Skip to main content

📣 Submit your proposal: OpenSSF Community Day Korea

Tag

Open Source Security

What’s in the SOSS? Podcast #30 – S2E07 Scaling Security: Inside the GitHub Securing Open Source Software Fund

By Podcast

Summary

In this episode of What’s in the SOSS?, CRob sits down with Kevin Crosby and Xavier René-Corail from GitHub to unpack the GitHub Secure Open Source (SOS) Fund – an innovative program that combines funding, education, and community to strengthen open source security. Learn how this unique initiative connects maintainers with training, resources, and a $10K stipend to scale security best practices. The trio also shares the origins of the fund, surprising takeaways from the first cohort, and what’s next for this rapidly growing initiative.

Conversation Highlights

00:00 – Introduction
00:58 – Meet the Guests
02:26 – Open Source Origin Stories
06:10 – The Spark Behind the SOS Fund
10:19 – What Participating in the Fund Looks Like
12:39 – Inside the Curriculum
14:50 – Unique Program Design & Outcomes
16:23 – Key Learnings from the First Cohort
19:09 – Feedback & Areas to Improve
21:50 – What’s Next for the Fund
23:00 – Rapid Fire Round
24:23 – Call to Action

Transcript

Intro Music (00:00)

Kevin Crosby (00:04)
I think that that was one of the most impressive things is just seeing these maintainers emerge out of a program and say, wow, you know, we live security now, you know, I think that that was pretty cool.

CRob (00:18)
Welcome to what’s in the sauce. The open SSF’s podcast where I talk to maintainers and developers, security researchers and experts all around the open source security ecosystem. It is my pleasure to be your host. My name is CRob. I’m the security architect for the open source security foundation and one of our co-hosts for this amazing little endeavor. And today I think we have a real treat. We have some people that have been deeply involved in upstream open source security for a very long time. And they have a pretty innovative idea that they’re going to be talking about this program we’re collaborating on together. So please let me welcome my friends, Kevin and Xavier from GitHub.

Kevin (01:04)
Thanks for having us today. It’s exciting to join the podcast and get to share this journey. And also very thankful for the partnership that you’ve brought through this program as well. Just quick background, Kevin here from GitHub. I lead our open source funding programs, specifically focused on things around GitHub sponsors that enable developers to get paid for their open source work. Think of things like hobbyists that are working on open source part-time to even full-time careers, or even folks that are starting to build companies around open source. And then programs beyond that through the secure open source fund as well as get up fund with with Microsoft’s venture fund as well

CRob (01:44)
and Xavier. Want to introduce yourself?

Xavier René-Corail (01:45)
Hey, Crob. Yes, I’m Xavier René-Corail from GitHub. I’m a Senior Director of Security Research and I lead the GitHub Security Lab. Our mission is to help secure open source. I’ve got a team of hackers who are doing security research. Another team who is in charge of creating the GitHub advisory database and managing our CNA. And, well, also, I’ve been with you, Crob, one of the…kind of initial members of the open source security foundation. We work together in the best practices working group and we are continuing to work together on securing open source.

CRob (02:26)
Yeah, I know Xavier, he and I used to be one of like 15 people that attended all the OG meetings five years ago when we got started off. I’m very glad to continue our partnership with this new evolution of kind of GitHub’s engagement with helping improve open source security.

Xavier René-Corail (02:34)
Haha right.

Xavier René-Corail (02:41)
Yes.

CRob (02:44)
So before we jump into the the SOS program, let’s talk a little bit and explore your open source origin stories. How did you get into open source and you cannot know why what drives you to keep participating here?

Kevin (02:57)
Xavier, you want to go first?

Xavier René-Corail (02:59)
Yeah, I can. So my first step in open source, let me check. So first of all, I started programming in the 80s. I think I started with Tron and I think, yes, my two first games were a snake and a pong. But then, after, you know, during high school, teenage years, I forgot a bit about that then got back to…to coding during college. And then after that, started my career as a developer. And then very quickly, I came into being in charge of development practices. And as part of that, I created the open source policy for the company I was in. And this is how I discovered open source by…um empowering the developers of my company to take advantage of open source and also of course to give back to open source and to contribute to open source. So this is how I came to work in open source.

CRob (04:11)
Awesome. What about you, Kevin?

Kevin (04:13)
Mine’s kind of an interesting story. So I’m non-technical background. Originally, I was in economics, almost did a PhD and freaked out right at the housing bust and decided to go into corporate finance. So a little bit different of an experience. But during that journey, I started working with some early stage startups and venture firms and they were building open source tools coming out of university labs and innovation. And so I got the first flavor through that and really understanding how do you leverage this technology to build innovative products, sometimes even companies around it. And then fast forward a couple of years when I was at Amazon, my next touch point was we were building products that leverage things like OpenFire and Hazelcast to build messaging applications.

One of the coolest things was because we were building with it, I wanted to make sure our engineering team was able to contribute back to that open source project. And so we were actually shipping alongside the community and making sure that they were getting some of the innovations, which was super, super cool to see. And then fast forwarding a little bit further is kind of staying within tech and venture. I was in the Alexa fund. We got to work with early stage startups investing in early stage open source AI companies got to evaluate and meet folks like Hugging Face, for example, and just kind of understanding where this ecosystem was going. And all that kind of brought this view of when I came to GitHub of how do you bolt on funding for open source, make it sustainable, drive innovation, and also create new pathways of funding for these maintainers through their journey. And so that’s what I came here to do. And it’s been super exciting over the past almost two years to think about how we can build new funding models for open source maintainers and projects. So excited for this new addition to that as well being kind of a next iteration of all of the career touch points I’ve had with open source.

CRob (06:10)
Totally didn’t arrange it, but that is an amazing transition. So let’s talk about GitHub Securing Open Source Software Fund. You know, why have you all decided to kind of organize and run this program?

Kevin (06:25)
Yeah, maybe kicking it off with an interesting insight that we had from the GitHub accelerator last year. One of the key modules that I was thinking about, and this was a brainstorm with Xavier, was do we actually know how much security education and training do people have for these emerging, fast growing projects? And even some of the ones that are becoming vital to the ecosystem.

And so I just literally threw it out to Xavier as an experiment. Like, can we try to run this content and engagement with these projects and see what the results would be? And so we did it. And maybe Xavier, if you want to talk about that initial experience, it’d be great to just kind of get your point of view from it as well.

Xavier René-Corail (07:08)
Yeah, well, it was exactly as you said, it was an experiment at first, right? And part of the accelerator and it came a bit last minute, right? But we, but I mean, at GitHub, we are ready to pivot fast and to try to think fast. And so we did some, we did some office hours, we did some one-on-one audits of this project and we did some basic training about security posture. And yes, and the results were great. mean, the engagement of the maintainers and the result, the impact that it had on them was great. So, so Kevin came again.

Kevin (07:58)
I came asking again, like, can we make this bigger? you know, I think the learning that we had is when you connect funding with time training and expertise, you’re able to maximize the impact of the training and education. so, and it also kind of dovetailed with a lot of the needs around security within the open source supply chain. So you kind of had this serendipitous moment of

high need, both in terms of like a macro level, but also high need from a developer level to make this work. And also lining that up with the incentive structure of funding and education that make it really special for these maintainers. so that actually is what kind of seeded this idea of let’s build a programmatic open source fund targeting security that links the funding to the outcomes of security specifically. And so we tested that hypothesis.

Honestly, I’ll say it took us, I think, 30 days round trip from like the seed to actually getting the program previewed at GitHub universe, bringing folks along, getting funders to commit to the program, lining up what a scaffolding curriculum might look like. And so we had that in like 27 days to preview it at GitHub universe. And I actually think that was the first time you and I spoke about it too, because we were like, hey, what do you think?

CRob (09:26)
Great, that was exactly.

Xavier René-Corail (09:27)
Yeah. I mean, it was great because so my team, the security lab, you know, we’re already doing these trainings, these free training, these additional content, this office hours. It was already part of what we do for open source. But with this program, we had the opportunity, you know, to have the, yeah, the programmatic power, know, and the marketing and the partnership and the funding, et cetera. So when Kevin came to me with that, said, yes, please, yes, let’s do that. And I must say that, yes, the turnaround was impressive. And in particular, thanks to partners like OpenSSF, who, I mean, CoreView, immediately said, yes, let’s do it. And yes, it went pretty fast indeed.

CRob (10:19)
So for our audience that may not be familiar, could you just broadly describe if a project is participating in the fund? How does that? What does that look like? What do they do?

Kevin (10:30)
Yeah, that’s a great question. Maybe I’ll tee this up really quickly by saying the overall architecture of the fund brings together funders, organizations, community partners like OpenSSF and some others that actually bring resource expertise and kind of shape the program and then GitHub as well as our maintainers. And so we kind of have this ecosystem surrounding this. And so what we’ve done as a program, as a maintainer that gets brought in,

You go through a standard application process, highlighting things around what your project is, what you do with your project, what your project does for the ecosystem, level of security awareness and education, the benefit of the funding specifically, what it can do to unlock resourcing, et cetera. And that’s kind of the process to bring them in. And once we’ve done that, we architected what I would consider a really unique structure. And I’m excited to talk about it for variety of reasons, but…

It’s effectively a three-week boot camp focused on security fundamentals, thinking about things that you need to have at day zero of building a project, all the way up to the lifespan of your project, thinking about implementing some of these techniques within the project itself, and then also some of the frontier stuff around AI. And so this three-week boot camp is around security fundamentals, best practices, but then we bolt on things like six months check-ins, 12 months check-ins.

community engagement with experts throughout the program to make sure that we actually line up all the resources that a maintainer would need, not just to learn it, but to actually embed it and embody it in their culture, make it scale out to their contributors, their communities, and even their consumers of their software. So I’m really excited about how the program’s been shaped. And a big kudos to Xavi, and I want him to talk about this in depth.

the security lab team is what bolts this together. And so I want to make sure like the impact of like how this all comes together is really focused on the security lab and the work they do. So Xavier, I would love you to kind of like jump in on the curriculum and education.

