Open Source Security Foundation

admin Sunday December 13, 2020

A couple of months ago, when writing about the end of EU-FOSSA 2, I criticized its reactionary nature, just as I had done a few years earlier about the Core Infrastructure "Initiative", EU-FOSSA's private-sector counterpart.

That is why we can once again be very grateful to the Linux Foundation's Jim Zemlin for setting up OpenSSF, which replaced the CII this year. Not only does the Open Source Security Foundation drop the "initiative" from its name, it really is a lot less reactionary, being established as a permanent project:

OpenSSF FAQ wrote:
The CII was funded largely by grants; OpenSSF will be supported by Linux Foundation membership dues with targeted organization contributions to support initiatives. The CII’s ongoing work is being transitioned to the OpenSSF, and we expect that the CII will eventually be dissolved as the OpenSSF replaces it.

A lot has changed since Heartbleed. The next challenge will be to see security efforts integrated into the primary software projects themselves, rather than housed in secondary projects that remain somewhat reactionary afterthoughts.

Here's hoping for truly organic security (which doesn't preclude external security assessments).

Wanting to become more universal than the CII, OpenSSF faces a serious challenge: prioritization. By trying to remain neutral, it so far appears to risk making its auditing efforts irrelevant, with its current method computing Qt's criticality as far lower than... some Bitcoin software. And beyond noting that the current metrics are broken, I don't see an easy fix without completely changing the approach. Here's hoping common sense prevails.