Open Source Security

Mar 14

OpenSSF Policy Summit DC 2025 Recap

By OpenSSF Blog, Global Cyber Policy

The OpenSSF Policy Summit DC 2025 brought together open source, government, and industry leaders to tackle pressing security challenges. The event fostered open dialogue under the Chatham House Rule, emphasizing shared responsibility and commitment to strengthening the open source ecosystem.

A Message from Steve Fernandez, OpenSSF General Manager,

“The OpenSSF is committed to tackling the most pressing security challenges facing the consumption of open source software in critical infrastructure and beyond. Our recent Policy Summit highlighted the shared responsibility, common goals, and commitment to strengthening the resilience of the open source ecosystem by bringing together the open source community, government, and industry leaders.” – Steve Fernandez, General Manager, OpenSSF

Keynotes & Panels

The summit opened with remarks from OpenSSF General Manager Steve Fernandez emphasizing the importance of collaboration between industry, government, and the broader open source community to tackle security challenges. Jim Zemlin, Executive Director of The Linux Foundation, delivered a keynote on the importance of securing open source in modern infrastructure, followed by Robin Bender Ginn of the OpenJS Foundation, who provided insights into systemic security challenges. Panels covered key topics such as integrating security into the software lifecycle, regulatory harmonization, AI security risks, and the adoption of open source in government.

🔗 Event Agenda

Breakout Sessions

The policy summit included various breakout sessions; below are some key takeaways from each.

AI & Open Source Security

AI security is at a crossroads, with many of the same supply chain risks seen in traditional software. Unlike past security crises, AI has not yet had its “Heartbleed moment”, making this the time to proactively address risks.

Discussion Highlights

AI presents both new challenges and an urgent need to reinforce existing security efforts led by OpenSSF and The Linux Foundation. If the origins of AI models are unclear, how can we truly trust them? Understanding and measuring the risks associated with AI is critical, especially as AI frameworks and libraries integrate with other tools, potentially introducing new vulnerabilities. Yet, security in this space is often left as an afterthought—an exercise for the user rather than a built-in safeguard. As AI intersects with open source software, traditional cybersecurity risks remain relevant, raising key questions: What are the existing guardrails, and how can we strengthen them to ensure a more secure AI ecosystem?

Key Takeaways

AI is software, and software security principles still apply – a fact that many AI practitioners may not yet fully understand.
There is a need for new OpenSSF personas: AI Scientist and Data Engineer.
There is a need for basic software security education tailored to AI practitioners.

🔗 Link to breakout notes

Open Source Best Practices

The conversation centered on improving how open source components are updated, ensuring clear maintenance statuses, and reducing dependencies on U.S.centric platforms.

Discussion Highlights

Improving component updates is a critical challenge, especially when backward-incompatible changes prevent seamless upgrades. The industry needs clear guidance on enabling and streamlining updates, ensuring that software remains secure without unnecessary friction. Best practices for downstream consumers should be more widely established—such as evaluating whether a project is actively maintained before adopting it and identifying major backward-incompatible API changes as potential risks.

A structured approach to declaring an open source project’s maintenance or production status is also essential. There should be a formal, machine-ready way to indicate when a project is no longer maintained, making it easy to see and act upon. Additionally, as organizations strive to avoid being U.S.centric, requirements should be designed to be platform-agnostic rather than tied to specific tools.

Transparency is another key consideration. There needs to be a way to self-attest disagreements in security scans—allowing individuals to provide justification with supporting URLs when a requirement is met or missed. While knowing who maintainers are can be useful, it should not be the sole security measure.

Finally, ensuring that executables match their claimed source code is fundamental to software integrity. Protecting the build process through frameworks like SLSA and enabling verified reproducible builds can help mitigate risks, preventing attacks like those seen with xz utils.

Key Takeaways

There’s still a lot to do (and opportunities) for identifying & encouraging best practices in OSS to improve security.
This list is being shared with the OpenSSF Best Practices Working Group to determine which of these would be a fruitful item to work on this year.

🔗 Link to breakout notes

Regulatory Harmonization

As open source software faces increasing regulatory scrutiny, the need for cross-compliance agreements and clear policies has become a priority.

Discussion Highlights

There are many open questions surrounding the EU’s Cyber Resilience Act (CRA)s definition of an open source steward. Clarity on what qualifies as stewardship is essential, as it impacts compliance responsibilities and obligations under the regulation.

