Welcome to the September 2025 edition of the OpenSSF Newsletter! Here’s a roundup of the latest developments, key events, and upcoming opportunities in the Open Source Security community.

TL;DR:

🎉 Big week in Amsterdam: Recap of OpenSSF at OSSummit + OpenSSF Community Day Europe.

🥚 Golden Egg Awards shine on five amazing community leaders.

✨ Fresh resources: AI Code Assistant tips and SBOM whitepaper.

🤝 Trustify + GUAC = stronger supply chain security.

🌍 OpenSSF Community Day India: 230+ open source enthusiasts packed the room.

🎙 New podcasts: AI/ML security + post-quantum race.

🎓 Free courses to level up your security skills.

📅 Mark your calendar and join us for Community Events.

Celebrating the Community: OpenSSF at Open Source Summit and OpenSSF Community Day Europe Recap

From August 25–28, 2025, the Linux Foundation hosted Open Source Summit Europe and OpenSSF Community Day Europe in Amsterdam, bringing together developers, maintainers, researchers, and policymakers to strengthen software supply chain security and align on global regulations like the EU Cyber Resilience Act (CRA). The week included strong engagement at the OpenSSF booth and sessions on compliance, transparency, proactive security, SBOM accuracy, and CRA readiness. 

OpenSSF Community Day Europe celebrated milestones in AI security, public sector engagement, and the launch of Model Signing v1.0, while also honoring five community leaders with the Golden Egg Awards. Attendees explored topics ranging from GUAC+Trustify integration and post-quantum readiness to securing GitHub Actions, with an interactive Tabletop Exercise simulating a real-world incident response. 

These gatherings highlighted the community’s progress and ongoing commitment to strengthening open source security. Read more.

OpenSSF Celebrates Global Momentum, AI/ML Security Initiatives and Golden Egg Award Winners at Community Day Europe

At OpenSSF Community Day Europe, the Open Source Security Foundation honored this year’s Golden Egg Award recipients. Congratulations to Ben Cotton (Kusari), Kairo de Araujo (Eclipse Foundation), Katherine Druckman (Independent), Eddie Knight (Sonatype), and Georg Kunz (Ericsson) for their inspiring contributions.

With exceptional community engagement across continents and strategic efforts to secure the AI/ML pipeline, OpenSSF continues to build trust in open source at every level.

Read the full press release to explore the achievements, inspiring voices, and what’s next for global open source security.

Blogs: What’s New in the OpenSSF Community?

Here you will find a snapshot of what’s new on the OpenSSF blog. For more stories, ideas, and updates, visit the blog section on our website.

Open Source Friday with OpenSSF – Global Cyber Policy Working Group

On August 15, 2025, GitHub’s Open Source Friday series spotlighted the OpenSSF Global Cyber Policy Working Group (WG) and the OSPS Baseline in a live session hosted by Kevin Crosby, GitHub. The panel featured OpenSSF’s Madalin Neag (EU Policy Advisor), Christopher Robinson (CRob) (Chief Security Architect) and David A. Wheeler (Director of Open Source Supply Chain Security) who discussed how the Working Group helps developers, maintainers, and policymakers navigate global cybersecurity regulations like the EU Cyber Resilience Act (CRA). 

The conversation highlighted why the WG was created, how global policies affect open source, and the resources available to the community, including free training courses, the CRA Brief Guide, and the Security Baseline Framework. Panelists emphasized challenges such as awareness gaps, fragmented policies, and closed standards, while underscoring opportunities for collaboration, education, and open tooling. 

As the CRA shapes global standards, the Working Group continues to track regulations, engage policymakers, and provide practical support to ensure the open source community is prepared for evolving cybersecurity requirements. Learn more and watch the recording.

Improving Risk Management Decisions with SBOM Data

SBOMs are becoming part of everyday software practice, but many teams still ask the same question: how do we turn SBOM data into decisions we can trust? 

Our new whitepaper, “Improving Risk Management Decisions with SBOM Data,” answers that by tying SBOM information to concrete risk-management outcomes across engineering, security, legal, and operations. It shows how to align SBOM work with real business motivations like resiliency, release confidence, and compliance. It also describes what “decision-ready” SBOMs look like, and how to judge data quality. To learn more, download the Whitepaper.

Trustify joins GUAC

GUAC and Trustify are combining under the GUAC umbrella to tackle the challenges of consuming, processing, and utilizing supply chain security metadata at scale. With Red Hat’s contribution of Trustify, the unified community will serve as the central hub within OpenSSF for building and using supply chain knowledge graphs, defining standards, developing shared infrastructure, and fostering collaboration. Read more.

Recap: OpenSSF Community Day India 2025

On August 4, 2025, OpenSSF hosted its second Community Day India in Hyderabad, co-located with KubeCon India. With 232 registrants and standing-room-only attendance, the event brought together open source enthusiasts, security experts, engineers, and students for a full day of learning, collaboration, and networking.

The event featured opening remarks from Ram Iyengar (OpenSSF Community Engagement Lead, India), followed by technical talks on container runtimes, AI-driven coding risks, post-quantum cryptography, supply chain security, SBOM compliance, and kernel-level enforcement. Sessions also highlighted tools for policy automation, malicious package detection, and vulnerability triage, as well as emerging approaches like chaos engineering and UEFI secure boot.

