A couple of months ago, when writing about the end of EU-FOSSA 2, I criticized its reactionary nature, just as I had done a few years earlier about the Core Infrastructure "Initiative", EU-FOSSA's private counterpart.
That is why we can feel very grateful once again to the Linux Foundation's Jim Zemlin for setting up OpenSSF, replacing the CII this year. Not only does the Open Source Security Foundation lose the "initiative" in its name, but it really is a lot less reactionary, established as a permanent project:
A lot has changed since Heartbleed. The next challenge is to see security efforts integrated into the primary software projects themselves, rather than housed in secondary projects that remain somewhat reactionary afterthoughts.
Here's hoping for truly organic security (which does not preclude external security assessments).