connect with the OpenSSF Community at these key events:

Ways to Participate:

There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.

You’re invited to…

See You Next Month! 

We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!

Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team

What’s in the SOSS? Podcast #30 – S2E07 Scaling Security: Inside the GitHub Securing Open Source Software Fund

By Podcast

Summary

In this episode of What’s in the SOSS?, CRob sits down with Kevin Crosby and Xavier René-Corail from GitHub to unpack the GitHub Secure Open Source (SOS) Fund – an innovative program that combines funding, education, and community to strengthen open source security. Learn how this unique initiative connects maintainers with training, resources, and a $10K stipend to scale security best practices. The trio also shares the origins of the fund, surprising takeaways from the first cohort, and what’s next for this rapidly growing initiative.

Conversation Highlights

00:00 – Introduction
00:58 – Meet the Guests
02:26 – Open Source Origin Stories
06:10 – The Spark Behind the SOS Fund
10:19 – What Participating in the Fund Looks Like
12:39 – Inside the Curriculum
14:50 – Unique Program Design & Outcomes
16:23 – Key Learnings from the First Cohort
19:09 – Feedback & Areas to Improve
21:50 – What’s Next for the Fund
23:00 – Rapid Fire Round
24:23 – Call to Action

Transcript

Intro Music (00:00)

Kevin Crosby (00:04)
I think that that was one of the most impressive things is just seeing these maintainers emerge out of a program and say, wow, you know, we live security now, you know, I think that that was pretty cool.

CRob (00:18)
Welcome to what’s in the sauce. The open SSF’s podcast where I talk to maintainers and developers, security researchers and experts all around the open source security ecosystem. It is my pleasure to be your host. My name is CRob. I’m the security architect for the open source security foundation and one of our co-hosts for this amazing little endeavor. And today I think we have a real treat. We have some people that have been deeply involved in upstream open source security for a very long time. And they have a pretty innovative idea that they’re going to be talking about this program we’re collaborating on together. So please let me welcome my friends, Kevin and Xavier from GitHub.

Kevin (01:04)
Thanks for having us today. It’s exciting to join the podcast and get to share this journey. And also very thankful for the partnership that you’ve brought through this program as well. Just quick background, Kevin here from GitHub. I lead our open source funding programs, specifically focused on things around GitHub sponsors that enable developers to get paid for their open source work. Think of things like hobbyists that are working on open source part-time to even full-time careers, or even folks that are starting to build companies around open source. And then programs beyond that through the secure open source fund as well as get up fund with with Microsoft’s venture fund as well

CRob (01:44)
and Xavier. Want to introduce yourself?

Xavier René-Corail (01:45)
Hey, Crob. Yes, I’m Xavier René-Corail from GitHub. I’m a Senior Director of Security Research and I lead the GitHub Security Lab. Our mission is to help secure open source. I’ve got a team of hackers who are doing security research. Another team who is in charge of creating the GitHub advisory database and managing our CNA. And, well, also, I’ve been with you, Crob, one of the…kind of initial members of the open source security foundation. We work together in the best practices working group and we are continuing to work together on securing open source.

CRob (02:26)
Yeah, I know Xavier, he and I used to be one of like 15 people that attended all the OG meetings five years ago when we got started off. I’m very glad to continue our partnership with this new evolution of kind of GitHub’s engagement with helping improve open source security.

Xavier René-Corail (02:34)
Haha right.

Xavier René-Corail (02:41)
Yes.

CRob (02:44)
So before we jump into the the SOS program, let’s talk a little bit and explore your open source origin stories. How did you get into open source and you cannot know why what drives you to keep participating here?

Kevin (02:57)
Xavier, you want to go first?

Xavier René-Corail (02:59)
Yeah, I can. So my first step in open source, let me check. So first of all, I started programming in the 80s. I think I started with Tron and I think, yes, my two first games were a snake and a pong. But then, after, you know, during high school, teenage years, I forgot a bit about that then got back to…to coding during college. And then after that, started my career as a developer. And then very quickly, I came into being in charge of development practices. And as part of that, I created the open source policy for the company I was in. And this is how I discovered open source by…um empowering the developers of my company to take advantage of open source and also of course to give back to open source and to contribute to open source. So this is how I came to work in open source.

