The AI Cyber Challenge (AIxCC) results are in and the work continues through new #OpenSSF projects like OSS-CRS and FuzzingBrain.

Read the blog by Helen Woeste (OSTIF):

https://openssf.org/blog/2026/05/12/hack-to-the-future-the-impact-and-legacy-of-the-darpa-aixcc-challenge/

In 2023, DARPA announced a two-year-long competition called the Artificial Intelligence Cyber Challenge (AIxCC), a massive undertaking by dozens of organizations with the goal of safeguarding open source software used in critical infrastructure throughout America.

Read about the work on our blog: https://ostif.org/hack-to-the-future/

#OSTIF #DARPA #OpenSSF #OpenSource #AI

OSSGuard — one CLI to scan your project and tell you exactly which OpenSSF security practices are missing: Scorecard, SLSA, SBOM, Sigstore, and more.

Works with Python, Go, JS, Rust, Java, C/C++.

pip install ossguard
brew install kirankotari/tap/ossguard
npx ossguard

https://github.com/kirankotari/ossguard

#OpenSSF #SupplyChainSecurity #DevSecOps #OpenSource #DevOps #Python #Node #Golang #Community


Related to the previous toot:

"In March 2024, XZ Utils, a compression utility present on almost every Linux server, was compromised by a backdoor that had been hidden for two years. The attacker had gained the maintainer's trust, obtained commit rights, and then injected malicious code allowing remote code execution via SSH. [..] OpenSSF Scorecard provides an objective answer to this question of trust."

#openssf

https://blog.stephane-robert.info/docs/securiser/supply-chain/scorecard/


The CPS project has just officially secured the #OpenSSF Gold Badge.

CPS is the first project within the LFN community to hit this milestone. This badge proves that security and quality are baked into the DNA of the project.

Read the full story: https://openssf.org/blog/2026/05/07/the-road-to-gold-how-cps-set-a-new-standard-for-security-and-quality-in-open-source/

Voilà: the results of OSTIF's security audit of Paramiko! Thanks to the contributions of @quarkslab and Alpha-Omega, this project received custom security work reviewing Paramiko's testing, building and CI systems, and cryptography.

Read about our work on the Python implementation of the SSHv2 protocol at our blog: https://ostif.org/paramiko-audit-complete/

#OSTIF #quarkslab #OpenSSF #paramiko

In the latest What's in the SOSS?, Sally Cooper sits down with Brandt Keller from Defense Unicorns to talk about Zarf, a @CloudNativeFdn-ecosystem #OpenSSF Sandbox Project built to package, transfer, and deploy software in air-gapped environments.

https://openssf.org/podcast/2026/05/05/whats-in-the-soss-podcast-60-s3e12-packaging-transferring-and-deploying-software-in-air-gapped-environments-with-zarf/

@BrideOfLinux I enjoyed your article – thanks. Discovered three months after publication via <https://vermaden.wordpress.com/2026/05/04/valuable-news-2026-05-04/>.

Just one thing:

"… Isn’t this exactly what the Open Source Security Foundation was established to handle in the wake of OpenSSL’s difficulties?"

I'm not certain. The roadmap at <https://openssf.org/about/> begins:

"The OpenSSF strategy is outlined across three key areas:

We will be a Catalyst for Change, we will Educate and Empower the Modern Developer, and we will be an Ecosystem Leader. …"

There's much more than a roadmap – and I didn't attempt to digest the charter (it's difficult to read, with the watermark) – it's difficult to tell why the OSSF was established, and so on. I don't doubt that the Foundation does great work, there's just a lot to take in. @openssf

In the case of sudo: I imagine that the media was a catalyst for change. Some time between mid-February and 3rd March, the plea for sponsorship disappeared:

― <https://web.archive.org/web/20260215044031/https://www.millert.dev/>

― <https://web.archive.org/web/20260305141311/https://www.millert.dev/>.

(I recall reading the article in The Register, which was discussed in Reddit <https://old.reddit.com/r/programming/duplicates/1qwsvh9/sudos_maintainer_needs_resources_to_keep_utility/>, and so on.)

Cc @millert @governa

#sudo #OpenSSF

We're still beaming with pride since at #KubeCon + CloudNativeCon Europe in April we were celebrated by the #OpenSSF because we earned all five available badges in the #SecuritySlam: Cleaner, Chronicler, Inspector, Mechanizer, and Defender: https://openssf.org/blog/2026/04/10/security-slam-2026-celebrating-our-security-champions-and-project-milestones/

#OpenSSF warns of hackers impersonating Linux Foundation leaders on Slack, tricking developers into installing malware that can compromise entire systems.

Read: https://hackread.com/openssf-malware-slack-linux-foundation-figures/

#CyberSecurity #Malware #LinuxFoundation #Scam