A key concern for organizations navigating the CRA is the lack of a Mutual Recognition Agreement (MRA)—a framework that would allow compliance with one regulation to satisfy the requirements of another. Without this reciprocity, manufacturers must meet CRA standards separately to sell in Europe, adding complexity for global companies. Many U.S.based organizations are now grappling with whether and how to align these requirements domestically to avoid maintaining multiple sets of policies.

One proposal to strengthen open source sustainability is requiring government contracts to include provisions mandating that any changes to open source software made as part of the contract be contributed upstream. This would ensure that improvements benefit the broader ecosystem rather than remaining siloed.

Another growing concern is the financial sustainability of open source projects. Large organizations often look to cut costs, and open source funding is frequently among the first areas to be reduced. Regulation could help prevent this by recognizing the critical role open source plays in security and innovation.

Finally, organizations need better ways to quantify the impact of their open source contributions across distributed teams and departments. Some efforts are underway to address this challenge, but it remains difficult to track how contributions tie back to business value. While The Linux Foundation’s LFX provides some insight, similar visibility is lacking across other foundations, leaving a gap in industry-wide solutions.

Key Takeaways

The group wants to educate policymakers on how their regulations impact open source communities and industry.
The group suggested crafting a one-pager which describes, at a policy-maker (high) level, how open source fits into security and its importance. It should also explain how regulations impact open source and how regulation and policy can be designed to help support open source while still accomplishing security goals.
There was a lot of positive sentiment around encouraging policy makers to require contribution of changes and ongoing support for open source that is modified as part of software delivered in government contracts.

🔗 Link to breakout notes

Repository & Package Supply Chain Security

Discussions focused on improving how package repositories handle security and lifecycle management.

Discussion Highlights

The group explored how to effectively track when open source projects reach end-of-life or end-of-support, recognizing the need for clearer visibility into project status. One proposal discussed was the Global Cyber Policy Working Group’s idea to introduce a “steward.md” file, which would explicitly indicate whether a project is maintained by an OSS Steward. A key question raised was how package repositories should track and surface Steward information. Ensuring that repositories can reliably display this data would help users make informed decisions about software adoption and maintenance. Security was another focus of discussion, particularly the importance of isolating components of the build pipeline to minimize attack surfaces. One suggestion was to remove pre-install scripts, which can introduce vulnerabilities if not properly managed. Finally, the group considered next steps for the Principles of Package Repository Security document. Identifying priority areas for improvement will be crucial in strengthening repository security and ensuring alignment with broader security best practices.

Key Takeaways

How can we better communicate to consumers the lifecycle risk associated with a package?
- PyPI supports archiving projects for when the whole project is no longer active; should we publish guidance to make this more common across ecosystems?
- Specifying a per-package-version lifecycle isn’t really supported (e.g. “the last N releases will get security fixes backported”), although the Securing Repos Working Group is working on package yanking guidance.
- Should package repositories actively stop people from using known-vulnerable, very out-of-date packages? This could be a slippery slope; today repositories stay away from “curation.”
- Package repositories could serve vulnerability information alongside packages (some already do).

🔗 Link to breakout notes

Looking Ahead

The Policy Summit reinforced OpenSSF’s commitment to improving open source security through collaboration and actionable insights. We encourage the community to stay engaged and contribute to ongoing efforts in these key areas.

OpenSSF Vision Brief | Event Agenda

Mar 11

Love0

OpenSSF Hosts 2025 Policy Summit in Washington, D.C. to Tackle Open Source Security Challenges

By OpenSSF Blog, Global Cyber Policy, Press Release

WASHINGTON, D.C. – March 11, 2025 – The Open Source Security Foundation (OpenSSF) successfully hosted its 2025 Policy Summit in Washington, D.C., on Tuesday, March 4. The summit brought together industry leaders and open source security experts to address key challenges in securing the software supply chain, with a focus on fostering harmonization for open source software (OSS) development and consumption in critical infrastructure sectors.

The event featured keynotes from OpenSSF leadership and industry experts, along with panel discussions and breakout sessions covering the latest policy developments, security frameworks, and industry best practices for open source software security.

“The OpenSSF is committed to tackling the most pressing security challenges facing the consumption of open source software in critical infrastructure and beyond,” said Steve Fernandez, General Manager, OpenSSF. “Our recent Policy Summit highlighted the shared responsibility, common goals, and interest in strengthening the resilience of the open source ecosystem by bringing together the open source community, government, and industry leaders.”

