Welcome to the January 2026 edition of the OpenSSF Newsletter. This issue highlights new research, community priorities, and upcoming events across the open source security ecosystem.

TL;DR:

📊 2026 Cyber Resiliency Survey → Measure the awareness of CRA

🧭 OpenSSF 2026 Themes → What’s ahead and how to get involved

🔎 OSS Africa, VEX, AI & OSPS Baseline → Practical blogs and podcast highlights

🌍 Events & Community → GVIP Summit, EU Policy Summit, FOSDEM, Open Source SecurityCon Europe, CFPs, and project updates

OpenSSF and Linux Foundation Research: 2026 Cyber Resiliency Survey

As cybersecurity legislation such as the EU Cyber Resilience Act (CRA) takes effect, open source communities are beginning to feel its impact, from maintainers and contributors to organizations that rely on open source every day. Building on last year’s inaugural study, Linux Foundation Research and OpenSSF are again inviting the community to share perspectives through a new survey focused on awareness and readiness for cybersecurity regulation.

Your perspective matters. By participating, you help strengthen shared understanding, surface real community needs, and support the open source ecosystem as it navigates emerging regulatory challenges. Take the Survey.

OpenSSF at FOSDEM 2026: From Policy to Practical Security

OpenSSF is heading to Brussels for FOSDEM 2026 and Open Source Week, building on last year’s momentum around practical open source security, CRA readiness, and community-driven solutions. Expect strong presence across policy and technical devrooms, a joint booth with Linux Foundation Europe (K2-A-03), and active participation in key events like the GVIP Summit and EU Open Source Policy Summit. The focus this year: turning regulation and security best practices into real, usable tooling and guidance for maintainers and projects. Read the blog.

OpenSSF’s 2026 Themes: A Community Roadmap for Securing the Future of Open Source

Curious about what security topics will shape the open source world in 2026 and how you can be part of it? Read about OpenSSF’s quarterly themes from AI and ML security to vulnerability transparency, global policy alignment, and Baseline adoption. This blog also highlights key events, community activities, and how to get involved. Read more.

Signal in the Noise: An Industry-Wide Perspective on the State of VEX

Key stakeholders, Aubrey Olandt (Red Hat), Brandon Lum (Google), Charl de Nysschen (Google), Christoph Plutte (Ericsson), Georg Kunz (Ericsson), Jonathan Douglas (Microsoft), Jautau “Jay” White (Microsoft), Martin Prpič (Red Hat), and Rao Lakkakula (Microsoft) look at how VEX is developing across the software industry. VEX provides structured, machine-readable statements about whether a vulnerability affects a product. It can reduce false positives and cut down the workload for security teams, but adoption is still uneven. This report reviews the main VEX formats CSAF, OpenVEX, CycloneDX, and SPDX and highlights gaps in tooling, trust, and distribution. Read more.

Catching Malicious Package Releases Using a Transparency Log

In this guest blog from Trail of Bits, learn how transparency logs like Rekor, combined with tools such as rekor-monitor, help package maintainers spot tampering and unauthorized signatures in real time. With support from OpenSSF, new improvements make monitoring easier, more reliable, and ready for production, an important step toward securing the open source software supply chain.

Read the full blog to see how transparency logs work, why they matter, and what’s coming next.

AI, Software Development, Security, Tips, and the Future (Part 1 & 2)

How is AI really changing software development today? In “AI, Software Development, Security, Tips, and the Future (Part 1)”, David A. Wheeler notes that AI use during software development has become the norm because “productivity is king,” even though AI-generated results are frequently wrong, and discusses the security risks around development environments and insecure generated code. In Part 2, he continues by offering practical tips on how developers can better use AI, touches on licensing and “vibe coding,” and looks toward the future, explaining that AI won’t replace developers anytime soon, but will increase both attack and defense capabilities in software security. If you haven’t read both blogs yet, they provide a clear, realistic view of how AI is affecting software today and what developers should be thinking about next.

Your Guide to the OpenSSF OSPS Baseline for More Secure Open Source Projects

What does good security actually look like for open source projects? This new blog walks through the community-developed OSPS Baseline, a catalog of practical security controls that helps projects understand expectations, improve over time, and meet users where they are. With FOSS in up to 96% of modern codebases and relied on across nearly every industry, the blog explains why shared security practices matter and how the Baseline connects to standards like NIST SSDF, the EU Cyber Resilience Act, and ISO 27001. It also links to keynotes, a tech talk, a podcast, a real project case study, and FAQs so you can see how the Baseline works in practice. Read the blog.

Collecting Badges, Building Bridges: Representing OpenSSF and Linux Foundation Across Europe

How does it feel to represent a global open source security community across Europe? In his blog, Madalin Neag reflects on attending key open source, cybersecurity, and standardization meetings on behalf of OpenSSF throughout 2025. He describes how each conference badge represents conversations, collaboration, and the growing understanding that open source security is becoming an essential part of Europe’s cybersecurity future. The blog highlights the connections formed between maintainers, policymakers, standards groups, and community leaders, and shows how work in open source security bridges policy and practice across many different environments. Read more.