CRob (04:11)
Awesome. What about you, Kevin?

Kevin (04:13)
Mine’s kind of an interesting story. So I’m non-technical background. Originally, I was in economics, almost did a PhD and freaked out right at the housing bust and decided to go into corporate finance. So a little bit different of an experience. But during that journey, I started working with some early stage startups and venture firms and they were building open source tools coming out of university labs and innovation. And so I got the first flavor through that and really understanding how do you leverage this technology to build innovative products, sometimes even companies around it. And then fast forward a couple of years when I was at Amazon, my next touch point was we were building products that leverage things like OpenFire and Hazelcast to build messaging applications.

One of the coolest things was because we were building with it, I wanted to make sure our engineering team was able to contribute back to that open source project. And so we were actually shipping alongside the community and making sure that they were getting some of the innovations, which was super, super cool to see. And then fast forwarding a little bit further is kind of staying within tech and venture. I was in the Alexa fund. We got to work with early stage startups investing in early stage open source AI companies got to evaluate and meet folks like Hugging Face, for example, and just kind of understanding where this ecosystem was going. And all that kind of brought this view of when I came to GitHub of how do you bolt on funding for open source, make it sustainable, drive innovation, and also create new pathways of funding for these maintainers through their journey. And so that’s what I came here to do. And it’s been super exciting over the past almost two years to think about how we can build new funding models for open source maintainers and projects. So excited for this new addition to that as well being kind of a next iteration of all of the career touch points I’ve had with open source.

CRob (06:10)
Totally didn’t arrange it, but that is an amazing transition. So let’s talk about GitHub Securing Open Source Software Fund. You know, why have you all decided to kind of organize and run this program?

Kevin (06:25)
Yeah, maybe kicking it off with an interesting insight that we had from the GitHub accelerator last year. One of the key modules that I was thinking about, and this was a brainstorm with Xavier, was do we actually know how much security education and training do people have for these emerging, fast growing projects? And even some of the ones that are becoming vital to the ecosystem.

And so I just literally threw it out to Xavier as an experiment. Like, can we try to run this content and engagement with these projects and see what the results would be? And so we did it. And maybe Xavier, if you want to talk about that initial experience, it’d be great to just kind of get your point of view from it as well.

Xavier René-Corail (07:08)
Yeah, well, it was exactly as you said, it was an experiment at first, right? And part of the accelerator and it came a bit last minute, right? But we, but I mean, at GitHub, we are ready to pivot fast and to try to think fast. And so we did some, we did some office hours, we did some one-on-one audits of this project and we did some basic training about security posture. And yes, and the results were great. mean, the engagement of the maintainers and the result, the impact that it had on them was great. So, so Kevin came again.

Kevin (07:58)
I came asking again, like, can we make this bigger? you know, I think the learning that we had is when you connect funding with time training and expertise, you’re able to maximize the impact of the training and education. so, and it also kind of dovetailed with a lot of the needs around security within the open source supply chain. So you kind of had this serendipitous moment of

high need, both in terms of like a macro level, but also high need from a developer level to make this work. And also lining that up with the incentive structure of funding and education that make it really special for these maintainers. so that actually is what kind of seeded this idea of let’s build a programmatic open source fund targeting security that links the funding to the outcomes of security specifically. And so we tested that hypothesis.

Honestly, I’ll say it took us, I think, 30 days round trip from like the seed to actually getting the program previewed at GitHub universe, bringing folks along, getting funders to commit to the program, lining up what a scaffolding curriculum might look like. And so we had that in like 27 days to preview it at GitHub universe. And I actually think that was the first time you and I spoke about it too, because we were like, hey, what do you think?

CRob (09:26)
Great, that was exactly.

Xavier René-Corail (09:27)
Yeah. I mean, it was great because so my team, the security lab, you know, we’re already doing these trainings, these free training, these additional content, this office hours. It was already part of what we do for open source. But with this program, we had the opportunity, you know, to have the, yeah, the programmatic power, know, and the marketing and the partnership and the funding, et cetera. So when Kevin came to me with that, said, yes, please, yes, let’s do that. And I must say that, yes, the turnaround was impressive. And in particular, thanks to partners like OpenSSF, who, I mean, CoreView, immediately said, yes, let’s do it. And yes, it went pretty fast indeed.