Key Themes and Discussions from the Summit

AI, Open Source, and Security

AI security remains an emerging challenge: Unlike traditional software, AI has yet to experience a major security crisis akin to Heartbleed, leading to slower regulatory responses.
Avoid premature regulation: Experts advised policymakers to allow industry-led security improvements before introducing regulation.
Security guidance for AI developers: There is an increasing need for dedicated security frameworks for AI systems, akin to SLSA (Supply Chain Levels for Software Artifacts) in traditional software.

Software Supply Chain Security and OSS Consumption

Balancing software repository governance: The summit explored whether package repositories should actively limit the use of outdated or vulnerable software, recognizing both the risks and ethical concerns of software curation.
Improving package security transparency: Participants discussed ways to provide better lifecycle risk information to software consumers and whether a standardized framework for package deprecation and security backports should be introduced.
Policy recommendations for secure OSS consumption: OpenSSF emphasized the need for cross-sector collaboration to align software security policies with global regulatory frameworks, such as the EU Cyber Resilience Act (CRA) and U.S. federal cybersecurity initiatives.

“The OpenSSF Policy Summit reaffirmed the importance of industry-led security initiatives,” said Jim Zemlin, Executive Director of the Linux Foundation. “By bringing together experts from across industries and open source communities, we are ensuring that open source security remains a collaborative effort, shaping development practices that drive both innovation and security.”

Following the summit, OpenSSF will continue to refine security guidance, best practices, and policy recommendations to enhance the security of open source software globally. The discussions from this event will inform ongoing initiatives, including the OSS Security Baseline, software repository security principles, and AI security frameworks.

For more information on OpenSSF’s policy initiatives and how to get involved, visit openssf.org.

Supporting Quotes

“The 2025 Policy Summit was an amazing day of mind share and collaboration across different teams, from security, to DevOps, and policy makers. By uniting these critical voices, the day resulted in meaningful progress toward a more secure and resilient software supply chain that supports innovation across IT Teams.” – Tracy Ragan, CEO and Co-Founder DeployHub

“I was pleased to join the Linux Foundation OpenSSF Policy Summit “Secure by Design” panel and share insights on improving the open source ecosystem via IBM’s history of creating secure technology solutions for our clients,” said Jamie Thomas, General Manager, Technology Lifecycle Services & IBM Enterprise Security Executive. “Open source has become an essential driver of innovation for artificial intelligence, hybrid cloud and quantum computing technologies, and we are pleased to see more regulators recognizing that the global open source community has become an essential digital public good.” – Jamie Thomas, General Manager, Software Defined Systems, IBM Systems and Technology Group

“I was delighted to join this year’s OpenSSF Summit on behalf of JFrog as I believe strongly in the critical role public/private partnerships and collaboration plays in securing the future of open source innovation. Building trust in open source software requires a dedicated focus on security and software maturity. Teams must be equipped with tools to understand and vet open source packages, ensuring we address potential vulnerabilities while recognizing the need for ongoing updates. As the value of open source grows, securing proper funding for these efforts becomes essential to mitigate risks effectively.” – Paul Davis, U.S. Field CISO, JFrog

“Great event. I really enjoyed the discussions and the idea exchange between speakers, panelists and the audience. I especially liked the afternoon breakout discussion on AI, open source, and security.” – Bob Martin, Senior Software and Supply Chain Assurance Principal Engineer at the MITRE Corporation

“The Internet is plagued by chronic security risks, with a majority of companies relying on outdated and unsupported open source software, putting consumer privacy and national security at risk. As explored at the OpenSSF Policy Summit, we are at an inflection point for open source security and sustainability, and it’s time to prioritize and invest in the open source projects that underpin our digital public infrastructure.” – Robin Bender Ginn, Executive Director, OpenJS Foundation

“It is always a privilege to speak at the OpenSSF Policy Summit in D.C. and converse with some of the brightest minds in security, government, and open source. The discussions we had about the evolving threat landscape, software supply chain security, and the policies needed to protect critical infrastructure were timely and essential. As the open source ecosystem expands with skyrocketing open source AI adoption, it’s vital that we work collaboratively across sectors to ensure the tools and frameworks developers rely on are secure and resilient. I look forward to continuing these important conversations and furthering our collective mission of keeping open source safe and secure.” – Brian Fox, CTO and Co-Founder, Sonatype

“The OpenSSF Policy Summit highlighted the critical intersection of policy, technical innovation, and collaborative security efforts needed to protect our software supply chains and address emerging AI security challenges. By bringing together policy makers and technical practitioners, we’re collectively building a more resilient open source ecosystem that benefits everyone, we look forward to future events and opportunities to collaborate with the OpenSSF to help strengthen this ecosystem.” – Jim Miller, Engineering Director of Blockchain and Cryptography, Trail of Bits

***

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org.