Xavier René-Corail (12:39)
Yeah, thank you, Kevin. Well, again, I mean, this is things that we were doing, but this program really brought the opportunity to amplify it. So it’s not only, it’s really together that we that we are, that we managed to put that up. So, so in terms of curriculum, yes, we, are trying during this free week bootcamp to, to, to, to have a mix of, you know, basic security posture and some advanced training on, for example, on fuzzing, on static analysis, things like that.

So you really have to mix because you have a mixed audience first. you need to, I mean, not everyone is at the same moment of their security journey, right? So you have to mix of that. We are trying to address all aspects from coding to incident response to vulnerability management.

So again, a mix of that. And of course, the important thing is that we are in continuous improvement mode. from the feedback from the first cohort, we will get to add more content. We have some people who are coming to us and proposing new content. And we’re like, yes, please come in.

So yeah, that’s in a nutshell, yes, that’s how we built this program. We are trying to get experts giving these training. So from us, but also from our partners, from the great David Wheeler, for example, from OpenSSF. So this is adding…

This is adding something to the learners, to maintainers, to have these great presenters who know what they’re talking about, giving them these presentations and answering the questions. So yes, that’s it.

Kevin (14:53)
I was gonna say, and just to double click on that a little bit, I mean, I think the uniqueness of it, to Xavier’s point, is how we framed and packaged it. So if we zoom out and say, what does a maintainer get? It’s three weeks security bootcamp with all of the education and expertise with these topics really focused on the programming. They get access to the security lab. They get access to the maintainer community.

They get access to the ecosystem partners that we’ve brought in and the funding partners as well. And then on top of that, they get embedded with like the data of like, how are we progressing in our own security journey? Like, we making progress? Are we embedding it in our community? How are we collaborating with other projects and maintainers through that as well? And so that’s kind of what the maintainers get. And the last thing that I think, you we didn’t really touch on, but the funding is really, you know, aligning the maintainers to spend the time commitment on it. So we provide a $10,000 stipend to the projects.

CRob (15:52)
Wow.

Kevin (15:52)
Most of that comes upfront, you know, the $6,000 upfront of the program to really solidify the three week boot camp. And then the others are to align onto the reporting and kind of the touch points and making sure they’re continuing on their security journey. so by aligning the funding and linking it to the outcomes that we’re trying to get with security, it becomes a really great model that is helpful for maintainers and for the projects that are being improved with security throughout the program.

CRob (16:20)
That’s awesome. So Xavier touched on it. We are just coming towards the end of the first cohort. Could maybe you share what’s been some of the most surprising things you’ve learned so far in interacting with both the funders and the maintainers and projects?

Kevin (16:41)
Maybe Xavier, do you want to go first?

Xavier René-Corail (16:44)
Well, yeah, my big surprise was the enthusiasm of everyone. I mean, I know this is something that is a passion for me, but I was, I mean, I don’t know, I wasn’t expecting that level of enthusiasm and of engagement from everyone. Really, you know, I was expecting some of the projects to be already quite advanced on the…you know, in their journey and then to be, to react a bit like, okay, there is content that is interesting for me, but some of the content is too basic. I was expecting that, right? No, everyone was really, really super engaged and super enthusiastic. So that was the big positive surprise for me. What about you, Kevin?

Kevin (17:41)
Yeah, I echo that. I kind of bucket them in three different functions. One is I think there was a very strong level of trust from the outset because they were all shared alignment on security within their project. And so I think everyone walked in and this kind of drove the enthusiasm of like, we’re all here for the same thing and having the same impact. So that was great. Two, I think the community lens was very fascinating to me just to see folks across different sizes of projects, stages of their growth or in kind of like distribution, as well as their own maturity journey within security, and like just seeing that community fuse really well together to cut across different frameworks, languages, et cetera, was really powerful. And I think the last thing that I’d say on this is the outcomes that we see is meaningful. Like not just from like, did the…things go red to green or anything like that, but really like you see them embody this change of what it means to be a steward of security with an open source. And that’s really unique. don’t think, and we kind of saw glimmers of that within the accelerator, but I didn’t think we’d, I didn’t know if we’d see it at this scope and scale. And I think that that was one of the most impressive things is just seeing these maintainers emerge out of a program and say, wow, you know, we live security now, you know, I think that that was pretty cool.

CRob (19:09)
Awesome. So on top of this, sounds like you’ve gotten a lot of great feedback. Is there anything that kind of stands out that you’ve got a maintainer or project kind of shared something really valuable to you all back from this experience?

Kevin (19:23)
I have a lot. I think one of the things that stands out in feedback is kind of going to the point of maturity curve is that it’s a very meaty subject. And so being able to scale content and education appropriately to meet maintainers where they are in their own journey is like one of the most critical things. And I think we’re we’re, you know, adjusting to that is like one one thing to think about. And then to Being able to touch upstream and downstream projects within their own Ecosystems is another area where I think that that’s a big opportunity for us to engage and kind of think about securing through the program as well. So those are just two immediate ones that I’m pretty excited about Xavi, what about you?

Xavier René-Corail (20:17)
Yeah, will double down on what you said Kevin: scaling to more projects, this will be the big challenge. And one other thing that I will add that I want to focus on also, because that was a positive feedback from participants, is adding some fun to the training. All of the training that were interactive and fun and with quizzes, et cetera. worked very well. so, yeah, you know, I used to say that boring is the arch enemy of learning. And so, yeah, I, I think that I want to add a bit more fun to the to the curriculum. So..

CRob (20:58)
I for one, totally agree with that. I think security is a lot of fun.

Xavier René-Corail (21:02)
It is.

Kevin (21:02)
The security is a lot of fun. You know, it was super interesting to see the modules I’d say that had interactive coding engagement. Like people really love just diving into it. And the other thing that was kind of unique that I don’t think it’s super surprising, but this concept of like see one, do one, teach one. Like it’s people coming through this journey and like, as you emerge, the first time you see it, like, my gosh, like this is overwhelming. The next time you do it, like I can actually do a coding exercise on this and actually implement some changes.

And then you see people a day later that are teaching like, this is how I did it, or this is how I’m thinking about it. It’s really cool to see that like, transpire throughout the program. And people loved it. Like to your point on fun, that made it fun, you know, to be able to teach people and engage is really unique.

CRob (21:50)
So let’s gaze out over the horizon, kind of what’s coming down the pipe for the GitHub Securing Open Source Software Fund. What do you have in your bag of tricks next?

Kevin (22:00)
Bag of tricks, that’s always a great question. As Xavier said, I mean, we have to scale. So we did the first session. Our objective is to do 125 projects this year. So we have multiple sessions that will be going on throughout the back half of the year. Session two will be kicking up in the next couple of months. And so we’re rapidly preparing for that. Yeah, I think that that’s where we’re looking forward to just in the back half of the year.

CRob (22:28)
Mm-hmm.

Xavier René-Corail (22:30)
Yeah. And in terms of curriculum, as I said, I’m receiving a lot of proposals to add content. going through that, going to add this content, I’m in particular interested if I have some ecosystem partners who are listening, I’m interested in language specific training for security. So if anyone has them, please reach out.

CRob (22:56)
Patches welcome, right?

Xavier René-Corail (22:58)
Yes, always.

CRob (23:00)
Nice. Well, let’s move on to the rapid fire part of our session. Are you ready for rapid, rapid, rapid fire? I have some wacky questions I’m going to ask you. Just give me the first thing that comes out of your on top of mind. First question and potentially controversial, VI or Emacs.

Xavier René-Corail (23:04)
Ha

Kevin (23:04)
Love it.

Xavier René-Corail (23:24)
Emacs.

Kevin (23:25)
I’m going to go the opposite just to say VI

CRob (23:29)
There are no wrong answers. Some are better than others, though. Also equally contentious, tabs or spaces.

Xavier René-Corail (23:30)
spaces.

Kevin (23:31)
I like tabs.

CRob (23:45)
You guys are balancing each other out very well.

Xavier René-Corail (23:45)
Right?

Kevin (23:45)
Yeah.

CRob (23:47)
Ice or neat?

Xavier René-Corail (23:50)
Neat.

Kevin (23:51)
Neat.

CRob (23:52)
excellent, excellent answer. Who’s your favorite open source mascot?

Xavier René-Corail (23:58)
Mona, of course.

Kevin (24:00)
Yeah, you can’t go wrong with Mona.

CRob (24:04)
That is perfectly fine. And finally, the most important question, mild or spicy food?

Kevin (24:12)
I’m all about spicy food.

Xavier René-Corail (24:12)
Spicy for me. Yeah, good, spicy. I’m from the Caribbean and yeah.

CRob (24:22)
Ohhhhhh….that’s spicy. Nice. Excellent. Well, thank you all for playing along. And as we wrap up, do you have any call to action or anything you want to ask our audience to potentially think about in regards to your program?

Kevin (24:33)
Certainly, I mean, right now, any maintainers that are interested in joining to up level their security, we’re welcoming applications. They’re rolling on going throughout the year. As you know, we have a robust pipeline of projects to go through in multiple sessions. So always feel free to apply. And then for funders, if they’re interested in helping secure their own dependencies, welcome those conversations. I think it allows us to unlock more opportunities and projects with with funders. They also bring unique insights and resources from their own ecosystems and Xavier said it too, and ecosystem partners that are ready for the journey to provide education, curriculum, engagement with maintainers. Some of them are even unlocking referrals for their maintainers that are coming through the program, things like that. So we would certainly welcome those opportunities throughout the year. It’s not just today, it’s not just tomorrow, but it’s an ongoing journey.

CRob (25:18)
Very nice.

CRob (25:27)
Xavi any advice for the audience to have or a call to action?

Xavier René-Corail (25:30)
No, honestly, nothing to add. I already made my cultivation. I need some language specific training for security. So if you want to help open source projects, please reach out to me.

