lf-security-white

 

Securing software is a priority for a functioning and thriving digital economy. Achieving sustainable and secure software, in particular open source software, is a shared effort, requiring a multi-faceted, long-term approach that includes tooling and resources, education, collaboration, and leadership! 

At the Linux Foundation, our projects and communities are shoring up software supply chain security in diverse, widespread, and comprehensive ways, and stewarding compliance with regulations such as the EU Cyber Resilience Act and the US Executive Order on Cybersecurity. To encourage project discovery and enhance collaboration, we’ve created LF Security, a central home where you can get the resources you need to improve your organization’s security posture, and to encourage more people to join us in our efforts.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             

LF Security brings together the myriad LF project communities, initiatives, resources, and infrastructure that each advance the security of software, including technical projects, standards and specifications, events and webinars, training and certification programs, research projects, and other tools and initiatives. We’re committed to growing widespread awareness of our security resources, and encourage all stakeholders to contribute time, talent, working capital, and other inputs as a means to sustaining them. 

If you’re new to open source, or a veteran of the community, LF Security is the place to find what you need to help secure open source software. And if you have a project to propose, want to contribute to our communities, or have other ideas to help us, we encourage you to get in touch!

Vector


Report a Security Vulnerability


Find the latest guidance on how to report vulnerabilities to LF projects and foundations, or with respect to Linux Foundation infrastructure (as a whole), or the main LF website.

threat_ico


Avoiding Social Engineering Takeovers


Read the alert for social engineering takeovers of open source projects to better recognize emerging threat patterns.

Discover the Linux Foundation projects and resources that accelerate open source software security

Alpha-Omega Logo horizontal-color

Alpha-Omega’s mission is to catalyze sustainable security improvements to the world’s most critical open source projects and ecosystem by funding highly-leveraged, shovel-ready security work.

cncf-main-site-logo

CNCF provides support for cloud native projects, working with independent third parties to provide security audits, supporting distributed systems safety research, and encouraging projects with high code complexity to integrate fuzzing.
(Cloud Audits +)

confidential_computing_consortium-logo-horizontal-color - Copy

Protecting data in use by performing computation in a hardware-based, attested Trusted Execution Environment, increasing the security assurances for organizations that manage sensitive and regulated data.
(Secure Data in Use)

Tux-flat-version

The Linux Kernel has a policy to fix known bugs as soon as possible and get releases out to users quickly. The project is a CVE Numbering Authority (CNA).

lfeducation_color25

Learners from around the world gain marketable open source skills as well as sought-after, verifiable certifications, including in the important area of security.
(Skills)

LF_Events_Color

LF Events are the meeting place of choice for open source maintainers, developers, architects, and leaders. Discover upcoming events with a security focus, including CloudNativeSecurityCon, and SOSS.
(Community)

lf-research-color

Linux Foundation Research publishes empirical insights into open source trends and readiness across industries and within technology domains, including reports specific to supply chain security.
(Open Content)

LF-Europe-logo-color-2

As an open source steward, LF Europe brings together businesses, developers, and policymakers to strengthen digital sovereignty through open collaboration. We are actively working to reduce ecosystem fragmentation and leading global efforts on regulations like the CRA, defining open source standards for the future of Europe and beyond.

lfx-logo-color-1

LFX provides a clear view into security for project stakeholders through automated scans and fix recommendations, enabling developers to identify and resolve vulnerabilities quickly. 
(Contextual Project Security Data)

OpenChain Project Logo

OpenChain provides security assurance programs, process management standards, reference material, a focused community and international partners to build a trusted software supply chain. It is the home of ISO/IEC 5230 and ISO/IEC 18974.
(Security Assurance Standards)

Open SSF Brand Logo

OpenSSF makes it easier to securely and sustainably develop, maintain, and consume the open source software we all depend on by fostering collaboration, defining best practices, and developing innovative solutions.
(Multi-Stakeholder Security)

PQCA Logo

The Post-Quantum Cryptography Alliance develops and advances the adoption of cryptographic solutions resistant to quantum attacks, ensuring the security and integrity of communications and data in this post-quantum era. 
(Quantum Security)