Media Contact
Noah Lehman
The Linux Foundation
nlehman@linuxfoundation.org

Feb 25

Love0

OpenSSF Announces Initial Release of the Open Source Project Security Baseline

By OpenSSF Blog, Press Release

New Initiative Aims to Enhance Open Source Software Security Through Tiered Best Practices

SAN FRANCISCO – February 25, 2025 – The Open Source Security Foundation (OpenSSF) is pleased to announce the initial release of the Open Source Project Security Baseline (OSPS Baseline). The Baseline initiative provides a structured set of security requirements aligned with international cybersecurity frameworks, standards, and regulations, aiming to bolster the security posture of open source software projects.

“The OSPS Baseline release is a significant milestone in advancing security initiatives within the open source ecosystem,” said Christopher Robinson, Chief Security Architect at OpenSSF. “We’re excited to roll out OSPS Baseline following community testing and validation — we are confident that these security best practices are both practical and impactful across open source projects.”

The OSPS Baseline offers a tiered framework of security practices that evolve with project maturity. It compiles existing guidance from OpenSSF and other expert groups, outlining tasks, processes, artifacts, and configurations that enhance software development and consumption security. By adhering to the Baseline, developers can lay a foundation that supports compliance with global cybersecurity regulations, such as the EU Cyber Resilience Act (CRA) and U.S. National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF).

“We’ve gotten helpful feedback from projects involved in the pilot rollout, including adoption commitments from GUAC, OpenVEX, bomctl, and Open Telemetry,” said Stacey Potter, Independent Open Source Community Manager, after helping lead the OSPS Baseline pilot efforts. “We know it can be tough to navigate all the security standards out there, so we built a framework that grows with your project. Our goal is to take the guesswork out of it and help maintainers feel confident about where they stand, without adding extra stress. It’s all about empowering the community and making open source more secure for everyone!”

“I’m excited to see the release of OSPS Baseline,” said Ben Cotton, Open Source Community Lead at Kusari & OSPS Baseline co-maintainer. “This effort provides actionable, practical guidance to help developers achieve appropriate security levels for their projects. Too often, security advice is vague or impractical, but Baseline aims to change that. Every improvement to open source security strengthens the modern software ecosystem, making it safer for everyone.”

OpenSSF invites open source developers, maintainers, and organizations to make use of the OSPS Baseline. Through engaging with this initiative, stakeholders can also contribute to refining the framework and promoting widespread adoption of security best practices in the open source community.

For more information and to get involved, please visit the OSPS Baseline website or GitHub.

Supporting Quotes:

“The OSPS Baseline release is an important step toward efficiently addressing the security and resilience of open source projects. Open source stewards, manufacturers who rely on open source, and end users will all benefit long-term as this community-defined criteria shines light on project security best practices.”

– Eddie Knight, Open Source Program Office Lead at Sonatype and OSPS Baseline Project Lead

“We applaud the launch of the OSPS Baseline as a crucial initiative in bolstering the security landscape of open source projects. At TestifySec, we recognize the importance of robust security frameworks like the OSPS Baseline in safeguarding software integrity and enhancing resilience against evolving cyber threats. We look forward to leveraging these guidelines to further fortify our commitment to delivering secure solutions for our clients and the broader open source community.”

– Cole Kennedy, Co-Founder and CEO of TestifySec

“Security is a fundamental priority for the cloud native ecosystem, and the OSPS Baseline represents a major step forward in providing clear, actionable guidance for projects of all sizes. By establishing a tiered framework that evolves with project maturity, OSPS Baseline empowers maintainers and contributors to adopt security best practices that are scalable and sustainable. The CNCF is proud to support efforts like this that strengthen open source software at every level of development and we look forward to collaborating with the OpenSSF on adoption.”

– Chris Aniszczyk, Chief Technology Officer, Cloud Native Computing Foundation

“As open source has become integral in most of our technology stacks, it has become increasingly critical to streamline and standardize the security expectations between open source maintainers and consumers. By synthesizing the requirements and controls from a variety of laws, regulations, and standards, the OpenSSF Baseline provides a clear roadmap for open source consumers to understand their security foundations.”