The event highlighted India’s growing role in global open source development and the importance of engaging local communities to address global security challenges. Read more.

New OpenSSF Guidance on AI Code Assistant Instructions

In our recent blog, Avishay Balter, Principal SWE Lead at Microsoft and David A. Wheeler, Director, Open Source Supply Chain Security at OpenSSF introduce the OpenSSF “Security-Focused Guide for AI Code Assistant Instructions.” AI code assistants can speed development but also generate insecure or incorrect results if prompts are poorly written. The guide, created by the OpenSSF Best Practices and AI/ML Working Groups with contributors from Microsoft, Google, and Red Hat, shows how clear and security-focused instructions improve outcomes. It stands as a practical resource for developers today, while OpenSSF also develops a broader course (LFEL1012) on using AI code assistants securely. 

This effort marks a step toward ensuring AI helps improve security instead of undermining it. Read more.

Open Infrastructure Is Not Free: A Joint Statement on Sustainable Stewardship

Public package registries and other shared services power modern software at global scale, but most costs are carried by a few stewards while commercial-scale users often contribute little. Our new open letter calls for practical models that align usage with responsibility — through partnerships, tiered access, and value-add options — so these systems remain strong, secure, and open to all.

Signed by: OpenSSF, Alpha-Omega, Eclipse Foundation (Open VSX), OpenJS Foundation, Packagist (Composer), Python Software Foundation (PyPI), Rust Foundation (crates.io), Sonatype (Maven Central).

Read the open letter.

What’s in the SOSS? An OpenSSF Podcast:

#38 – S2E15 Securing AI: A Conversation with Sarah Evans on OpenSSF’s AI/ML Initiatives

In this episode of What’s in the SOSS, Sarah Evans, Distinguished Engineer at Dell Technologies, discusses extending secure software practices to AI. She highlights the AI Model Signing project, the MLSecOps whitepaper with Ericsson, and efforts to identify new personas in AI/ML operations. Tune in to hear how OpenSSF is shaping the future of AI security.

#39 – S2E16 Racing Against Quantum: The Urgent Migration to Post-Quantum Cryptography with KeyFactor’s Crypto Experts

In this episode of What’s in the SOSS, host Yesenia talks with David Hook and Tomas Gustavsson from Keyfactor about the race to post-quantum cryptography. They explain quantum-safe algorithms, the importance of crypto agility, and why sectors like finance and supply chains are leading the way. Tune in to learn the real costs of migration and why organizations must start preparing now before it’s too late.

Education:

The Open Source Security Foundation (OpenSSF), together with Linux Foundation Education, provides a selection of free e-learning courses to help the open source community build stronger software security expertise. Learners can earn digital badges by completing offerings such as:

• Developing Secure Software (LFD121)
• Security for Software Development Managers (LFD125)
• Understanding the EU Cyber Resilience Act (CRA) (LFEL1001)
• Securing Projects with OpenSSF Scorecard (LFEL1006)
• Securing Your Software Supply Chain with Sigstore (LFS182)

These are just a few of the many courses available for developers, managers, and decision-makers aiming to integrate security throughout the software development lifecycle.

News from OpenSSF Community Meetings and Projects:

• OpenSSF hosted a tech talk “Securing the AI Lifecycle” on Sept. 24 at 1 pm ET.
• Global Cyber Policy WG, Vulnerability Disclosures WG, and Supply Chain Integrity WG presented quarterly updates to the TAC.
• Zarf released version v0.62.0 enhancing network resiliency around artifact delivery.
• SLSA has a list of tasks for v1.2 available for assignment.
• The AI / ML Security WG has a proposal for a new Cyber Reasoning Systems SIG.

In the News:

• Cybersecurity Dive, How AI and politics hampered the secure open-source software movement
• Data Center Insider, Christopher Robinson on MLSecOps and the Cyber ​​Resilience Act
• Diginomica, Building bridges, not burning maintainers – how the CRA is reshaping open source relations
• The New Stack, SBOMs Get a Needed Update for New Threats
• Infosecurity Magazine, In Conversation: Learnings for CISOs Post Black Hat and DEF CON
• ITdaily, Europe’s turn: the opportunities and challenges of open source
• The Register, OpenSSF to freeloaders: Open source infra isn’t free
• It’s FOSS, Open Source Infrastructure is Breaking Down Due to Corporate Freeloading
• Axios, Future of Cybersecurity Newsletter

Meet OpenSSF at These Upcoming Events!

Join us at OpenSSF Community Day in South Korea!

OpenSSF Community Days bring together security and open source experts to drive innovation in software security.

• Seoul, South Korea –  November 4, 2025

Connect with the OpenSSF Community at these key events:

• Open Source in Finance Forum (OSFF): October 21-22, 2025
• PyTorch Conference: Oct 21-23, 2025
• The Linux Foundation Member Summit: Oct 28, 2025
• The Linux Foundation Europe Roadshow: October 29, 2025
• European Open Source Security Forum: October 30, 2025
• OSPOlogyLive Lyon: November 5-6, 2025
• Open Source SecurityCon 2025: November 10, 2025

Ways to Participate:

There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.

You’re invited to…

• Join a Working Group or Project
• Chat with us on Slack
• Follow us on X, Mastodon, Bluesky, and LinkedIn

See You Next Month! 

We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!

Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team