CRob (25:48)
love it. Thank you gentlemen for helping shepherd this amazing project program together to help the ecosystem. And I really am excited to see the results as you are engaging directly with these maintainers. So thank you all for coming and I will wish everybody a happy open source and out there. Thanks all.

Xavier René-Corail (26:08)
Thank you, Crob.

Kevin (26:08)
Thanks for having us.

Outro (26:10)
Like what you’re hearing. Be sure to subscribe to What’s in the SOSS on Spotify, Apple Podcasts, antennapod, pocketcast or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it all. Check out the newsletter for open source news, upcoming events and other happenings. Go to openssf.org/newsletter to subscribe. Connect with us on LinkedIn for the most up-to-date OpenSSF news and insight and be a part of the OpenSSF community at openssf.org/getinvolved. Thanks for listening and we’ll talk to you next time on What’s in the SOSS.

OpenSSF Newsletter – April 2025

By Newsletter

Welcome to the April 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR

This month, the OpenSSF highlights a new free training course, “Understanding the EU Cyber Resilience Act (CRA) (LFEL1001),” designed to help organizations prepare for the CRA’s full application by December 2027. The course covers essential requirements, roles, and compliance processes to help teams reduce risk and meet regulatory standards. The OpenSSF also invites you to join upcoming Community Day events in Japan, North America, India, and Europe to help drive collaboration in open source security. Don’t forget—submit your proposal to speak at OpenSSF Community Day Japan by April 27 and check out the live agenda for Community Day NA 2025. Explore key takeaways from VulnCon 2025, learn about the launch of Model Signing v1.0 to secure the ML supply chain, and preview our latest tech talk on global policy and the Open Source Project Security Baseline. Dive into IDC’s new research on software supply chains, enroll in the free course on the EU Cyber Resilience Act.Stay connected with OpenSSF community updates, upcoming events, and working group news!

Tech Talk Preview: Strengthening Open Source Through Security Standards and Global Policy

TechTalkApr2025

Open source is the backbone of today’s digital infrastructure – but with great power comes great responsibility. As cybersecurity threats grow and global policies evolve, open source projects must meet increasing security expectations. Join Christopher “CRob” Robinson (OpenSSF) (Moderator), Ben Cotton (Kusari), Emily Fox (Red Hat) and Megan Knight (ARM) for a tech talk that dives into these challenges and highlights the OpenSSF community’s solution: the Open Source Project Security Baseline. Learn how this framework helps projects align with key standards and prepare for compliance. 

Don’t miss out – register now and join the conversation to strengthen open source through community-driven security and global policy engagement.

NEW FREE COURSE: Understanding the EU Cyber Resilience Act (CRA) (LFEL1001)

Enroll in LFEL 1001

With the Cyber Resilience Act (CRA) officially published as Regulation (EU) 2024/2847 and entering into force on December 10, 2024, the countdown is on for organizations to understand and prepare for its full application by December 11, 2027. The CRA introduces broad obligations for products with digital elements, aiming to reduce cybersecurity risks and increase trust in the European digital market.

To help organizations prepare, LF Education and the Open Source Security Foundation (OpenSSF) launched a free training course: “Understanding the EU Cyber Resilience Act (CRA) (LFEL1001)” – now available online.

This course covers the key requirements of the EU’s Cyber Resilience Act (CRA), including terms, roles, obligations, essential cybersecurity requirements, product markings, compliance processes, and penalties for non-compliance. It prepares decision-makers, software developers, OSS developers, and OSS stewards to navigate CRA compliance, mitigate risks, and meet regulatory standards. 

Enroll in the free course!

Key Takeaways from VulnCon 2025: Insights from the OpenSSF Community

In “Key Takeaways from VulnCon 2025: Insights from the OpenSSF Community”, Christopher Robinson (CRob), Chief Security Architect at OpenSSF, reflects on the power of collaboration and innovation that defined this year’s VulnCon. Held in Raleigh, NC, the event brought together global security professionals to tackle pressing challenges in vulnerability management. CRob shares firsthand insights from OpenSSF’s active involvement throughout the conference, highlights the importance of metadata, open source supply chain security, and evolving global regulations like the EU’s Cyber Resilience Act. If you’re passionate about strengthening the open source ecosystem and want to hear how the OpenSSF community is leading the charge, check out this blog.

Last chance to speak at OpenSSF Community Day Japan!

Call for Proposals closes Sunday, April 27 at 23:59 JST.

Join us in Tokyo and share your insights on open source security, tooling, education, AI, and more. Whether it’s a 5-minute lightning talk or a 20-minute session, we welcome diverse voices from across the ecosystem.

👉 Submit your proposal today

OpenSSF Community Day NA 2025 Agenda Live!

1200x628 AgendaLive

We are excited to share that the agenda for OpenSSF Community Day North America 2025 is now live! Join us on June 26 in Denver, Colorado, for a day filled with collaboration, technical insights, and future-focused conversations on securing the open source ecosystem.

Launch of Model Signing v1.0: OpenSSF AI/ML Working Group Secures the Machine Learning Supply Chain

In Launch of Model Signing v1.0: OpenSSF AI/ML Working Group Secures the Machine Learning Supply Chain, authors Mihai Maruseac (Google), Martin Sablotny (NVIDIA), Eoin Wickens (HiddenLayer), and Daniel Major (NVIDIA) introduce the first stable release of the model-signing project from the OpenSSF AI/ML Working Group. This blog presents the motivation, features, and broader goals of the project, including how model signing helps secure the integrity and provenance of machine learning artifacts across the supply chain. Read the full blog to learn how this initiative marks a key milestone toward a secure AI future and how you can get involved.

Community Member Updates:

Google Cloud and Canonical recently sponsored a new report by IDC on the State of Software Supply Chains. According to the report, which surveyed over 500 decision-makers in IT and Information Security roles, 7 in 10 responsible teams spend more than 6 hours per week on security patching. The report also reveals that compliance with regulations remains a challenge for most organizations, with more than a third of respondents reporting that they struggle to understand how regulations apply to specific systems and software components. The adoption of artificial intelligence is increasing compliance burdens with 60% of organizations reporting that they have only basic or no security controls to safeguard their AI/ML systems.

Download the report on Canonical’s website for other interesting stats and learnings on open source supply chains.

News from OpenSSF Community Meetings and Projects:

In the News:

Meet OpenSSF at These Upcoming Events!

Join us at OpenSSF Community Day Events in North America, India, Japan, and Europe!

OpenSSF Community Days bring together security and open source experts to drive innovation in software security.

Connect with the OpenSSF Community at these key events:

You’re invited to…

See You Next Month! 

We want to get you the information you most want to see in your inbox. Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team

What’s in the SOSS? Podcast #27 – S2E04 Enterprise to Open Source: Steve Fernandez’s Journey to the OpenSSF

By Podcast

Summary

In this episode of What’s in the SOSS, we sit down with the OpenSSF’s new General Manager, Steve Fernandez — a seasoned enterprise tech leader whose resumé spans giants like L’Oréal, Coca-Cola, AIG, and Ford. Steve shares his “origin story,” what drew him into the world of open source, and how his decades of experience as a consumer of open source software are shaping his vision for the Foundation.

Conversation Highlights

00:21 Welcome & Introductions
00:57 Steve’s Tech Journey
03:13 Why OpenSSF?
05:02 The Role of Security & Strategic Vision
08:17 Rapid Fire & Final Thoughts

Transcript

CRob (00:21)
Welcome, welcome, welcome. This is What’s in the SOSS, the OpenSSF’s podcast where we talk to developers, industry experts, and assorted amazing people within our open source ecosystem. I’m CRob, one of your co-hosts for this little event. I do security stuff on the internet, and today we have a new friend to introduce the world to, Steve Fernandez, who just recently joined the foundation.

And Steve, maybe you could talk a little bit about, introduce yourself and maybe talk about your technology origin story.

Steve Fernandez (00:57)
Thanks a lot and great introduction, by the way. So pleasure to meet everybody. My name is Steve Fernandez and as CRob mentioned, I’m the new general manager for the OpenSSF. And I come to this place through a long IT journey. For the last 30 years, I’ve been mainly on the enterprise side of the IT game.

I’ve done various roles as CIO and CTO in many different industries as well as many different companies. Most recently, before I came to the OpenSSF, I was the CIO for NCR Voyix, and previous to that, I was Chief Technology Officer for L’Oreal in Paris, Chief Technology Officer for AIG in the insurance industry.

I was chief technology officer at Coca-Cola and then I worked many years inside of GE and Ford Motor Company in different technology roles. So I really come to this job, I think, with a different and unique perspective than many who’ve been in the open source world for forever. I’m coming as a user of the open source and it’s been a user of the software and the technology inside of all the platforms that I’ve run and managed over the last 30 years. So I’m very excited to take a little different view of technology in this role and hoping a lot of my experience from running enterprise and running large scale platforms and running things day to day is going to translate into growth for the organization and further stability as we move forward.

CRob (02:43)
And, we’ve cited here and at other events, just the penetration of open source in normal operations and just how critical open source is to a lot of enterprises. So I’m very excited to kind of benefit from the experiences you’ve had in your long and successful career and trying to help bring that more business focus to us. But I’m curious, what drew you to the OpenSSF? Was it the goose?

Steve Fernandez (03:13)
I think it could have been the goose, which is quite the great icon. You know, it was a, it’s really interesting for me personally. I was getting to a point in my life where I’ve done many, many operational roles throughout my life and my career. And I was taking a little break and trying to figure out what I wanted to do when I grow up and what I wanted to do next on the journey. And, you know, it’s one of those small things, a friend of a friend talked to me about this position and I said, hmm being general manager of a foundation. Well, I can at least take a look and see what it’s about. And, and, uh, I don’t know, it’s something I’ve never done before, but I think it might make sense. So I sat down with, uh, Jim Zemlin, uh, head of the Linux foundation. And we just had a great conversation and being an open source user throughout my career and knowing the importance of open source and security you know, to every company’s platform, to every company’s install base. It really was a job that I was looking for where I thought I could do some good for the community. I thought I could, like I said earlier, take a different perspective on things, add a little bit of my corporate background to the organization and merge the two together.

