
Tag: OSPS Baseline

🎉 Celebrating Five Years of OpenSSF: A Journey Through Open Source Security

Blog

August 2025 marks five years since the official formation of the Open Source Security Foundation (OpenSSF). Born out of a critical need to secure the software supply chains and open source ecosystems powering global technology infrastructure, OpenSSF quickly emerged as a community-driven leader in open source security.

“OpenSSF was founded to unify and strengthen global efforts around securing open source software. In five years, we’ve built a collaborative foundation that reaches across industries, governments, and ecosystems. Together, we’re building a world where open source is not only powerful—but trusted.” — Steve Fernandez, General Manager, OpenSSF

🌱 Beginnings: Answering the Call

OpenSSF was launched on August 3, 2020, consolidating earlier initiatives into a unified, cross-industry effort to protect open source projects. The urgency was clear—high-profile vulnerabilities such as Heartbleed served as stark reminders that collective action was essential to safeguard the digital infrastructure everyone depends on.

“From day one, OpenSSF has been about action—empowering the community to build and adopt real-world security solutions. Five years in, we’ve moved from ideas to impact. The work isn’t done, but the momentum is real, and the future is wide open.” — Christopher “CRob” Robinson, Chief Architect, OpenSSF

🚀 Milestones & Major Initiatives

Over the past five years, OpenSSF has spearheaded critical initiatives that shaped the landscape of open source security:

2021 – Secure Software Development Fundamentals:
Launching free educational courses on edX, OpenSSF equipped developers globally with foundational security practices.

“When we launched our first free training course in secure software development, we had one goal: make security knowledge available to every software developer. Today, that same mission powers all of OpenSSF—equipping developers, maintainers, and communities with the tools they need to make open source software more secure for everyone.” — David A. Wheeler, Director, Open Source Supply Chain Security, Linux Foundation

2021 – Sigstore: Open Source Signing for Everyone:
Sigstore was launched to make cryptographic signing accessible to all open source developers, providing a free and automated way to verify the integrity and provenance of software artifacts and metadata.

“Being part of the OpenSSF has been crucial for the Sigstore project. It has allowed us to not only foster community growth, neutral governance, and engagement with the broader OSS ecosystem, but also given us the ability to coordinate with a myriad of in-house initiatives — like the securing software repos working group — to further our mission of software signing for everybody. As Sigstore continues to grow and become a core technology for software supply chain security, we believe that the OpenSSF is a great place to provide a stable, reliable, and mature service for the public benefit.” — Santiago Torres-Arias, Assistant Professor at Purdue University and Sigstore TSC Chair Member

2021-2022 – Security with OpenSSF Scorecard & Criticality Score:
Innovative tools were introduced to automate and simplify assessing open source project security risks.

“The OpenSSF has been instrumental in transforming how the industry approaches open source security, particularly through initiatives like the Security Scorecard and Sigstore, which have improved software supply chain security for millions of developers. As we look ahead, AWS is committed to supporting OpenSSF’s mission of making open source software more secure by default, and we’re excited to help developers all over the world drive security innovation in their applications.” — Mark Ryland, Director, Amazon Security at AWS

2022 – Launch of Alpha-Omega:
Alpha-Omega (AO), an associated project of the OpenSSF launched in February 2022, is funded by Microsoft, Google, Amazon, and Citi. Its mission is to enhance the security of critical open source software by enabling sustainable improvements and ensuring vulnerabilities are identified and resolved quickly. Since its inception, the Alpha-Omega Fund has invested $14 million in open source security, supporting a range of projects including LLVM, Java, PHP, Jenkins, Airflow, OpenSSL, AI libraries, Homebrew, FreeBSD, Node.js, jQuery, RubyGems, and the Linux Kernel. It has also provided funding to key foundations and ecosystems such as the Apache Software Foundation (ASF), Eclipse Foundation, OpenJS Foundation, Python Foundation, and Rust Foundation.

2023 – SLSA v1.0 (Supply-chain Levels for Software Artifacts):
Setting clear and actionable standards for build integrity and provenance, SLSA was a turning point for software supply chain security and became essential in reducing vulnerabilities.
At the same time, community-driven tools like GUAC (Graph for Understanding Artifact Composition) built on SLSA’s principles, unlocking deep visibility into software metadata, making it more usable, actionable and connecting the dots across provenance, SBOMs and in-toto security attestations.

“Projects like GUAC demonstrate how open source innovation can make software security both scalable and practical. Kusari is proud to have played a role in these milestones, helping to strengthen the resiliency of the open source software ecosystem.” — Michael Lieberman, CTO and Co-founder at Kusari and Governing Board member

2024 – Principles for Package Repository Security:
Offering a voluntary, community-driven security maturity model to strengthen the resilience of software ecosystems.