CRob (10:19)
So for our audience that may not be familiar, could you just broadly describe if a project is participating in the fund? How does that? What does that look like? What do they do?

Kevin (10:30)
Yeah, that’s a great question. Maybe I’ll tee this up really quickly by saying the overall architecture of the fund brings together funders, organizations, community partners like OpenSSF and some others that actually bring resource expertise and kind of shape the program and then GitHub as well as our maintainers. And so we kind of have this ecosystem surrounding this. And so what we’ve done as a program, as a maintainer that gets brought in,

You go through a standard application process, highlighting things around what your project is, what you do with your project, what your project does for the ecosystem, level of security awareness and education, the benefit of the funding specifically, what it can do to unlock resourcing, et cetera. And that’s kind of the process to bring them in. And once we’ve done that, we architected what I would consider a really unique structure. And I’m excited to talk about it for variety of reasons, but…

It’s effectively a three-week boot camp focused on security fundamentals, thinking about things that you need to have at day zero of building a project, all the way up to the lifespan of your project, thinking about implementing some of these techniques within the project itself, and then also some of the frontier stuff around AI. And so this three-week boot camp is around security fundamentals, best practices, but then we bolt on things like six months check-ins, 12 months check-ins.

community engagement with experts throughout the program to make sure that we actually line up all the resources that a maintainer would need, not just to learn it, but to actually embed it and embody it in their culture, make it scale out to their contributors, their communities, and even their consumers of their software. So I’m really excited about how the program’s been shaped. And a big kudos to Xavi, and I want him to talk about this in depth.

the security lab team is what bolts this together. And so I want to make sure like the impact of like how this all comes together is really focused on the security lab and the work they do. So Xavier, I would love you to kind of like jump in on the curriculum and education.

Xavier René-Corail (12:39)
Yeah, thank you, Kevin. Well, again, I mean, this is things that we were doing, but this program really brought the opportunity to amplify it. So it’s not only, it’s really together that we that we are, that we managed to put that up. So, so in terms of curriculum, yes, we, are trying during this free week bootcamp to, to, to, to have a mix of, you know, basic security posture and some advanced training on, for example, on fuzzing, on static analysis, things like that.

So you really have to mix because you have a mixed audience first. you need to, I mean, not everyone is at the same moment of their security journey, right? So you have to mix of that. We are trying to address all aspects from coding to incident response to vulnerability management.

So again, a mix of that. And of course, the important thing is that we are in continuous improvement mode. from the feedback from the first cohort, we will get to add more content. We have some people who are coming to us and proposing new content. And we’re like, yes, please come in.

So yeah, that’s in a nutshell, yes, that’s how we built this program. We are trying to get experts giving these training. So from us, but also from our partners, from the great David Wheeler, for example, from OpenSSF. So this is adding…

This is adding something to the learners, to maintainers, to have these great presenters who know what they’re talking about, giving them these presentations and answering the questions. So yes, that’s it.

Kevin (14:53)
I was gonna say, and just to double click on that a little bit, I mean, I think the uniqueness of it, to Xavier’s point, is how we framed and packaged it. So if we zoom out and say, what does a maintainer get? It’s three weeks security bootcamp with all of the education and expertise with these topics really focused on the programming. They get access to the security lab. They get access to the maintainer community.

They get access to the ecosystem partners that we’ve brought in and the funding partners as well. And then on top of that, they get embedded with like the data of like, how are we progressing in our own security journey? Like, we making progress? Are we embedding it in our community? How are we collaborating with other projects and maintainers through that as well? And so that’s kind of what the maintainers get. And the last thing that I think, you we didn’t really touch on, but the funding is really, you know, aligning the maintainers to spend the time commitment on it. So we provide a $10,000 stipend to the projects.

CRob (15:52)
Wow.

Kevin (15:52)
Most of that comes upfront, you know, the $6,000 upfront of the program to really solidify the three week boot camp. And then the others are to align onto the reporting and kind of the touch points and making sure they’re continuing on their security journey. so by aligning the funding and linking it to the outcomes that we’re trying to get with security, it becomes a really great model that is helpful for maintainers and for the projects that are being improved with security throughout the program.