Steve Fernandez (04:31)
So for me, it was really about trying something new, experimenting – bring a little bit of your old experience into a new environment. And I have to say, in just the last month that I’ve been here, it’s been an exceptional experience and working with absolutely great people, working with a great community. So, so far it’s been a really, really positive experience and a bit different from my enterprise days, but at the same time, very exciting and it’s great to be involved in real technology.

CRob (05:02)
So it’s interesting you have a long history of kind of helping lead technology organizations. From your perspective, how have you seen security kind of help the business and how does security help developers and other consumers?

Steve Fernandez (05:18)
Yeah, so I’ve always called security kind of the hidden greatness. It’s one of those things that you don’t know you need security until you know you need security.

CRob (05:30) Yeah.

Steve Fernandez (05:31)
And on the enterprise side of the game, it’s your constant worry about security and risk. And you’re always worrying about your platforms. You’re always worried about your products. You’re always worried about making sure that things that you’re presenting to the consumer or to the employee or to, you know, the different install bases, you have an inherent need to make sure your products and your technology are secure. So I’ve always had a love hate with it because you hate to spend incredible amounts of time and investment in security, but you absolutely love it because it keeps you safe and, and, and makes sure that your products and your technology are going to…with it – you know, there are bad actors out there and people do want to get into your products. They do want to find out, you know, personal information. So security is that thing that makes us feel a little bit better. And it lowers your risk profile. And, you know, it’s really the glue that’s needed inside of a technology base.

CRob (06:37)
Mm-hmm.

And thinking about your experiences in your past roles, what do you see, kind of, the additional value and capabilities you’re going to bring to the foundation to help us further our mission?

Steve Fernandez (06:51)
Well, I’m thinking, you what I found in the foundation last month and working with people is we have an incredible set of people and we have an incredible set of technical sales and also have like a really unique community that works together in, you know, in a matrix like organization, but it really works and people are all, you know, moving forward to do what they think is the right thing.

I think what I’m going to try to bring to the foundation from my past is a little bit of strategic vision, a little bit of process, a little bit of thought process at a methodical level so that we best utilize the people that we have and the capabilities that we have. One of the great things I felt as I came into the organization and I’ve been doing my original first month assessment is, you know, we don’t have to reinvent the wheel. We just got to get efficient. We got to make sure our priorities are in line. We need to make sure we work with our enterprise partners. We need to make sure we work with our development community. And I think my job is going to be bringing those different pieces together and working a little bit more seamlessly.

So, that’s really, think, where I’ll add value and a little bit of my past will help out the organization.

CRob (08:17)
Excellent. Well, I can say personally, I’m very excited to be collaborating with you on this mission. And I know our community is very excited to be working with you. But let’s move on to the rapid fire part of our session. Are you ready for rapid, rapid, rapid fire? I got a couple of wacky questions I’m going to ask you just off the cuff answers. What’s your favorite vegetable?

Steve Fernandez (08:40)
Broccoli

CRob (08:42)
Okay, that is a perfectly fine vegetable. Thinking about the amazing open source ecosystem, what’s your favorite open source mascot?

Steve Fernandez (08:51)
The Goose.

CRob (08:53)
The goose, that’s an excellent answer. And mild or spicy food?

Steve Fernandez (08:59)
Spicy as it can get.

CRob (09:00)
Ohhhh, that’s spicy. Nice. And final and probably most important question. Star Trek or Star Wars?

Steve Fernandez (09:11)
Gotta go Trek.

CRob (09:12)
Excellent. Both answers are great, but that’s a fine, fine answer. Thank you, thank you. Well, Steve, as we wind down, do you have any kind of parting thoughts, any words of wisdom that you want to share with our community?

Steve Fernandez (09:29)
You know, I just say to the community, mostly keep the passion alive that you have for the work you’re doing. It’s very apparent when somebody new to the community sees it, you know, especially like myself. I see the passion. I see the intelligence. I see the hard work. And I think you should all feel very proud about that work that you’re doing. It really shows and it’s really transparent to everybody.

So, you know, I’m here to work with you. I’m here to collaborate. I’m here to help drive whatever I can do to better the community. So in that spirit, just please be open with everybody. Feel free to contact me at any time if you have ideas or thoughts about how we can improve the community or how we can move forward. That’s very important to me and I want to work in this know, great environment and, you know, and really help it grow and really foster that security community that we built and continue to do so. So I just say keep working hard and it’s going great.

CRob (10:35)
Thank you very much Steve Fernandez. Thank you for joining us and thank you for spending your time today with what’s in the SOSS and to our audience Happy open sourcing. We’ll talk to you soon

(10:47)
Like what you’re hearing. Be sure to subscribe to What’s in the SOSS on Spotify, Apple Podcasts, antennapod, pocketcast or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it all. Check out the newsletter for open source news, upcoming events and other happenings. Go to openssf.org/newsletter to subscribe. Connect with us on LinkedIn for the most up-to-date OpenSSF news and insight and be a part of the OpenSSF community at openssf.org/getinvolved. Thanks for listening and we’ll talk to you next time on What’s in the SOSS.

Key Takeaways from VulnCon 2025: Insights from the OpenSSF Community

By Blog

By Christopher Robinson (CRob), Chief Security Architect, OpenSSF

VulnCon 2025 has once again proven to be an essential gathering for security professionals, fostering collaboration, innovation, and progress in vulnerability management. This matches well with the OpenSSF continued championing for transparency and best practices in open source security. Practitioners from around the world gathered in Raleigh, NC, the week of April 7-10, 2025 to share knowledge, collaborate, and raise awareness of key issues within the global vulnerability management ecosystem.  We wanted to share my key takeaways from this year’s conference and highlight some of the insightful contributions from our community members.

OpenSSF’s Engagement in Cybersecurity 

The Open Source Security Foundation (OpenSSF) seeks to make it easier to sustainably secure the development, maintenance, and consumption of the open source software (OSS) we all depend on. We work on this by fostering collaboration with fellow industry groups like the CVE Program and FIRST, establishing best practices like our recently released Principles for Package Repository Security guide, and developing innovative solutions like Open Source Project Security Baseline, or engaging in global cybersecurity legislation and public policy conversations with our Global Cyber Policy Working Group. Cross-industry collaboration and knowledge sharing is crucial to properly address major challenges by fostering innovation, knowledge sharing, driving sustainable growth, and maximizing the impacts of our collective efforts.

The OpenSSF was thrilled to have a notable presence at VulnCon with significant representation from our Vulnerability Disclosures Working Group and other projects throughout the week. Our engagement in this event illustrates our commitment to community engagement and further supports our strategy to actively engage with the community and facilitate collaboration across industry stakeholders to sustainably address open source software security challenges effectively with transparent operations and governance.

The partnership between the OpenSSF and the FIRST PSIRT SIG showcases how industry and upstream effectively work together on these issues that have global impacts and how we’re better collectively collaborating to solve these complex and far-reaching challenges. Through our co-work on industry standards, and frameworks, or an event like VulnCon – we’re better together!

By the Numbers

The inaugural VulnCon was a cross-industry effort that was held in March 2024. There were 360 security professionals in attendance, with an additional 239 participating virtually (599 total) with nearly 40 sessions given. 2025 saw a dramatic increase in the participants and volume of content shared! This year there were 448 in person attendees with 179 global friends watching and participating virtually (627 total). 294 organizations attended from 36 countries. The program itself almost doubled, adding a 4th full day of sessions and expanding the number of tracks provided up to 100 sessions. Of this, I am proud to say that the OpenSSF members provided over 16 sessions about our community’s work and 46 total sessions given by member representatives.

The Power of Collaboration in Vulnerability Management

This year’s VulnCon featured an amazing docket of talks and workshops spanning the broad spectrum of vulnerability management, disclosure, and coordination. Open Source Software was discussed throughout the four day event, driving home to me how much influence and exposure upstream has on industry and public policy.

Here are a few of my key takeaways:

  1. The Importance of Vulnerability Metadata
    • Vulnerability metadata is crucial for the ecosystem, and OpenSSF’s needs and contributions in this area were front and center. There were numerous talks about OSV and how gaining deeper insights into upstream metadata helps everyone involved. Our members also helped lead and participate in discussions around SBOM, VEX, Vulnerability identifiers like CVE, and helping align software identifiers and finding paths forward around things like CPE and PURL.
  2. Understanding the Open Source Supply Chain
    • The talk from Apache Airflow and Alpha-Omega was a great example of how projects are working with their critical dependencies. They shared how downstream users can do similar work for better security outcomes. Downstream is slowly waking to the notion that more attention, due-diligence, and participation is needed to help make the upstream open source projects they consume continue to be successful.
  3. EU’s Cyber Resilience Act (CRA) Takes Center Stage
    • April 8 featured a dedicated track on the CRA. This law has major implications for vendors and how they assess risk and conduct due diligence across their supply chains. Open source stewards like the Linux Foundation will be essential partners as manufacturers work to meet their CRA obligations by December 2027. Our Global Cyber Policy Working Group is collaborating with key open source peers, industry partners, and the European Commission to assist open source developers, Open Source Stewards, and Manufacturers prepare for the quickly approaching 2026 and final 2027 deadlines.
  4. OSS Security Day: A Focused Deep Dive
    • April 9 was designated as “OSS Security Day,” with 20 sessions focused on various aspects of securing open source software. One key focus was on OpenSSF’s Security Baseline. The Baseline initiative provides a structured set of security requirements aligned with international cybersecurity frameworks, standards, and regulations, aiming to bolster the security posture of open source software projects.

What’s Next? Get Involved with OpenSSF

At the end of the day, security is about effectively managing risk and preparing for the inevitable threats that loom on the horizon. Events such as VulnCon or the forthcoming CNCF-OpenSSF SecurityCon allow experts to come together, share their hard-won wisdom, raise awareness of issues of concern, and collaborate on solutions to address security issues around the world.

