Like many of you, I use open source software; this very sentence is being written with it. In fact, everyone uses open source software, one way or another, because the reality is that open source software is the backbone of the digital world. It’s not just the GNU/Linux operating systems: the cloud platforms, the mobile apps and the enterprise tools all depend on it, and open source software quietly powers almost everything we use. But regardless of its critical role, open source infrastructure is dangerously underfunded and insecure. To try and fix this, the Open Source Security Foundation (OpenSSF) has launched a wide effort to secure critical open source projects, the same projects that underpin most of the internet and a lot of enterprise software.
Source:
https://www.theregister.com/2025/09/23/openssf_open_source_infrastructure/?td=rt-3a
The Corporate Free Ride
Referring to open source software as “projects” carries a lot more meaning than it would seem at face value. From Linux to OpenSSL and countless libraries that form the foundation of modern computing, these tools are freely available, widely adopted, and frequently maintained by small teams of volunteers. They are like school projects that keep evolving. The success and adoption of these tools is a testament to the power of collaboration, but with that success and adoption comes the risk of neglect, as we found out a few years ago with the Heartbleed vulnerability in OpenSSL.
But don’t get me wrong. This is not a critique of the maintainers of that project. In fact, as previously stated, the whole internet was running on the backs of very few volunteers.
Many, if not most, commercial corporations make use of open source software, and sometimes make it the core of their own software products, while contributing little or nothing in return. Their products generate revenue and their operations scale on the shoulders of community-driven code. But when it comes to funding maintainers, patching vulnerabilities, or any sort of long-term support and sustainability, their involvement is often minimal or non-existent.
This situation is not just unfair, it is unsustainable. Without meaningful investment, the entire open source ecosystem is nothing but a house of cards, vulnerable to exploitation and failure.
OpenSSF’s Call to Action
The initiative led by the Open Source Security Foundation (OpenSSF) is a renewed effort to secure open source infrastructure. Backed by large tech companies, the initiative aims to improve code auditing, vulnerability detection, and sustainable funding. As the title of The Register article says, open source infrastructure doesn’t run on thoughts and prayers. But it is not enough for industry giants to act. We, as the broader community, must also be a part of this.
What You Can Do to Help
There is often the misconception that one must be an “expert” to contribute to open source. In fact, you don’t need to be a cybersecurity expert or a greybeard programmer to make a difference. Here are a few ways we can all help:
Report bugs and security issues
Improve documentation and usability
Donate to maintainers or sponsor projects
Advocate for upstream contributions in your workplace
Share knowledge through blogs, tutorials, or forums
Open source is a shared responsibility. If you benefit from it, and we all do, consider giving back. You can spend some time helping someone on a forum, work on the localisation of a piece of software by translating it into your own language, type a few lines of documentation, donate some money to a project you enjoy, or be an advocate for open source. Any support helps ensure that the tools we all rely on remain secure, resilient, and free.
So here’s my challenge to you, dear reader, and of course to me. Will you find a way to help?