– Evan Anderson, Principal Software Engineer at Stacklok and Open Source Maintainer

“The Open Source Project Security Baseline is a vital tool for enhancing the security of open source projects. By offering a comprehensive set of actionable measures, the Security Baseline provides effective guidance for all stakeholders in the open source ecosystem – manufacturers, stewards, and projects alike – to collaboratively assume responsibility and take meaningful steps to secure the open source supply chain on which we all rely.”

– Per Beming, Chief Standardization Officer at Ericsson

***

About the OpenSSF

Media Contact
Noah Lehman
The Linux Foundation
nlehman@linuxfoundation.org

Feb 06

Love0

Securing Public Sector Supply Chains is a Team Sport

By OpenSSF Blog, Global Cyber Policy, Guest Blog

By Daniel Moch, Lockheed Martin

Everyone—from private companies to governments—is aware (or is quickly becoming aware) that the security of their software supply chain is critical to their broader security and continued success. The OpenSSF exists in part to help organizations grapple with the complexity of their supply chains, promoting standards and technologies that help organizations faced with a newly disclosed security vulnerability in a popular open source library answer the question, “Where do we use this library so we can go update it?”

In my work in the public sector, I have an additional layer of complexity: the labyrinth of policies and procedures that I am required to follow to comply with security requirements imposed by my government customers. Don’t get me wrong, this is good complexity, put in place to protect critical infrastructure from advanced and evolving adversaries.

In this post I will describe some of the challenges public sector organizations face as they try to manage their supply chain and how the OpenSSF, with the broader open source community, can help address them. My hope is that meeting these challenges together, head-on will make us all more secure.

Public Sector Challenges

Exposure

Even in the public sector, open source software is being used everywhere. According to Black Duck Auditing Services’ Open Source Security and Risk Analysis (OSSRA) report, as of 2024 open source software comprises at least part of 96% of commercial code bases, with the average code base containing more than 500 open source components. A vulnerability in any one of those components might present significant risk if left unpatched and unmitigated.

Assuming the figures in the public sector are in-line with this report this represents a significant amount of exposure. Unique to the public sector are the risks that come along with this exposure, which don’t just include lost opportunities or productivity, but may put lives in jeopardy. For example, if part of a nation’s power grid is brought down by a cyberattack in mid-winter, people might freeze to death. The added risks, particularly where critical infrastructure is concerned, heighten the need for effective supply chain security.

Identification

Another area where public sector organizations face increased scrutiny is around identification, or what NIST SP 800-63A calls identity proofing. That document describes the requirements the US government imposes on itself when answering the question, “How do we know a person is who they claim to be?”

To provide a satisfactory answer to that question, a person needs to do a lot more than demonstrate ownership of an email address. It is a safe bet that organizations working in the public sector are going to follow a more rigorous identification standard for employees operating on their behalf, even if they do not follow NIST’s guidance to the letter.

It should be obvious that systems supporting the development of open source software do not adhere to this kind of a standard. GitHub, for example, does not ask to see your government-issued ID before allowing you to open an account. As a result, public sector actors must live with a double standard—proving to the government they are who they claim to be on the government’s terms but judging the identities of open source contributors by a different standard.

All that may not be a problem outright. Indeed, there are good reasons to allow open source development to happen without rigorous identification standards. It does, however, introduce some tensions that public sector organizations will need to deal with. For example, if a contractor is required to ensure none of the code in her product originated in a foreign country, how does she ensure that is true for any open source component she is using?

Approval Timelines

When I speak to others in aerospace and defense (part of the public sector, since our customers are governments), the conversation often turns to approval timelines to get software packages onto various, closed networks. The security teams responsible for these approvals have an important job, protecting the critical information on these networks from malicious software. How do they go about this work? Beats me. And even if I could tell you how it worked for one classified network, it would likely be quite different for another. What we have today is a patchwork system, an archipelago of isolated networks protected by security teams doing the best they can with the tools available to them. Historically this has meant manually curated spreadsheets, and lots of them.

This problem is not limited to networks used within aerospace and defense, but keeping the plight of these security groups in mind puts into sharp relief the basic problem faced by every group charged with protecting a network. There might be sufficient information available to make an informed decision, but there has historically been little available in the way of tooling to help bring greater confidence, ease and speed to the decision-making process.

How The Open Source Community Can Help

I have outlined three basic problems that the public sector faces: the risks associated with security vulnerabilities, the limits of identifying where open source software originates, and the timelines associated with getting software approved for use on isolated networks. Now let’s consider some of the ways in which the open source community can help alleviate these problems.