The conversations at VulnCon reaffirm the importance of continued engagement in the security community. If you’re interested in contributing to the advancement of open source security, I encourage you to join the OpenSSF community.

Join the OpenSSF mailing list to stay informed about upcoming events, working groups, and initiatives.

For those who couldn’t make it, you can check out recorded content from VulnCon 2024 on YouTube and look out for the VulCon 2025 playlist to get a sense of the discussions shaping the future of vulnerability management. Thank you to all of our amazing community members who were able to come out and demonstrate the power of collaboration of our open source security community and partner with our peers and downstreams within industry, security research, and global governments.

What’s in the SOSS? Podcast #26 – S2E03 JavaScript’s Big Footprint: Robin Bender Ginn on Leading OpenJS and Open Source at Scale

By Podcast

Summary

Robin Bender Ginn, Executive Director of the OpenJS Foundation, joins us to talk about JavaScript’s massive footprint, the challenges of sustaining critical open source projects, and the importance of security in the web ecosystem. She shares her journey, insights on community-led development, and how OpenJS is building a healthier future for the JavaScript ecosystem.

Learn more and register for JSConf North America: https://events.linuxfoundation.org/jsconf-north-america/register/

Conversation Highlights

0:00 JavaScript’s Critical Web Presence
0:51 Robin Bender Ginn Introduces OpenJS Foundation
2:01 Core Challenges Facing JavaScript Ecosystem
4:12 Managing Older Projects and Outdated Software
8:23 Solutions and Security Improvements
12:12 Individual Impact and Community Involvement
14:35 Wrap-Up and Call to Action

Transcript

Robin Bender Ginn: 0:02
Anything you do requires JavaScript, whether it’s AI or in the metaverse. People forget that JavaScript is a critical part of delivering almost everything you do.

CRob: 0:17
Welcome, welcome, welcome to What’s in the SOSS, the OpenSSS podcast where we talk to amazing people and technologists within the space of open source, open source supply chain and software security. We have a real treat today. We have a friend of the foundation, Robin Ginn, and we are going to hear some amazing stuff about her little corner of this amazing world called open source. So, Robin, why don’t you introduce yourself and maybe share what’s your open source origin story for our audience?

Robin Bender Ginn: 0:51
Super cool. Well, hey, thanks for having me. I’m just super psyched to be here. We kind of have a little I would say we have a little corner for JavaScript. We have a big sort of footprint in the world. If you think about the web, JavaScript’s in 98% of the world’s websites. And I have the honor of being the executive director of the OpenJS Foundation. I’ve been there since the beginning and OpenJS was the merger of the Node.js Foundation with the JS, the JavaScript Foundation, a little over five years ago. So, I came on after a long career at Microsoft doing open source to lead up this wonderful organization. So super psyched to be here.

CRob: 1:39
That’s cool and we’re very glad for all the amazing work that comes out of your community super used around the web. From your perspective, having done this for a while, what do you see are some of the core challenges facing the world of JavaScript and the web ecosystem that impacts security?

Robin Bender Ginn: 2:01
Well, you know, I think we have the coolest developers around. Again, anything you do requires JavaScript, whether it’s AI or in the metaverse. People forget that JavaScript is a critical part of delivering almost everything you do. But unfortunately, one of the key challenges is the world of tech suffers from this shiny penny we call it the shiny penny syndrome.

Robin Bender Ginn: 2:26
People love the latest and greatest things and, you know, sometimes JavaScript and the web may not be seen as strategic as it truly is. That sort of creates a kind of a ripple effect on some other challenges we face. So whether that is raising money, you know, sustainability is very important. We have a lot of volunteers running our open source projects. As opposed to some company led projects, we have a lot of community led projects. So if you think about Node.js, it was downloaded 2 billion times last year, wow, wow. And that’s a lot of volunteers and, unfortunately, a lot of companies who all rely on, for example, Node.js, treat our really hardworking, passionate volunteers like they are their paid support staff and create a lot of demands on these folks. So those, you know, leads to burnout and all these other things.

CRob: 3:33
And that’s something that many of the communities we talk with and interact with feel similarly. They have similar challenges.

Robin Bender Ginn: 3:39
Yeah.

CRob: 3:42
Yeah, I think you probably touched on this a bit with your statement of being kind of a seminal foundation for the web. It’s hard to be a little older speaking as someone that has a little more gray in their hair than they used to, and OpenJS holds some really interesting kind of oldies but goodie type projects like Node.js and jQuery. You know how that impacts your maintainers and end users, where it seems like there are so many people that are using outdated or unsupported open source software?

Robin Bender Ginn: 4:22
Yeah, I mean, it does you know? Sometimes it sucks to be old, but in our case I would say that we have broad adoption. So Node.js, again 15 years old, it’s basically everywhere. Node is everywhere. Express.js, you know, 30 plus million. You know weekly downloads. Jquery, 18 years old. It’s in 92% of the world’s websites. So you know, what’s great is the adoption, the stability. The maintainers, many of them have been with the project for 10 plus years. It’s awesome.

Robin Bender Ginn: 4:59
And yeah, so we have this beautiful culture around these projects. You know, some of the challenges are a couple of things that we fixed. One is that our infrastructure got to be a little messy.

Robin Bender Ginn: 5:17
Let’s just put it that way, not quite like wobbly servers in people’s closets, but you know we had to do like an archaeological dig over the last couple of years to find out who in the years past, you know, had a handshake deal with this IT infrastructure company, who had access. So we’ve, you know we’ve done a lot on the infrastructure front to kind of clean that up. But, as you mentioned, a core challenge with older projects is that a lot of people are still using old versions that are unsupported and outdated.

Robin Bender Ginn: 5:55
We did some research with IDC Research Al Gillen, a pretty prominent open source developer analyst, and found that three quarters of a billion websites are using out of date jQuery, and of those people we surveyed which is pretty consistent with some other data we’ve seen a third of those reported having security and privacy incidents in the last two years. Yes, the Node project has done some other research to find that three quarters of users on Node.js are using old and outdated versions. Again, with 2 billion downloads, that’s pretty significant too. So we have created a couple of tools for people to see if they’re using current versions, and for us, it may not be our projects that could create a vulnerability, but it’s really a canary in the coal mine. So, for example, if you’re using old jQuery, if you’re using old Node, probably everything else under the hood is old too.

CRob: 7:03
It’s a really good guess.

Robin Bender Ginn: 7:05
Yeah, so if you want to kind of check your website, you can go to healthyweb.org to see if your jQuery is out of date and then the Node project. If you go on GitHub on Node.js, it’s /is-my-node-vulnerable and you can find out if you’re using an outdated version or not.

CRob: 7:29
This is a really kind of a systemic problem. I’ve talked a lot about this with Brian Fox from Sonotype and others in the ecosystem, and this is something that is again another very common problem. We have a lot of different language ecosystems, and, while the nuances of how to work in that particular space is a little different, a lot of the core challenges are identical.

Robin Bender Ginn: 7:52
Yeah, that’s why we wanted to sort of create this sort of idea of a health check. Like you know, you get your health check once a year, make sure you know everything’s spot on with your physical. We want people to like, maybe yearly, like you change your batteries and your smoke alarm, why don’t you take a look at what versions you’re using?

CRob: 8:13
That’s awesome advice. Yeah, so, but it can’t be all doom and gloom. What do you see as some kind of pathways to move us forward to a better future on the web?

Robin Bender Ginn: 8:23
Yeah, we have had a lot of industry support, government support and support from folks like you at OpenSSF and our friends Alpha Omega. So if you think about, you know, the IT infrastructure, we really solved that problem through funding from the Sovereign Tech Agency oh, excellent, which was wonderful. They provided funding for us to do, you know, kind of that archaeological dig, so to speak, and we essentially modernized all of our OpenJS hosted projects onto just a few handful of software companies, whether it’s CDNs or clouds, and that has all been consolidated, migrated, and now we have some great partnerships in place for people who are sponsoring that work. So, for example, like CloudFlare, DigitalOcean, fastly, Microsoft Azure and others. So we know that six months from now, two years from now, that they’re going to be supporting our infrastructure. And what else was your other question? Oh, on how you know.

CRob: 9:37
What else do we do to move it forward? What do you do to move it forward?

Robin Bender Ginn: 9:39
Yeah, I mean really, I think one of the inherent problems with relying on volunteers is the one missing component to our maintainers is having people with security expertise. That is kind of a secret sauce for talking, you know.

CRob: 9:57
Yeah, it is so.

Robin Bender Ginn: 10:00
Through grants, through Alpha-Omega, we’ve been able to fund security engineers.

CRob: 10:05
Yes, oh, that’s awesome.

Robin Bender Ginn: 10:06
Which we couldn’t have done it otherwise. I mean, I think this is maybe the fourth year we’ve had a Node grant from Alpha-Omega. Four years ago the Node project did not have an active security working group. Today it’s a very robust working group. Back in the day four years ago it was very difficult to put out security releases for Node. It was 26 steps for every release.

Robin Bender Ginn: 10:33
Imagine with someone without expertise who wants to sign up for that in their free time nobody right, yeah, so, um, as part of the work um, that security working group now has fully automated their security uh releases, so it’s been like a game changer for the Node project.

CRob: 10:51
I bet Well. It also relieves a lot of the burden from the regular maintainers as well, right?

Robin Bender Ginn: 11:02
Absolutely. They’ve also put out some permissions, guides and policies on what defines a vulnerability and what doesn’t. Our OpenJS Foundation Security Working Group, which we call it LabSpace security working group, which we call it Lab Space. We’re opening up our own CNA, which is pretty cool, so we’ll be communicating more about that. The thing about JavaScript is that I think security vulnerability reports, probably like others, have become like car alarms Ignore, ignore, ignore. So hopefully, with some new policies and kind of having a little more control with this with our own CNA, we’ll kind of alleviate some burden for our folks.

CRob: 11:40
Oh, that’s excellent. That’s so exciting to hear about those amazing changes. I’m so happy for you all.

