The Log4Shell vulnerability, disclosed in December 2021, was a defining moment for cybersecurity. It forced both governments and industry leaders to rethink how software security is managed across supply chains. While the open source community rapidly responded with patches and mitigations, the incident revealed deeper systemic challenges: Who is responsible for securing the foundational software that powers modern infrastructure? And how can maintainers and manufacturers work together to prevent such crises in the future?
Enter the EU Cyber Resilience Act (CRA), a landmark regulation that seeks to codify security practices for products with digital elements and the open source components they rely on. While it primarily places security obligations on commercial manufacturers, it also introduces the concept of open source software stewards: legal persons (typically foundations) that systematically support the development of open source software intended for commercial use, but are not themselves manufacturers and do not monetize the software. These stewards take on new responsibilities: they must put in place and document a cybersecurity policy, cooperate with market surveillance authorities, and notify actively exploited vulnerabilities and severe incidents that they become aware of.
This report builds upon our previous analysis of CRA’s implications for open source security and takes a deeper look at how three Linux Foundation projects—Civil Infrastructure Platform, Yocto Project, and Zephyr Project—are navigating these changes. By examining their security strategies, compliance challenges, and proactive measures, we aim to provide practical guidance for open source maintainers, manufacturers, and policymakers working toward a more resilient and secure software ecosystem.
The Linux Foundation and Open Source Security Foundation (OpenSSF) have been at the forefront of tackling the challenges introduced by the CRA. The Stewards and Manufacturers Workshop in December 2024, hosted in Amsterdam by Linux Foundation Europe and OpenSSF, provided an essential forum for open source stakeholders to collaborate on advancing readiness for CRA compliance. Discussions were structured around three critical workstreams—Awareness, Standards, and Tooling—designed to ensure a practical, community-driven approach to meeting CRA obligations over the next three years.
These workshops and their outcomes have significantly shaped the compliance landscape, and the sections that follow cover each of the three workstreams in turn: Awareness, Standards, and Tooling. The Tooling Workstream also underscored the importance of adopting best practices that have been developed through broad collaboration across the open source ecosystem. For instance, running the OpenSSF Scorecard against a project, publishing a security.txt file (RFC 9116) so that reporters can find the project's disclosure contact, and performing an OpenChain self-certification assessment are concrete steps toward a verifiable security baseline. The OpenSSF Scorecard, which scores a repository on practices such as dependency pinning and update automation, the presence of a security policy, code review, branch protection, and static analysis, serves as a key tool for identifying security gaps and tracking improvement over time. Together these actions establish a baseline for security and supply chain management, and they highlight the critical role that well-defined supply chain processes play in cybersecurity. License transparency, OpenChain's original focus, remains a priority as well: the same supply chain discipline that makes license compliance tractable is what makes security obligations tractable, mirroring the shift towards security as an essential aspect of software development.
The Log4Shell crisis made it clear that software security must be proactive, not reactive. The Cyber Resilience Act is the next major test. It’s a challenge to open source communities, manufacturers, and policymakers to build a security-first culture across the software supply chain.
As our report demonstrates, CRA compliance is an opportunity to improve security practices, implement standardized tooling, and create a culture of security leadership.
Open source thrives on shared responsibility and collective problem-solving. Together, we can ensure security remains at the heart of that mission.