Pathways to Cybersecurity Best Practices in Open Source: How Three Linux Foundation Projects are Leading the Way in CRA Compliance
Anna Hermansen | 09 April 2025
The Log4Shell vulnerability in 2022 was a defining moment for cybersecurity. It forced both governments and industry leaders to rethink how software security is managed across supply chains. While the open source community rapidly responded with patches and mitigations, the incident revealed deeper systemic challenges: Who is responsible for securing the foundational software that powers modern infrastructure? And how can maintainers and manufacturers work together to prevent such crises in the future?
Enter the EU Cyber Resilience Act (CRA)—a landmark regulation that seeks to codify security practices for digital products and the open source components they rely on. While it primarily places security obligations on commercial manufacturers, it also introduces the concept of open source software stewards: organizations that support but do not monetize open source projects. These stewards now have new responsibilities for security policies, vulnerability disclosure, and regulatory cooperation.
This report builds upon our previous analysis of CRA’s implications for open source security and takes a deeper look at how three Linux Foundation projects—Civil Infrastructure Platform, Yocto Project, and Zephyr Project—are navigating these changes. By examining their security strategies, compliance challenges, and proactive measures, we aim to provide practical guidance for open source maintainers, manufacturers, and policymakers working toward a more resilient and secure software ecosystem.
Key findings
- The CRA introduces regulatory oversight with implications for OSS development across different stakeholder groups. One of these groups is the OSS steward—defined by the Act as the organizations that support open source technology development—which, under the Act, is responsible for managing cybersecurity policy and the processes to handle vulnerabilities.
- OSS projects must consider a range of activities in order to comply with the CRA. These include establishing a five-year roadmap to invest in teams and develop policies that meet the requirements of the Act; introducing semantic versioning so that manufacturers can tell substantial modifications apart from minor bug fixes; and adopting SBOMs with a high level of granularity.
- AI introduces new security risks. As manufacturers, governments, and other stakeholders turn at greater and greater speeds toward AI, OSS development must consider how to mitigate the threats that exist in AI-generated code and poisoned datasets.
- Standardized security tooling will accelerate CRA compliance. LF project outputs such as the OpenSSF Scorecard, SPDX 3.0, and OpenChain frameworks are examples of tooling that exist to help projects implement best practices and meet compliance requirements.
How OpenSSF is Tackling CRA Compliance
The Linux Foundation and Open Source Security Foundation (OpenSSF) have been at the forefront of tackling the challenges introduced by the CRA. The Stewards and Manufacturers Workshop in December 2024, hosted in Amsterdam by Linux Foundation Europe and OpenSSF, provided an essential forum for open source stakeholders to collaborate on advancing readiness for CRA compliance. Discussions were structured around three critical workstreams—Awareness, Standards, and Tooling—designed to ensure a practical, community-driven approach to meeting CRA obligations over the next three years.
These workshops and their outcomes have significantly shaped the compliance landscape, especially across the three workstreams: Awareness, Standards, and Tooling. The Tooling Workstream also underscored the importance of adopting best practices that have been developed through broad collaboration across the open source ecosystem. For instance, applying the OpenSSF Scorecard to projects, maintaining security.txt files, and performing an OpenChain self-certification assessment are crucial steps for ensuring cybersecurity in open source projects. The OpenSSF Scorecard, which evaluates projects based on security practices like dependency management, vulnerability disclosure, and code quality, serves as a key tool for identifying security gaps and improving project security. These actions establish a solid baseline for security and supply-chain management practices, emphasizing the critical role that well-defined supply chain processes play in cybersecurity. Additionally, license transparency remains a priority in the effort to improve software security, mirroring the shift towards treating security as an essential aspect of software development.
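Of the practices named above, the security.txt file is the one a steward has to keep current by hand, because the CRA-relevant contact and disclosure information it carries goes stale. The checker below is an added example written for this page, not code from the Linux Foundation, OpenSSF or any of the projects discussed; it validates a security.txt against the RFC 9116 rules for the required fields (Contact as a mailto:, tel: or https: URI; a single, timezone-aware, not-yet-past Expires) and flags unknown field names. The two sample files and the fixed "now" timestamp are constructed for the demonstration.

```python
"""Check a security.txt file (RFC 9116) for the fields a steward must keep current.

Added example; the sample files below are constructed, not taken from any real project.
"""
import re
from datetime import datetime, timezone

REQUIRED_FIELDS = ("Contact", "Expires")
# Field names defined by RFC 9116 (any other name is reported as unknown).
KNOWN_FIELDS = {"Contact", "Expires", "Encryption", "Acknowledgments",
                "Preferred-Languages", "Canonical", "Policy", "Hiring", "CSAF"}
CONTACT_URI = re.compile(r"^(mailto:|tel:|https://)")

# Constructed reference time so the Expires check is deterministic.
FIXED_NOW = datetime(2025, 4, 9, tzinfo=timezone.utc)

# Constructed sample: a well-formed file for a hypothetical project at example.org.
GOOD_SECURITY_TXT = """\
# security.txt for example.org (constructed sample)
Contact: mailto:security@example.org
Contact: https://example.org/report-a-vulnerability
Expires: 2026-04-09T00:00:00Z
Encryption: https://example.org/pgp-key.txt
Policy: https://example.org/security-policy
Canonical: https://example.org/.well-known/security.txt
"""

# Constructed sample with the defects a stale or hand-edited file typically has.
BAD_SECURITY_TXT = """\
Contact: security@example.org
Policy: https://example.org/security-policy
Foo: bar
"""


def parse_security_txt(text):
    """Map each field name to its list of values; comments and blank lines are skipped.

    Returns None if a non-comment line has no ':' separator.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            return None
        name, _, value = line.partition(":")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems found; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    if fields is None:
        return ["malformed line without ':' separator"]
    problems = []
    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field {name}")
    for name in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field {name}")
    for contact in fields.get("Contact", []):
        if not CONTACT_URI.match(contact):
            problems.append(f"Contact must be a mailto:, tel: or https: URI: {contact}")
    if "Expires" in fields:
        if len(fields["Expires"]) != 1:
            problems.append("Expires must appear exactly once")
        try:
            # Accept the trailing 'Z' form on Python versions whose fromisoformat rejects it.
            expires = datetime.fromisoformat(fields["Expires"][0].replace("Z", "+00:00"))
            if expires.tzinfo is None:
                problems.append("Expires must carry a timezone offset")
            elif expires <= now:
                problems.append("Expires is in the past; the file is stale")
        except ValueError:
            problems.append("Expires is not an ISO 8601 timestamp")
    return problems


if __name__ == "__main__":
    for label, sample in (("good", GOOD_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        print(label, validate_security_txt(sample, now=FIXED_NOW) or "OK")
```

Run it against a project's own `.well-known/security.txt` by reading the file into `validate_security_txt`; scheduling the check (for example in CI) catches an expired file well before a reporter finds a dead contact address.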
Looking Ahead: Strengthening Open Source Resilience
The Log4Shell crisis made it clear that software security must be proactive, not reactive. The Cyber Resilience Act is the next major test. It’s a challenge to open source communities, manufacturers, and policymakers to build a security-first culture across the software supply chain.
As our report demonstrates, CRA compliance is an opportunity to improve security practices, implement standardized tooling, and create a culture of security leadership.
Want to take action?
- Explore resources from Civil Infrastructure Platform (CIP), the Yocto Project, and Zephyr Project.
- Use OpenSSF Scorecard, SPDX 3.0, and OpenChain frameworks for compliance.
- Review the findings from this report to better understand the implications of the CRA and compile best practices that you can integrate into your workflow.
Open source thrives on shared responsibility and collective problem-solving. Together, we can ensure security remains at the heart of that mission.