Robin Bender Ginn: 11:47
Yes, I know, honestly, we couldn’t have done it without the grants that we’ve received from you all and the membership support and the government grants, which we hopefully will go after some more Excellent.

CRob: 12:02
And thinking about can an individual make a difference in the space of web security or are they totally at the mercy of big tech in the space of web security.

Robin Bender Ginn: 12:12
Are they totally at the mercy of big tech? No, I think one of the flip sides of having these community-led projects is that if you want something, if you want to influence an open source project, we kind of have a doers, not a talkers policy. Excellent. So if you’re a doer, if you want a feature, if you want to help, all you have to do is show up. I think, again, we have the most warm and welcoming and fun group of community members. So, as you know, with open source, you can just come to any of our meetings. We have a radical transparency policy at OpenJS in our projects. So our meetings are almost all streamed live on YouTube and on our YouTube channel. So if you want to just lurk, if you want to participate, if there’s something especially you want, you can just be a doer, just show up and do the work. Also, there’s so many ways that you can make a difference. If coding is not your thing, but you want to make a difference, I like to say content is queen.

CRob: 13:17
I love that I’m going to open source that.

Robin Bender Ginn: 13:20
Absolutely so. You know we do a lot with training, documentation, uh, community organizing, um, and so that’s again brought new, brought new community members to our projects that’s amazing.

CRob: 13:35
Well, let’s move on to the rapid fire part of our session here. Right on, let’s do it fire, rapid fire. A couple quick and crazy questions for you. We’ll start off with a controversial one vi or emacs, neither. Oh, what’s your editor of choice?

Robin Bender Ginn: 13:57
I am a writer, I write about code the same.

CRob: 14:03
That’s awesome, cool cool, we’re neutral.

Robin Bender Ginn: 14:05
I’m neutral at Open.js well said, there you go.

CRob: 14:11
Who’s your favorite open source mascot?

Robin Bender Ginn: 14:15
Well, the rocket turtle probably. We had a mascot contest for the Node project 15 years ago. When it was created. We had a turtle icon and a rocket icon and you can see the rocket turtle is our new mascot, that’s awesome. Yeah.

CRob: 14:34
What’s your favorite adult beverage? Water, water flavored water, water, water flavored water, water flavored water well, that is a responsible choice, yes, adult beverage, so I don’t know I had a person just tell me coffee, which I was like you know, you’re right, I love coffee. That is my favorite adult beverage too.

Robin Bender Ginn: 14:55
Yeah, I, yeah, I don’t know.

CRob: 14:58
And then uh kind of uh as we wrap up here thinking about, uh, what call to action would you have for our audience or what advice would you like to share to a newcomer trying to break into this amazing space?

Robin Bender Ginn: 15:13
Um, yeah, I think the one thing I would say is you know, if we had one, I would encourage folks to join our Slack channel. That might be kind of an easy entry way, maybe even a little easier than trying to figure out what’s going on in GitHub. We have so many different channels. We have an icon right on the homepage of our website, so whether you’re interested in security or package metadata, interoperability or standards, we’ve got like an all-star group working on TC39 and some W3C projects. An easy way to get to know folks perhaps is our Slack channel and then you can see what’s going on. We also have a book club and events and other fun things, so you can get to know us. But yeah, it’s a very friendly group. You can always reach out to me too if you’re just not sure where to go, and I’m happy to introduce you to folks in each of these areas.

CRob: 16:08
Well, excellent. Thank you so much for showing up and sharing a little bit about this amazing space that, as you shared, runs a lot of our world today, and especially how we interact with software and services and applications. So thank you for all the work that your foundation does and thank you for the amazing things you do for the community.

Robin Bender Ginn: 16:28
And thanks, CRob, and for all of your folks. You provide a lot of guidance. I know we sometimes bend the rules a little bit to customize things for JavaScript, but you know You’ve got to make things for JavaScript, but you know You’ve got to make it work for the environment you live in. We do. We take all of what the OpenSSF creates and then we maybe tweak it a little bit for what works for our maintainers and end users. And we’ve been working on and we’ll be publishing on our website some new guidelines as well.

CRob: 16:56
Well, I look forward to reading it. Thank you for joining us. Have a great day.

CRob: 17:09
Like what you’re hearing. Be sure to subscribe to What’s in the SOSS on Spotify, Apple Podcasts, antennapod, pocketcast or wherever you get your podcasts. There’s a lot going on with the OpenSSF and many ways to stay on top of it all. Check out the newsletter for open source news, upcoming events and other happenings. Go to openssf.org/newsletter to subscribe. Connect with us on LinkedIn for the most up-to-date OpenSSF news and insight and be a part of the OpenSSF community at openssf.org/getinvolved. Thanks for listening and we’ll talk to you next time on What’s in the SOSS.

OpenSSF Policy Summit DC 2025 Recap

By Blog, Global Cyber Policy

The OpenSSF Policy Summit DC 2025 brought together open source, government, and industry leaders to tackle pressing security challenges. The event fostered open dialogue under the Chatham House Rule, emphasizing shared responsibility and commitment to strengthening the open source ecosystem.

A Message from Steve Fernandez, OpenSSF General Manager, 

“The OpenSSF is committed to tackling the most pressing security challenges facing the consumption of open source software in critical infrastructure and beyond. Our recent Policy Summit highlighted the shared responsibility, common goals, and commitment to strengthening the resilience of the open source ecosystem by bringing together the open source community, government, and industry leaders.”Steve Fernandez, General Manager, OpenSSF

Keynotes & Panels 

The summit opened with remarks from OpenSSF General Manager Steve Fernandez emphasizing the importance of collaboration between industry, government, and the broader open source community to tackle security challenges. Jim Zemlin, Executive Director of The Linux Foundation, delivered a keynote on the importance of securing open source in modern infrastructure, followed by Robin Bender Ginn of the OpenJS Foundation, who provided insights into systemic security challenges. Panels covered key topics such as integrating security into the software lifecycle, regulatory harmonization, AI security risks, and the adoption of open source in government.

🔗 Event Agenda

Breakout Sessions

The policy summit included various breakout sessions; below are some key takeaways from each.

AI & Open Source Security

AI security is at a crossroads, with many of the same supply chain risks seen in traditional software. Unlike past security crises, AI has not yet had its “Heartbleed moment”, making this the time to proactively address risks.

Discussion Highlights

AI presents both new challenges and an urgent need to reinforce existing security efforts led by OpenSSF and The Linux Foundation. If the origins of AI models are unclear, how can we truly trust them? Understanding and measuring the risks associated with AI is critical, especially as AI frameworks and libraries integrate with other tools, potentially introducing new vulnerabilities. Yet, security in this space is often left as an afterthought—an exercise for the user rather than a built-in safeguard. As AI intersects with open source software, traditional cybersecurity risks remain relevant, raising key questions: What are the existing guardrails, and how can we strengthen them to ensure a more secure AI ecosystem?

Key Takeaways

  • AI is software, and software security principles still apply – a fact that many AI practitioners may not yet fully understand.
  • There is a need for new OpenSSF personas: AI Scientist and Data Engineer.
  • There is a need for basic software security education tailored to AI practitioners.

🔗 Link to breakout notes  

Open Source Best Practices

The conversation centered on improving how open source components are updated, ensuring clear maintenance statuses, and reducing dependencies on U.S.centric platforms.

Discussion Highlights

Improving component updates is a critical challenge, especially when backward-incompatible changes prevent seamless upgrades. The industry needs clear guidance on enabling and streamlining updates, ensuring that software remains secure without unnecessary friction. Best practices for downstream consumers should be more widely established—such as evaluating whether a project is actively maintained before adopting it and identifying major backward-incompatible API changes as potential risks.

A structured approach to declaring an open source project’s maintenance or production status is also essential. There should be a formal, machine-ready way to indicate when a project is no longer maintained, making it easy to see and act upon. Additionally, as organizations strive to avoid being U.S.centric, requirements should be designed to be platform-agnostic rather than tied to specific tools.

Transparency is another key consideration. There needs to be a way to self-attest disagreements in security scans—allowing individuals to provide justification with supporting URLs when a requirement is met or missed. While knowing who maintainers are can be useful, it should not be the sole security measure.

Finally, ensuring that executables match their claimed source code is fundamental to software integrity. Protecting the build process through frameworks like SLSA and enabling verified reproducible builds can help mitigate risks, preventing attacks like those seen with xz utils.

Key Takeaways

  • There’s still a lot to do (and opportunities) for identifying & encouraging best practices in OSS to improve security.
  • This list is being shared with the OpenSSF Best Practices Working Group to determine which of these would be a fruitful item to work on this year.

🔗 Link to breakout notes 

Regulatory Harmonization

As open source software faces increasing regulatory scrutiny, the need for cross-compliance agreements and clear policies has become a priority.

Discussion Highlights 

There are many open questions surrounding the EU’s Cyber Resilience Act (CRA)s definition of an open source steward. Clarity on what qualifies as stewardship is essential, as it impacts compliance responsibilities and obligations under the regulation.

A key concern for organizations navigating the CRA is the lack of a Mutual Recognition Agreement (MRA)—a framework that would allow compliance with one regulation to satisfy the requirements of another. Without this reciprocity, manufacturers must meet CRA standards separately to sell in Europe, adding complexity for global companies. Many U.S.based organizations are now grappling with whether and how to align these requirements domestically to avoid maintaining multiple sets of policies.

One proposal to strengthen open source sustainability is requiring government contracts to include provisions mandating that any changes to open source software made as part of the contract be contributed upstream. This would ensure that improvements benefit the broader ecosystem rather than remaining siloed.

Another growing concern is the financial sustainability of open source projects. Large organizations often look to cut costs, and open source funding is frequently among the first areas to be reduced. Regulation could help prevent this by recognizing the critical role open source plays in security and innovation.

Finally, organizations need better ways to quantify the impact of their open source contributions across distributed teams and departments. Some efforts are underway to address this challenge, but it remains difficult to track how contributions tie back to business value. While The Linux Foundation’s LFX provides some insight, similar visibility is lacking across other foundations, leaving a gap in industry-wide solutions.