CRob (16:20)
That’s awesome. So Xavier touched on it. We are just coming towards the end of the first cohort. Could maybe you share what’s been some of the most surprising things you’ve learned so far in interacting with both the funders and the maintainers and projects?

Kevin (16:41)
Maybe Xavier, do you want to go first?

Xavier René-Corail (16:44)
Well, yeah, my big surprise was the enthusiasm of everyone. I mean, I know this is something that is a passion for me, but I was, I mean, I don’t know, I wasn’t expecting that level of enthusiasm and of engagement from everyone. Really, you know, I was expecting some of the projects to be already quite advanced on the…you know, in their journey and then to be, to react a bit like, okay, there is content that is interesting for me, but some of the content is too basic. I was expecting that, right? No, everyone was really, really super engaged and super enthusiastic. So that was the big positive surprise for me. What about you, Kevin?

Kevin (17:41)
Yeah, I echo that. I kind of bucket them in three different functions. One is I think there was a very strong level of trust from the outset because they were all shared alignment on security within their project. And so I think everyone walked in and this kind of drove the enthusiasm of like, we’re all here for the same thing and having the same impact. So that was great. Two, I think the community lens was very fascinating to me just to see folks across different sizes of projects, stages of their growth or in kind of like distribution, as well as their own maturity journey within security, and like just seeing that community fuse really well together to cut across different frameworks, languages, et cetera, was really powerful. And I think the last thing that I’d say on this is the outcomes that we see is meaningful. Like not just from like, did the…things go red to green or anything like that, but really like you see them embody this change of what it means to be a steward of security with an open source. And that’s really unique. don’t think, and we kind of saw glimmers of that within the accelerator, but I didn’t think we’d, I didn’t know if we’d see it at this scope and scale. And I think that that was one of the most impressive things is just seeing these maintainers emerge out of a program and say, wow, you know, we live security now, you know, I think that that was pretty cool.

CRob (19:09)
Awesome. So on top of this, sounds like you’ve gotten a lot of great feedback. Is there anything that kind of stands out that you’ve got a maintainer or project kind of shared something really valuable to you all back from this experience?

Kevin (19:23)
I have a lot. I think one of the things that stands out in feedback is kind of going to the point of maturity curve is that it’s a very meaty subject. And so being able to scale content and education appropriately to meet maintainers where they are in their own journey is like one of the most critical things. And I think we’re we’re, you know, adjusting to that is like one one thing to think about. And then to Being able to touch upstream and downstream projects within their own Ecosystems is another area where I think that that’s a big opportunity for us to engage and kind of think about securing through the program as well. So those are just two immediate ones that I’m pretty excited about Xavi, what about you?

Xavier René-Corail (20:17)
Yeah, will double down on what you said Kevin: scaling to more projects, this will be the big challenge. And one other thing that I will add that I want to focus on also, because that was a positive feedback from participants, is adding some fun to the training. All of the training that were interactive and fun and with quizzes, et cetera. worked very well. so, yeah, you know, I used to say that boring is the arch enemy of learning. And so, yeah, I, I think that I want to add a bit more fun to the to the curriculum. So..

CRob (20:58)
I for one, totally agree with that. I think security is a lot of fun.

Xavier René-Corail (21:02)
It is.

Kevin (21:02)
The security is a lot of fun. You know, it was super interesting to see the modules I’d say that had interactive coding engagement. Like people really love just diving into it. And the other thing that was kind of unique that I don’t think it’s super surprising, but this concept of like see one, do one, teach one. Like it’s people coming through this journey and like, as you emerge, the first time you see it, like, my gosh, like this is overwhelming. The next time you do it, like I can actually do a coding exercise on this and actually implement some changes.

And then you see people a day later that are teaching like, this is how I did it, or this is how I’m thinking about it. It’s really cool to see that like, transpire throughout the program. And people loved it. Like to your point on fun, that made it fun, you know, to be able to teach people and engage is really unique.

CRob (21:50)
So let’s gaze out over the horizon, kind of what’s coming down the pipe for the GitHub Securing Open Source Software Fund. What do you have in your bag of tricks next?