“Developers around the world rely daily on package repositories for secure distribution of open source software. It’s critical that we listen to the maintainers of these systems and provide support in a way that works for them. We were happy to work with these maintainers to develop the Principles for Package Repository Security, to help them put together security roadmaps and provide a reference in funding requests.” — Zach Steindler, co-chair of Securing Software Repositories Working Group, Principal Engineer, GitHub

2025

OSPS Baseline:
This initiative brought tiered security requirements into the AI space, quickly adopted by groundbreaking projects such as GUAC, OpenTelemetry, and bomctl.

“The Open Source Project Security Baseline was born from real use cases, with projects needing robust standardized guidance around how to best secure their development processes. OpenSSF has not only been the best topical location for contributors from around the world to gather — the foundation has gone above and beyond by providing project support to extend the content, promote the concept, and elevate Baseline from a simple control catalog into a robust community and ecosystem.” — Eddie Knight, OSPO Lead, Sonatype

AI/ML Security Working Group:
The MLSecOps White Paper from the AI/ML Security Working Group marks a major step in securing machine learning pipelines and guiding the future of trustworthy AI.

“The AI/ML working group tackles problems at the confluence of security and AI. While the AI world is moving at a breakneck pace, the security problems that we are tackling in the traditional software world are also relevant. Given that AI can increase the impact of a security vulnerability, we need to handle them with determination. The working group has worked on securing LLM generating code, model signing and a new white paper for MLSecOps, among many other interesting things.” — Mihai Maruseac, co-chair of AI/ML Security Working Group, Staff Software Engineer, Google

🌐 Growing Community & Policy Impact

OpenSSF’s role rapidly expanded beyond tooling, becoming influential in global policy dialogues, including advising the White House on software security and contributing to critical policy conversations such as the EU’s Cyber Resilience Act (CRA).

OpenSSF also continues to invest in community-building and education initiatives. This year, the Foundation launched its inaugural Summer Mentorship Program, welcoming its first cohort of mentees working directly with technical project leads to gain hands-on experience in open source security.

The Foundation also supported the publication of the Compiler Options Hardening Guide for C and C++, originally contributed by Ericsson, to help developers and toolchains apply secure-by-default compilation practices—especially critical in memory-unsafe languages.

In addition, OpenSSF has contributed to improving vulnerability disclosure practices across the ecosystem, offering guidance and tools that support maintainers in navigating CVEs, responsible disclosure, and downstream communication.

“The OpenSSF is uniquely positioned to advise on considerations, technical elements, and community impact public policy decisions have not only on open source, but also on the complex reality of implementing cybersecurity to a diverse and global technical sector. In the past 5 years, OpenSSF has been building a community of well-informed open source security experts that can advise regulations but also challenge and adapt security frameworks, law, and regulation to support open source projects in raising their security posture through transparency and open collaboration; hallmarks of open source culture.” — Emily Fox, Portfolio Security Architect, Red Hat

✹ Voices from Our Community: Reflections & Hopes

Key community members, from long-standing contributors to new voices, have shaped OpenSSF’s journey:

OG Voices:

“Microsoft joined OpenSSF as a founding member, committed to advancing secure open source development. Over the past five years, OpenSSF has driven industry collaboration on security through initiatives like Alpha-Omega, SLSA, Scorecard, Secure Software Development training, and global policy efforts such as the Cyber Resilience Act. Together, we’ve improved memory safety, supply chain integrity, and secure-by-design practices, demonstrating that collaboration is key to security. We look forward to many more security advancements as we continue our partnership.” — Mark Russinovich, CTO, Deputy CISO, and Technical Fellow, Microsoft Azure

OpenSSF Leadership Perspective: 

“OpenSSF’s strength comes from the people behind it—builders, advocates, and champions from around the world working toward a safer open source future. This milestone isn’t just a celebration of what we’ve accomplished, but of the community we’ve built together.” — Adrianne Marcum, Chief of Staff, OpenSSF

Community Perspectives:

“After 5 years of hard work, the OpenSSF stands as a global force for securing the critical open-source that we all use. Here’s to five years of uniting communities, hardening the software supply chain, and driving a safer digital future.” — Tracy Ragan, CEO, DeployHub

“I found OpenSSF through my own curiosity, not by invitation, and I stayed because of the warmth, support, and shared mission I discovered. From contributing to the BEAR Working Group to receiving real backing for opportunities, the community consistently shows up for its members. It’s more than a project; it’s a space where people are supported, valued, and empowered to grow.” — Ijeoma Onwuka, Independent Contributor

🔼 Looking Forward

As we celebrate our fifth anniversary, OpenSSF is preparing for a future increasingly influenced by AI-driven tools and global collaboration. Community members across the globe envision greater adoption of secure AI practices, expanded policy influence, and deeper, inclusive international partnerships.

“As we celebrate OpenSSF’s 5th Anniversary, I’m energized by how our vision has grown into a thriving global movement of developers, maintainers, security researchers, and organizations all united by our shared mission. Looking ahead we’re hoping to cultivate our community’s knowledge and empower growth through stronger collaboration and more inclusive pathways for contributors.” — Stacey Potter, Community Manager, OpenSSF

📣 Join the Celebration

We invite you to share your memories, contribute your voice, and become part of the next chapter in securing open source software.