While there’s clearly nothing the open source community can do to directly reduce the risk posed to public infrastructure by vulnerabilities, there are ways maintainers can help the public sector make more informed decisions. Providing a SLSA Provenance alongside build artifacts is a great way to give public sector organizations confidence that what they’re using is what maintainers actually released. What’s more, a Level 3 Provenance gives a high level of assurance that the build process wasn’t interfered with at all. It is possible to achieve SLSA Level 3 by using GitHub Actions.

SLSA Provenance also provides useful information to the groups charged with securing networks (our third problem above). Going further, maintainers can also provide VEX documents with their releases to describe the known vulnerabilities and their status. One interesting use case that VEX supports is the ability to declare a vulnerability in an upstream dependency and assert that the vulnerability does not affect your project. That is useful information for a security group to have, even if they take it with a grain of salt.

That second problem—the impossibility of confidently identifying origin—is one that public sector groups will need to learn to live with. We cannot expect every open source contributor to identify themselves and the country where they reside. In light of this, perhaps the best path forward is for the open source community to develop reputation-based ways to score individual contributors. One could imagine ways of doing this that would both respect individual privacy and provide on-ramps for new contributors to begin building trust. This is almost certainly being done informally and piecemeal already. Systematizing it would only bring more transparency to the process, something that everyone would benefit from.

These kinds of third-party systems would be beneficial beyond contributor reputation as well. There are a variety of data sets useful to supply chain security that are likely being collected by organizations already. When possible, these should be made publicly available so the entire ecosystem can contribute to, help curate and benefit from them. But we cannot stop there. These data sets should be supported by easy-to-use interfaces that help security teams build confidence in the software they are being asked to allow on privileged networks. In short, we should welcome ways to make supply chain security and transparency a team sport.

Conclusion

To sum up, we have considered three challenges that public sector organizations face when securing their supply chains: The high potential impact of supply chain risks, the lack of ability to identify country of origin for open source software, and the long approval times to get new software onto closed networks. We also discussed how the open source community can work to close these gaps. It is worth repeating that doing so would make all of us—not just the public sector—more secure.

It is also gratifying to see the ways the OpenSSF is already contributing to this work, primarily by laying the foundation upon which this work can proceed. SLSA and VEX (in the form of OpenVEX) are both OpenSSF projects. Getting projects to adopt these technologies will take time and should be a priority.

About the Author

For nearly 20 years, Daniel has worked as a software engineer in the Defense and Aerospace industry. His experience ranges from embedded device drivers to large logistics and information systems. In recent years, he has focused on helping legacy programs adopt modern DevOps practices. Daniel works with the open source community as part of Lockheed Martin’s Open Source Program Office.

Jan 29

Love0

OpenSSF Community Day NA 2025: Call for Proposals Now Open!

By OpenSSF Blog

The Call for Proposals (CFP) for OpenSSF Community Day North America is officially open through March 23, 2025! Co-located with Open Source Summit North America, this event will bring the open source community together in Denver, Colorado, on June 26, 2025, for a full day of engaging discussions and presentations focused on securing the open source software (OSS) supply chain.

Submit your proposal now!

Event Details:

When: June 26, 2025
Where: Denver, Colorado
CFP Deadline: Sunday, March 23, 2025 at 11:59 PM MDT/10:59 PM PDT
CFP Notifications: Tuesday, April 1, 2025
Types of Presentations: 5, 10, 15, or 20-minute presentations

This is your opportunity to share your expertise and innovative ideas with the community! We’re looking for sessions on topics like:

AI & ML in Security
Regulatory Compliance
Enhancing Security Tools
Cyber Resilience
Securing the Software Supply Chain
Case Studies & Real-World Experiences

*No product/vendor sales pitches — it’s a community-focused event!

For more information on the CFP, visit here. Submit your proposal today!

Interested in Sponsorship?

We have exciting opportunities available to showcase your support for securing the open source ecosystem. By sponsoring OpenSSF Community Day NA, you’ll gain visibility among key industry leaders, security experts, and the open source community. Join us in driving forward the mission to strengthen the OSS supply chain. Email us at openssfevents@linuxfoundation.org to reserve your sponsorship.

Join Us in Denver!

Don’t miss out on the opportunity to be part of this vital conversation. Whether you’re submitting a proposal, attending as a participant, or showcasing your support through sponsorship, OpenSSF Community Day NA is the place to connect, collaborate, and contribute to securing the open source software supply chain. We can’t wait to see you in Denver and work together to advance the future of OSS security!

OpenSSF Policy Summit DC 2025 Recap

A Message from Steve Fernandez, OpenSSF General Manager,

Keynotes & Panels