Kevin (22:00)
Bag of tricks, that’s always a great question. As Xavier said, I mean, we have to scale. So we did the first session. Our objective is to do 125 projects this year. So we have multiple sessions that will be going on throughout the back half of the year. Session two will be kicking up in the next couple of months. And so we’re rapidly preparing for that. Yeah, I think that that’s where we’re looking forward to just in the back half of the year.

CRob (22:28)
Mm-hmm.

Xavier René-Corail (22:30)
Yeah. And in terms of curriculum, as I said, I’m receiving a lot of proposals to add content. going through that, going to add this content, I’m in particular interested if I have some ecosystem partners who are listening, I’m interested in language specific training for security. So if anyone has them, please reach out.

CRob (22:56)
Patches welcome, right?

Xavier René-Corail (22:58)
Yes, always.

CRob (23:00)
Nice. Well, let’s move on to the rapid fire part of our session. Are you ready for rapid, rapid, rapid fire? I have some wacky questions I’m going to ask you. Just give me the first thing that comes out of your on top of mind. First question and potentially controversial, VI or Emacs.

Xavier René-Corail (23:04)
Ha

Kevin (23:04)
Love it.

Xavier René-Corail (23:24)
Emacs.

Kevin (23:25)
I’m going to go the opposite just to say VI

CRob (23:29)
There are no wrong answers. Some are better than others, though. Also equally contentious, tabs or spaces.

Xavier René-Corail (23:30)
spaces.

Kevin (23:31)
I like tabs.

CRob (23:45)
You guys are balancing each other out very well.

Xavier René-Corail (23:45)
Right?

Kevin (23:45)
Yeah.

CRob (23:47)
Ice or neat?

Xavier René-Corail (23:50)
Neat.

Kevin (23:51)
Neat.

CRob (23:52)
excellent, excellent answer. Who’s your favorite open source mascot?

Xavier René-Corail (23:58)
Mona, of course.

Kevin (24:00)
Yeah, you can’t go wrong with Mona.

CRob (24:04)
That is perfectly fine. And finally, the most important question, mild or spicy food?

Kevin (24:12)
I’m all about spicy food.

Xavier René-Corail (24:12)
Spicy for me. Yeah, good, spicy. I’m from the Caribbean and yeah.

CRob (24:22)
Ohhhhhh….that’s spicy. Nice. Excellent. Well, thank you all for playing along. And as we wrap up, do you have any call to action or anything you want to ask our audience to potentially think about in regards to your program?

Kevin (24:33)
Certainly, I mean, right now, any maintainers that are interested in joining to up level their security, we’re welcoming applications. They’re rolling on going throughout the year. As you know, we have a robust pipeline of projects to go through in multiple sessions. So always feel free to apply. And then for funders, if they’re interested in helping secure their own dependencies, welcome those conversations. I think it allows us to unlock more opportunities and projects with with funders. They also bring unique insights and resources from their own ecosystems and Xavier said it too, and ecosystem partners that are ready for the journey to provide education, curriculum, engagement with maintainers. Some of them are even unlocking referrals for their maintainers that are coming through the program, things like that. So we would certainly welcome those opportunities throughout the year. It’s not just today, it’s not just tomorrow, but it’s an ongoing journey.

CRob (25:18)
Very nice.

CRob (25:27)
Xavi any advice for the audience to have or a call to action?

Xavier René-Corail (25:30)
No, honestly, nothing to add. I already made my cultivation. I need some language specific training for security. So if you want to help open source projects, please reach out to me.

CRob (25:48)
love it. Thank you gentlemen for helping shepherd this amazing project program together to help the ecosystem. And I really am excited to see the results as you are engaging directly with these maintainers. So thank you all for coming and I will wish everybody a happy open source and out there. Thanks all.

Xavier René-Corail (26:08)
Thank you, Crob.

Kevin (26:08)
Thanks for having us.

Outro (26:10)
Like what you’re hearing. Be sure to subscribe to What’s in the SOSS on Spotify, Apple Podcasts, antennapod, pocketcast or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it all. Check out the newsletter for open source news, upcoming events and other happenings. Go to openssf.org/newsletter to subscribe. Connect with us on LinkedIn for the most up-to-date OpenSSF news and insight and be a part of the OpenSSF community at openssf.org/getinvolved. Thanks for listening and we’ll talk to you next time on What’s in the SOSS.