Strengthening Open Source Security Through Community: Introducing OSSAfrica

OSSAfrica is a new community-led initiative working to strengthen open source security across Africa by connecting contributors, maintainers, developers, and security practitioners. Operating as a Special Interest Group under the OpenSSF BEAR Working Group, OSSAfrica focuses on community building, security awareness, locally relevant solutions, and creating clear pathways for African contributors to engage in global open source security efforts. Learn why this work matters, what’s being built, and how you can get involved. Read the blog.

Preserving Open Source Sustainability While Advancing CRA Compliance

This blog looks at how voluntary security attestation models under the EU Cyber Resilience Act could unintentionally shift risk and responsibility onto open source developers. It argues that CRA compliance should stay focused on downstream manufacturers and rely on automation and verifiable security metadata rather than upstream attestations that could undermine open source sustainability.

What’s in the SOSS? An OpenSSF Podcast:

#47 – S2E24 Teaching the Next Generation: Software Supply Chain Security in Academia with Justin Cappos

This episode goes inside academia with NYU’s Justin Cappos, who explains why universities struggle to teach software supply chain security and how his course is producing highly skilled professionals. He and Yesenia Yser talk about curriculum, real-world open source collaboration, and how the Linux Foundation’s Academic Computing Acceleration Program could reshape security education.

#48 – S2E25 2025 Year End Wrap Up: Celebrating 5 Years of Open Source Security Impact!

CRob and Yesenia close out the year with a special wrap-up celebrating OpenSSF’s fifth anniversary and a huge year in open source security. They look back at new free training courses, highlights from the DARPA AI Cyber Challenge, standout interviews, major projects such as, OSPS Baseline and AI model signing, and community conversations across SBOMs and supply chain security. With nearly 12,000 downloads and big plans for Season 3, this episode is a fun look at how far the community has come and what’s ahead in 2026.

#49 – S3E1 Why Marketing Matters in Open Source: Introducing Co-Host Sally Cooper

In this Season 3 premiere, What’s in the SOSS? welcomes Sally Cooper as an official co-host. Sally shares her path from technical training and documentation to marketing leadership at OpenSSF, and explains why marketing matters in open source communities. Joined by CRob and Yesenia Yser, the conversation explores personas, personal branding, trust, and how marketing helps great projects get discovered, supported, and sustained. The episode also offers a preview of OpenSSF’s 2026 marketing themes and practical ways for newcomers to get involved.

News from OpenSSF Community Meetings and Projects:

• The TAC approved the FuzzingBrain Cyber Reasoning System as an OpenSSF sandbox project.
• The Global Cyber Policy WG is collaborating on feedback for several EU Public Consultations with upcoming deadlines.
• The Best Practices WG presented its quarterly update to the TAC.
• The Supply Chain Integrity WG will has an open call for nominations for its Chair election.
• The OpenSSF Model Signing project worked on an updated roadmap.
• The BEAR WG is creating an OSSAfrica Special Interest Group.
• The Open Source Summit North America CFP closes Feb 9 and the CFP for OpenSSF Community Day North America closes Feb. 15.
• Alpha-Omega joins FOSDEM (31 Jan–1 Feb, Brussels) with two sessions led by Michael Winser exploring The terrible economics of package registries and how to fix them and Beyond SBOM: Integrating VEX into Open Source Workflows alongside Munawar Hafiz and Piotr P. Karwasz.
• The 2026 State of the Software Supply Chain Report from Sonatype highlights how AI-driven development is accelerating risk and why package repositories must be treated and supported as critical infrastructure for secure open source software.This message closely aligns with Open Infrastructure is Not Free: A Joint Statement on Sustainable Stewardship, which underscores the shared responsibility required to fund, maintain, and protect open source.

In the News:

• Cloud Native Now, Mike Vizard: Best of 2025: Docker, Inc. Adds Curated Hardened Container Images to Hub
• Technology Magazine, Maya Derrick: Top 10: Technology Associations
• The New Stack, Steven J. Vaughn-Nichols: Open Source: Inside 2025’s 4 Biggest Trends – The New Stack
• VMblog, David Marshall: Five cybersecurity predictions for 2026
• ZDNET, Steven Vaughan-Nichols: Linux will be unstoppable in 2026 – but one open-source legend may not survive
• ZDNET France, Steven Vaughan-Nichols: Linux will be unstoppable in 2026 – but one open-source legend may not survive

Meet OpenSSF at These Upcoming Events!

Connect with the OpenSSF Community at these key events:

• GVIP Summit #01 – January 28, 2026
• EU Open Source Policy Summit – January 30, 2026
• FOSDEM 2026 – January 31 & February 1, 2026
• The Linux Foundation Member Summit – February 24 & 25, 2026
• FOSS Backstage – March 16 & 17, 2026
• Open Source SecurityCon Europe – March 23, 2026
• KubeCon Europe – March 23 – 26, 2026
• OpenSSF Community Day North America – May 21, 2026

Ways to Participate:

There are a number of ways for individuals and organizations to participate in OpenSSF. Learn more here.

You’re invited to…

• Join a Working Group or Project
• Chat with us on Slack
• Follow us on X, Mastodon, Bluesky, and LinkedIn

See You Next Month! 

We want to get you the information you most want to see in your inbox. Missed our previous newsletters? Read here!

Have ideas or suggestions for next month’s newsletter about the OpenSSF? Let us know at marketing@openssf.org, and see you next month! 

Regards,

The OpenSSF Team