Key Takeaways

  • The group wants to educate policymakers on how their regulations impact open source communities and industry.
  • The group suggested crafting a one-pager which describes, at a policy-maker (high) level, how open source fits into security and its importance. It should also explain how regulations impact open source and how regulation and policy can be designed to help support open source while still accomplishing security goals.
  • There was a lot of positive sentiment around encouraging policy makers to require contribution of changes and ongoing support for open source that is modified as part of software delivered in government contracts.

🔗 Link to breakout notes 

Repository & Package Supply Chain Security 

Discussions focused on improving how package repositories handle security and lifecycle management.

Discussion Highlights

The group explored how to effectively track when open source projects reach end-of-life or end-of-support, recognizing the need for clearer visibility into project status. One proposal discussed was the Global Cyber Policy Working Group’s idea to introduce a steward.md file, which would explicitly indicate whether a project is maintained by an OSS Steward. A key question raised was how package repositories should track and surface Steward information. Ensuring that repositories can reliably display this data would help users make informed decisions about software adoption and maintenance. Security was another focus of discussion, particularly the importance of isolating components of the build pipeline to minimize attack surfaces. One suggestion was to remove pre-install scripts, which can introduce vulnerabilities if not properly managed. Finally, the group considered next steps for the Principles of Package Repository Security document. Identifying priority areas for improvement will be crucial in strengthening repository security and ensuring alignment with broader security best practices.

Key Takeaways

  • How can we better communicate to consumers the lifecycle risk associated with a package?
    • PyPI supports archiving projects for when the whole project is no longer active; should we publish guidance to make this more common across ecosystems?
    • Specifying a per-package-version lifecycle isn’t really supported (e.g. “the last N releases will get security fixes backported”), although the Securing Repos Working Group is working on package yanking guidance.
    • Should package repositories actively stop people from using known-vulnerable, very out-of-date packages? This could be a slippery slope; today repositories stay away from “curation.”
    • Package repositories could serve vulnerability information alongside packages (some already do).

🔗 Link to breakout notes

Looking Ahead

The Policy Summit reinforced OpenSSF’s commitment to improving open source security through collaboration and actionable insights. We encourage the community to stay engaged and contribute to ongoing efforts in these key areas.

OpenSSF Vision Brief | Event Agenda

What’s in the SOSS? Podcast #24 – S2E01 OpenSSF MVVSR Overview

By Podcast

Summary

In this episode,CRob is joined by Arun Gupta, Vice President and General Manager of Developer Programs at Intel and OpenSSF Governing Board Chair, and Zach Steindler, Principal Engineer at Github, a member of the OpenSSF TAC and co-chairs the OpenSSF Security Packages Repository Working Group to discuss the key lessons learned from open source security in 2024, the importance of the MVVSR (Mission, Vision, Values, Strategy, and Roadmap) framework, and the exciting initiatives planned for 2025. They highlight the growing reliance on open source, the challenges of dependency vulnerabilities, and the need for better security practices in the industry.

Conversation Highlights

  • 00:00 Opening
  • 03:29 Key Lessons from Open Source Security in 2024
  • 08:29 MVVSR: Mission, Vision, Values, Strategy, and Roadmap
  • 13:41 Importance of Strategy and Roadmap in OpenSSF
  • 17:48 Roadmap Items for Community Collaboration
  • 20:02 Key Resources and Courses for Developers
  • 22:09 Exciting Opportunities Ahead for 2025

Transcript

CRob (00:50.337)
Hello and welcome to What’s in the SOSS, the Open Source Security Foundation’s podcast where we talk to folks from all around the open source ecosystem—interesting developers, thought leaders, and participants within this amazing movement that we call open source. Today, I have some amazing guests on the podcast with us that you may remember from previous sessions. I have Arun and Zach, who are part of the leadership of the foundation, and we’re here today to talk about some of the amazing things we’re planning on doing in 2025. But before we jump into the cool stuff, let’s just briefly, Arun and then Zach, if you could give us a TLDR of who you are and what you do with the foundation.

Arun Gupta (01:38.222)
Absolutely, I can start. Very happy to be here, CRob. Yeah, I’ve been with the OpenSSF Foundation for over two years now, been on the governing board all along. I was the governing board chair for 2024, and I was fortunate enough to be elected again for 2025. So, I guess the work I was doing was liked by somebody at least, so I’m happy to be here. OpenSSF is doing something really, really cool, which we’ll talk about today. And I’m really happy to help with my share.

Zach Steindler (02:18.392)
Yeah, thanks, Arun. I’m Zach Steindler. I work at GitHub on supply chain security for open source users, but also for our enterprise customers. I’m just about to start my third year serving on the OpenSSF TAC. I took over as 2024 tech chair, CRob, when you made the jump into the OpenSSF Chief Architect role. I also co-chair the Securing Software Repositories Working Group, where we get together folks from PyPI, Homebrew, and RubyGems to talk about best practices for securing those ecosystems.

CRob (03:00.161)
Excellent. And I want to thank you both for your ongoing leadership and community involvement. I think 2025 is going to have some amazing stuff in store for us all. Reflecting back, last year, 2024 was a very busy year for the foundation. I would encourage everyone to review our annual report, which came out in December, to see some of the amazing things our community members are working on. But looking at all of that, 2025 looks even busier. From your perspective, Arun, what were some of the key lessons we learned about open source security in 2024?

Arun Gupta (03:41.058)
Yeah, if you look at 2024, a few themes easily emerged. The reliance on open source is only going to grow. If you look at a typical application, roughly 80%, sometimes 90%, of the stack is open source. So it is definitely a critical part of our infrastructure. Pick any industry, vertical, or domain, and open source is prevalent. With a bigger scope comes a bigger attack area as well. The kinds of things we saw include dependency vulnerabilities continuing to be big. It started with Log4Shell during the pandemic back in 2021, and it has only grown. Many organizations still face outdated or insecure dependencies and need help tracking and fixing them. We have projects like GUAC, the AI cybersecurity challenge, and other OpenSSF efforts driving this part of the industry.

Another issue we saw was social engineering attacks. Open source is built on a human engineering fabric, so threats like the XZ Utils backdoor are a real concern. OpenSSF and OpenJS worked together to issue an alert on what needs to be done. Should we have trusted maintainers whom we’ve met in real life? These are important questions.

Supply chain attacks also continue to rise due to reliance on open source, particularly with government mandates requiring SBOMs to improve transparency and manage supply chains. OpenSSF is working on projects like Protobomb and BombCTL to simplify SBOM creation and portability.

Finally, regulatory pressures increased. The Cyber Resilience Act and the U.S. executive order on stricter open source compliance created unintended consequences for small businesses and open source communities. OpenSSF is working with the EU to ensure a balanced implementation that supports open source while keeping it secure.

Zach, what else would you add?

Zach Steindler (07:15.736)
That was a fantastic overview. I’ve spent much of my career on the defensive side of things in OpenSSF with supply chain security. It has been interesting to see how some of the capabilities we’ve developed have helped in incident response, such as build provenance in the Python package Ultraylitics compromise. That helped us understand what the attacker was doing and how to respond.

Going back to XZ Utils, I think a lot about how we can make the lives of open source maintainers easier in 2025. We ask a lot from them, and while we’re building new security capabilities, they shouldn’t add extra burdens. We must ensure security improvements come with usability improvements to make maintainers’ lives easier.

CRob (08:29.697)
Excellent points. Let’s talk about some things the foundation wants to collaborate on this year. We adopted a practice called MVVSR last year. Zach, maybe you could give an overview of what MVVSR is.

Zach Steindler (08:51.074)
OpenSSF is exiting an exciting early phase where we tried a lot of things to see what worked. Now, we’re borrowing practices from nonprofits and the business world to be more thoughtful about engagement. MVVSR stands for Mission, Vision, Values, Strategy, and Roadmap. It helps us define where we want the organization to go. The mission is high-level, perhaps on a 10-year timeline. The roadmap outlines immediate actions, spanning months or a year.

In late 2024, the OpenSSF TAC, Governance Committee, and Governing Board revised the MVVSR, focusing on strategy. We defined three key categories:

  1. Catalyst for Change – Building tools for open source developers to meet security goals.
  2. Educate & Empower the Modern Developer – Providing guides, courses, and best practices.
  3. Ecosystem Leader – Developing standards and frameworks like Salsa for supply chain security.

CRob (13:13.505)
Awesome. Arun, you’re involved in various foundations. How important is having a roadmap for OpenSSF’s strategy?

Arun Gupta (13:41.486)
It’s critical. Success depends not just on creating guidelines but on their adoption by other foundations. OpenSSF’s mission is to improve open source security, but much of the work happens in other foundations like CNCF, Apache, and Eclipse. Our success is defined by how widely our recommendations are adopted.

For example, Kubernetes adopting OpenSSF recommendations is a big win. At Intel, we ran the OpenSSF Scorecard across all public GitHub repos, tracking incremental security improvements. These efforts align back to OpenSSF’s mission.

CRob (26:18.849)
We’ve accomplished a lot in 2024 and have exciting plans for 2025. Thank you both for your leadership, and thanks to our community of contributors for driving these projects forward. It’s amazing to see initiatives like Salsa and sigstore, which started over four years ago, continue to grow. Gentlemen, I appreciate your time today, and I look forward to working together in 2025. Thank you.

Arun Gupta (27:05.486)
Thank you so much.

Zach Steindler (27:05.72)
Thanks, CRob, pleasure to be here.

OpenSSF Hosts 2025 Policy Summit in Washington, D.C. to Tackle Open Source Security Challenges

By Blog, Global Cyber Policy, Press Release

WASHINGTON, D.C. – March 11, 2025 – The Open Source Security Foundation (OpenSSF) successfully hosted its 2025 Policy Summit in Washington, D.C., on Tuesday, March 4. The summit brought together industry leaders and open source security experts to address key challenges in securing the software supply chain, with a focus on fostering harmonization for open source software (OSS) development and consumption in critical infrastructure sectors.