Here’s to many more years ahead! 🎉

OpenSSF Announces Initial Release of the Open Source Project Security Baseline

Blog, Press Release

New Initiative Aims to Enhance Open Source Software Security Through Tiered Best Practices

SAN FRANCISCO – February 25, 2025 – The Open Source Security Foundation (OpenSSF) is pleased to announce the initial release of the Open Source Project Security Baseline (OSPS Baseline). The Baseline initiative provides a structured set of security requirements aligned with international cybersecurity frameworks, standards, and regulations, aiming to bolster the security posture of open source software projects.

“The OSPS Baseline release is a significant milestone in advancing security initiatives within the open source ecosystem,” said Christopher Robinson, Chief Security Architect at OpenSSF. “We’re excited to roll out OSPS Baseline following community testing and validation — we are confident that these security best practices are both practical and impactful across open source projects.”

The OSPS Baseline offers a tiered framework of security practices that evolve with project maturity. It compiles existing guidance from OpenSSF and other expert groups, outlining tasks, processes, artifacts, and configurations that enhance software development and consumption security. By adhering to the Baseline, developers can lay a foundation that supports compliance with global cybersecurity regulations, such as the EU Cyber Resilience Act (CRA) and U.S. National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF).

“We’ve gotten helpful feedback from projects involved in the pilot rollout, including adoption commitments from GUAC, OpenVEX, bomctl, and Open Telemetry,” said Stacey Potter, Independent Open Source Community Manager, after helping lead the OSPS Baseline pilot efforts. “We know it can be tough to navigate all the security standards out there, so we built a framework that grows with your project. Our goal is to take the guesswork out of it and help maintainers feel confident about where they stand, without adding extra stress. It’s all about empowering the community and making open source more secure for everyone!”

“I’m excited to see the release of OSPS Baseline,” said Ben Cotton, Open Source Community Lead at Kusari & OSPS Baseline co-maintainer. “This effort provides actionable, practical guidance to help developers achieve appropriate security levels for their projects. Too often, security advice is vague or impractical, but Baseline aims to change that. Every improvement to open source security strengthens the modern software ecosystem, making it safer for everyone.”

OpenSSF invites open source developers, maintainers, and organizations to make use of the OSPS Baseline. Through engaging with this initiative, stakeholders can also contribute to refining the framework and promoting widespread adoption of security best practices in the open source community.

For more information and to get involved, please visit the OSPS Baseline website or GitHub.

Supporting Quotes:

“The OSPS Baseline release is an important step toward efficiently addressing the security and resilience of open source projects. Open source stewards, manufacturers who rely on open source, and end users will all benefit long-term as this community-defined criteria shines light on project security best practices.”

– Eddie Knight, Open Source Program Office Lead at Sonatype and OSPS Baseline Project Lead

“We applaud the launch of the OSPS Baseline as a crucial initiative in bolstering the security landscape of open source projects. At TestifySec, we recognize the importance of robust security frameworks like the OSPS Baseline in safeguarding software integrity and enhancing resilience against evolving cyber threats. We look forward to leveraging these guidelines to further fortify our commitment to delivering secure solutions for our clients and the broader open source community.” 

– Cole Kennedy, Co-Founder and CEO of TestifySec

“Security is a fundamental priority for the cloud native ecosystem, and the OSPS Baseline represents a major step forward in providing clear, actionable guidance for projects of all sizes. By establishing a tiered framework that evolves with project maturity, OSPS Baseline empowers maintainers and contributors to adopt security best practices that are scalable and sustainable. The CNCF is proud to support efforts like this that strengthen open source software at every level of development and we look forward to collaborating with the OpenSSF on adoption.”

– Chris Aniszczyk, Chief Technology Officer, Cloud Native Computing Foundation

“As open source has become integral in most of our technology stacks, it has become increasingly critical to streamline and standardize the security expectations between open source maintainers and consumers. By synthesizing the requirements and controls from a variety of laws, regulations, and standards, the OpenSSF Baseline provides a clear roadmap for open source consumers to understand their security foundations.”

– Evan Anderson, Principal Software Engineer at Stacklok and Open Source Maintainer

“The Open Source Project Security Baseline is a vital tool for enhancing the security of open source projects. By offering a comprehensive set of actionable measures, the Security Baseline provides effective guidance for all stakeholders in the open source ecosystem – manufacturers, stewards, and projects alike – to collaboratively assume responsibility and take meaningful steps to secure the open source supply chain on which we all rely.”

– Per Beming, Chief Standardization Officer at Ericsson

***

About the OpenSSF

The Open Source Security Foundation (OpenSSF) is a cross-industry initiative by the Linux Foundation that brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all. For more information, please visit us at openssf.org.

Media Contact
Noah Lehman
The Linux Foundation
nlehman@linuxfoundation.org