SPDX logo color


A freely available international open standard for Software Bill of Materials (SBOMs), communicating release information such as name, version, components, licenses, copyrights, superset profiles, and security references.
(Software Bill of Materials)

Explore industry-focused projects requiring specialized security standards and practices for regulatory compliance

FINOS_Icon_Wordmark_Name_RGB_horizontal
FINOS accelerate innovation in financial services through open source, standards, and data. To enable open collaboration in this highly regulated industry, FINOS provides an Open Source Readiness training/certification and ongoing security scanning for its projects.

lf-energy-logo

The security of the global power grid is of the utmost importance. LF Energy provides resources to ensure open source tools for interoperability and reliability of power grids and energy systems generally are built securely.

LFN-Logo-Color

LF Networking projects provide the building blocks for modern communications networks. Securely developing these projects to prevent serious security breaches is an important measure for hardening the critical infrastructure globally.

As CNCF projects permeate every industry across the world, it's of utmost importance to ensure high quality security practices for CNCF open source projects. CNCF has funded dozens of high impact security and fuzzing audits that have yielded multitudes of security improvements across some of the most widely used cloud native open source projects.

– Chris Aniszczyk, CTO, CNCF

Open source security is a critical issue for trusted supply chains. The OpenChain Project has contributed to this by creating ISO 18974:2023 as the standard for open source security assurance, a supporting ecosystem, and reference documentation. In collaboration with our peers in the Linux Foundation, we are working towards better open source business process management for everyone.

– Shane Coughlan, General Manager, OpenChain

Operating in a systemically critical industry means cybersecurity is integral to all we do at FINOS. Not only do we offer our projects ongoing security but initiatives like FINOS Common Cloud Controls offer a blueprint for how financial institutions realize the full value of their investment in open source, by collaborating on building a security rosetta stone of sorts which can then in turn be adopted by regulators worldwide.

 

– Gabriele Columbro, Executive Director, FINOS

LF events play an essential role in advancing open source security by connecting a diverse range of participants who share a passion for the enhancement of, and addressing the evolving challenges around, open source security.

 

– Angela Brown, SVP and GM of Events, Linux Foundation

New research enables a data-driven approach to security best practices. LF Research reports identify gaps and challenges that ultimately assist in enhancing the overall security posture of open source.

 

– Hilary Carter, SVP Research and Communications, Linux Foundation

Open source is a public good. The mission of the Open Source Security Foundation (OpenSSF) is to collaborate with the public sector, the private sector, and the community to ensure that open source software is secure for everyone.

 

– Omkhar Arasaratnam, General Manager, OpenSSF

With cyber threats increasing exponentially, we must provide individuals with the skills and knowledge needed to defend our IT infrastructure. Leaders need to recognize that cybersecurity is everyone's business and commit to equipping everyone with the necessary tools to navigate this ever-evolving landscape.

 

– Clyde Seepersad, SVP, General Manager, Training & Certification, Linux Foundation.

Open Source Software (OSS) security is vital for digital infrastructure that drives the economy. OpenSSF fosters collaboration among industry, academia, and the public sector, enhancing OSS security. Providing a vendor-neutral platform for developers, it strengthens digital trust, ensuring global system resilience.

 

– Arun Gupta, Vice President and General Manager, Open Ecosystem, open.intel.com

Innovation through open source software (OSS) and OSS security tools develops capabilities that become part of our software supply chain at Dell Technologies. When OSS is built leveraging security fundamentals, the supply chain becomes more resilient and facilitates better integration, automation, auditing, and sustainment within the supply chain.

– Sarah Evans, Senior Engineering Technologist, Dell Technologies

With organizations and consumers under constant threat, the collaboration between the world’s largest open source software foundation and the world’s largest cyber security professional association will prove to be a powerful force in securing a safe future for all. Secure open source code is critical, as it is the bedrock of so much innovation around the globe. Together with the Linux Foundation, ISC2 is dedicated to ensuring developers have access to the education and training they need to deliver more secure and resilient solutions.

– Clar Rosso CC, CEO, ISC2