The event featured keynotes from OpenSSF leadership and industry experts, along with panel discussions and breakout sessions covering the latest policy developments, security frameworks, and industry best practices for open source software security. 

“The OpenSSF is committed to tackling the most pressing security challenges facing the consumption of open source software in critical infrastructure and beyond,” said Steve Fernandez, General Manager, OpenSSF. “Our recent Policy Summit highlighted the shared responsibility, common goals, and interest in strengthening the resilience of the open source ecosystem by bringing together the open source community, government, and industry leaders.” 

Key Themes and Discussions from the Summit

  1. AI, Open Source, and Security
  • AI security remains an emerging challenge: Unlike traditional software, AI has yet to experience a major security crisis akin to Heartbleed, leading to slower regulatory responses.
  • Avoid premature regulation: Experts advised policymakers to allow industry-led security improvements before introducing regulation.
  • Security guidance for AI developers: There is an increasing need for dedicated security frameworks for AI systems, akin to SLSA (Supply Chain Levels for Software Artifacts) in traditional software.
  1. Software Supply Chain Security and OSS Consumption
  • Balancing software repository governance: The summit explored whether package repositories should actively limit the use of outdated or vulnerable software, recognizing both the risks and ethical concerns of software curation.
  • Improving package security transparency: Participants discussed ways to provide better lifecycle risk information to software consumers and whether a standardized framework for package deprecation and security backports should be introduced.
  • Policy recommendations for secure OSS consumption: OpenSSF emphasized the need for cross-sector collaboration to align software security policies with global regulatory frameworks, such as the EU Cyber Resilience Act (CRA) and U.S. federal cybersecurity initiatives.

“The OpenSSF Policy Summit reaffirmed the importance of industry-led security initiatives,” said Jim Zemlin, Executive Director of the Linux Foundation. “By bringing together experts from across industries and open source communities, we are ensuring that open source security remains a collaborative effort, shaping development practices that drive both innovation and security.”

Following the summit, OpenSSF will continue to refine security guidance, best practices, and policy recommendations to enhance the security of open source software globally. The discussions from this event will inform ongoing initiatives, including the OSS Security Baseline, software repository security principles, and AI security frameworks.

For more information on OpenSSF’s policy initiatives and how to get involved, visit openssf.org.

Supporting Quotes

“The 2025 Policy Summit was an amazing day of mind share and collaboration across different teams, from security, to DevOps, and policy makers. By uniting these critical voices, the day resulted in meaningful progress toward a more secure and resilient software supply chain that supports innovation across IT Teams.” – Tracy Ragan, CEO and Co-Founder DeployHub

“I was pleased to join the Linux Foundation OpenSSF Policy Summit “Secure by Design” panel and share insights on improving the open source ecosystem via IBM’s history of creating secure technology solutions for our clients,” said Jamie Thomas, General Manager, Technology Lifecycle Services & IBM Enterprise Security Executive. “Open source has become an essential driver of innovation for artificial intelligence, hybrid cloud and quantum computing technologies, and we are pleased to see more regulators recognizing that the global open source community has become an essential digital public good.” – Jamie Thomas, General Manager, Technology Lifecycle Services & IBM Enterprise Security Executive

“I was delighted to join this year’s OpenSSF Summit on behalf of JFrog as I believe strongly in the critical role public/private partnerships and collaboration plays in securing the future of open source innovation. Building trust in open source software requires a dedicated focus on security and software maturity. Teams must be equipped with tools to understand and vet open source packages, ensuring we address potential vulnerabilities while recognizing the need for ongoing updates. As the value of open source grows, securing proper funding for these efforts becomes essential to mitigate risks effectively.” – Paul Davis, U.S. Field CISO, JFrog

“Great event. I really enjoyed the discussions and the idea exchange between speakers, panelists and the audience.  I especially liked the afternoon breakout discussion on AI, open source, and security.” Bob Martin, Senior Software and Supply Chain Assurance Principal Engineer at the MITRE Corporation

“The Internet is plagued by chronic security risks, with a majority of companies relying on outdated and unsupported open source software, putting consumer privacy and national security at risk. As explored at the OpenSSF Policy Summit, we are at an inflection point for open source security and sustainability, and it’s time to prioritize and invest in the open source projects that underpin our digital public infrastructure.” – Robin Bender Ginn, Executive Director, OpenJS Foundation

“It is always a privilege to speak at the OpenSSF Policy Summit in D.C. and converse with some of the brightest minds in security, government, and open source. The discussions we had about the evolving threat landscape, software supply chain security, and the policies needed to protect critical infrastructure were timely and essential. As the open source ecosystem expands with skyrocketing open source AI adoption, it’s vital that we work collaboratively across sectors to ensure the tools and frameworks developers rely on are secure and resilient. I look forward to continuing these important conversations and furthering our collective mission of keeping open source safe and secure.” – Brian Fox, CTO and Co-Founder, Sonatype

“The OpenSSF Policy Summit highlighted the critical intersection of policy, technical innovation, and collaborative security efforts needed to protect our software supply chains and address emerging AI security challenges. By bringing together policy makers and technical practitioners, we’re collectively building a more resilient open source ecosystem that benefits everyone, we look forward to future events and opportunities to collaborate with the OpenSSF to help strengthen this ecosystem.” – Jim Miller, Engineering Director of Blockchain and Cryptography, Trail of Bits

***

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org.

Media Contact
Noah Lehman
The Linux Foundation
nlehman@linuxfoundation.org

OpenSSF Announces Initial Release of the Open Source Project Security Baseline

OpenSSF Announces Initial Release of the Open Source Project Security Baseline

By Blog, Press Release

New Initiative Aims to Enhance Open Source Software Security Through Tiered Best Practices

SAN FRANCISCO – February 25, 2025 – The Open Source Security Foundation (OpenSSF) is pleased to announce the initial release of the Open Source Project Security Baseline (OSPS Baseline). The Baseline initiative provides a structured set of security requirements aligned with international cybersecurity frameworks, standards, and regulations, aiming to bolster the security posture of open source software projects.

“The OSPS Baseline release is a significant milestone in advancing security initiatives within the open source ecosystem,” said Christopher Robinson, Chief Security Architect at OpenSSF. “We’re excited to roll out OSPS Baseline following community testing and validation — we are confident that these security best practices are both practical and impactful across open source projects.”

The OSPS Baseline offers a tiered framework of security practices that evolve with project maturity. It compiles existing guidance from OpenSSF and other expert groups, outlining tasks, processes, artifacts, and configurations that enhance software development and consumption security. By adhering to the Baseline, developers can lay a foundation that supports compliance with global cybersecurity regulations, such as the EU Cyber Resilience Act (CRA) and U.S. National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF).

“We’ve gotten helpful feedback from projects involved in the pilot rollout, including adoption commitments from GUAC, OpenVEX, bomctl, and Open Telemetry,” said Stacey Potter, Independent Open Source Community Manager, after helping lead the OSPS Baseline pilot efforts. “We know it can be tough to navigate all the security standards out there, so we built a framework that grows with your project. Our goal is to take the guesswork out of it and help maintainers feel confident about where they stand, without adding extra stress. It’s all about empowering the community and making open source more secure for everyone!”

“I’m excited to see the release of OSPS Baseline,” said Ben Cotton, Open Source Community Lead at Kusari & OSPS Baseline co-maintainer. “This effort provides actionable, practical guidance to help developers achieve appropriate security levels for their projects. Too often, security advice is vague or impractical, but Baseline aims to change that. Every improvement to open source security strengthens the modern software ecosystem, making it safer for everyone.”

OpenSSF invites open source developers, maintainers, and organizations to make use of the OSPS Baseline. Through engaging with this initiative, stakeholders can also contribute to refining the framework and promoting widespread adoption of security best practices in the open source community.

For more information and to get involved, please visit the OSPS Baseline website or GitHub.

Supporting Quotes:

“The OSPS Baseline release is an important step toward efficiently addressing the security and resilience of open source projects. Open source stewards, manufacturers who rely on open source, and end users will all benefit long-term as this community-defined criteria shines light on project security best practices.”

– Eddie Knight, Open Source Program Office Lead at Sonatype and OSPS Baseline Project Lead

“We applaud the launch of the OSPS Baseline as a crucial initiative in bolstering the security landscape of open source projects. At TestifySec, we recognize the importance of robust security frameworks like the OSPS Baseline in safeguarding software integrity and enhancing resilience against evolving cyber threats. We look forward to leveraging these guidelines to further fortify our commitment to delivering secure solutions for our clients and the broader open source community.” 

– Cole Kennedy, Co-Founder and CEO of TestifySec

“Security is a fundamental priority for the cloud native ecosystem, and the OSPS Baseline represents a major step forward in providing clear, actionable guidance for projects of all sizes. By establishing a tiered framework that evolves with project maturity, OSPS Baseline empowers maintainers and contributors to adopt security best practices that are scalable and sustainable. The CNCF is proud to support efforts like this that strengthen open source software at every level of development and we look forward to collaborating with the OpenSSF on adoption.”

– Chris Aniszczyk, Chief Technology Officer, Cloud Native Computing Foundation

“As open source has become integral in most of our technology stacks, it has become increasingly critical to streamline and standardize the security expectations between open source maintainers and consumers.  By synthesizing the requirements and controls from a variety of laws, regulations, and standards, the OpenSSF Baseline provides a clear roadmap for open source consumers to understand their security foundations.”

– Evan Anderson, Principal Software Engineer at Stacklok and Open Source Maintainer

“The Open Source Project Security Baseline is a vital tool for enhancing the security of open source projects. By offering a comprehensive set of actionable measures, the Security Baseline provides effective guidance for all stakeholders in the open source ecosystem – manufacturers, stewards, and projects alike – to collaboratively assume responsibility and take meaningful steps to secure the open source supply chain on which we all rely.”

– Per Beming, Chief Standardization Officer at Ericsson

***

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org.

Media Contact
Noah Lehman
The Linux Foundation
nlehman@linuxfoundation.org