29.5: Corporate Contributions to Open Source Security
Every major technology company depends on open source software. Google runs on Linux. Microsoft Azure serves workloads using thousands of open source components. Amazon Web Services builds on countless open source projects. Financial institutions, healthcare systems, and government agencies all depend on the same shared infrastructure. Yet for years, most corporations consumed open source without meaningfully contributing to its security—a tragedy of the commons where everyone benefited but few invested.
This dynamic has shifted dramatically. Leading technology companies now invest substantially in open source security, recognizing that their own security depends on ecosystem security. These investments take multiple forms: dedicated security teams working on open source, financial contributions to foundations and projects, release of internal security tools, and participation in standards development. For organizations considering their own engagement, understanding how leaders contribute—and the business case driving those investments—provides a roadmap for meaningful participation.
Direct Security Contributions
The most impactful corporate contributions often come through direct engineering work: security engineers finding and fixing vulnerabilities, developing security tooling, and improving project security practices.
Google Open Source Security Team:
Google's Open Source Security Team (GOSST) represents perhaps the most significant dedicated investment in open source security. The team:
- Works directly with critical open source projects to improve security
- Develops security tools used across the ecosystem (Sigstore, OSV, SLSA)
- Contributes to security standards and specifications
- Funds security work through programs like Alpha-Omega
GOSST contributions include founding and maintaining Sigstore (now processing millions of signatures), developing the OSV schema and database, contributing to SLSA specification, and providing direct security engineering support to projects like Python, Node.js, and others.
Google has publicly stated that protecting open source software is essential to its own security posture, recognizing that ecosystem security directly impacts corporate security.
Microsoft Open Source Security:
Microsoft has transformed from an open source skeptic to a major contributor:
- GitHub Security: Microsoft-owned GitHub provides security features (Dependabot, code scanning, secret scanning) free for open source projects
- Security Research: Microsoft Security Response Center researchers investigate open source vulnerabilities
- Direct Contributions: Microsoft engineers contribute security fixes to projects Microsoft depends on
- OpenSSF Leadership: Microsoft serves on OpenSSF governing board and contributes to multiple working groups
Microsoft's GitHub acquisition multiplied impact—security features built into the world's largest code hosting platform reach millions of projects automatically.
Other corporate security teams:
Additional significant contributors include:
- Red Hat Security Team: Long-standing investment in Linux kernel security, container security, and enterprise open source
- Intel Security: Hardware security research benefiting open source operating systems
- Cisco Security: Network protocol security contributions
- Trail of Bits: Security firm contributing tools and research
- Chainguard: Company founded around supply chain security, contributing extensively to Sigstore
Engineering contribution models:
Companies contribute engineering time through several models:
| Model | Description | Example |
|---|---|---|
| Dedicated teams | Full-time engineers working on open source security | Google GOSST |
| 20% time | Engineers allocate time to open source work | Various companies |
| Strategic projects | Investment in specific critical projects | Alpha-Omega engagements |
| Upstream first | Fix security issues in upstream projects rather than maintaining private patches | Red Hat policy |
| Acquisition | Acquire security companies and open source their tools | Various |
Financial Contributions
Direct financial investment supports open source security through multiple channels.
Foundation memberships:
Major foundations fund open source security work through membership dues:
Linux Foundation:
- Platinum membership: $500,000 annually
- Multiple membership tiers
- Funds OpenSSF and other security initiatives
- Members include Google, Microsoft, IBM, Intel, and dozens of others
OpenSSF specifically:
- Premier members provide substantial annual funding
- General members contribute at lower tiers
- Funding supports Alpha-Omega, tool development, and operations
Apache Software Foundation:
- Sponsorship tiers from $5,000 (Bronze) to $100,000 (Platinum)
- Funds security infrastructure and response capabilities
- Supports security work across 350+ Apache projects
Project sponsorship:
Beyond foundation membership, companies sponsor specific projects:
- GitHub Sponsors: Direct sponsorship of maintainers and projects
- Open Collective: Fiscal sponsorship enabling project funding
- Tidelift: Commercial model paying maintainers for security and maintenance
- Direct grants: Companies fund specific security improvements
Financial contribution examples:
Notable financial commitments include:
- Google and Microsoft's multi-million dollar OpenSSF investment
- Amazon's funding for Python Software Foundation security initiatives
- Multiple companies funding Alpha-Omega's security work
- Corporate sponsorship of security audits through OSTIF
Sovereign Tech Fund and public sector investment:
While corporate funding dominates open source security investment, public sector funding models are emerging as complementary approaches. Germany's Sovereign Tech Fund (STF), operated by the Sovereign Tech Agency, represents a pioneering government investment model for critical open source infrastructure. The fund's budget has grown significantly, from €3.5 million in 2022 to a projected €17 million in 2025, with total investments now exceeding €24 million supporting over 45 critical technologies.
STF funding model:
- Focus on critical digital infrastructure benefiting the public good
- Multi-year commitments enabling sustainable improvements
- Technical experts evaluate proposals and track progress
- Emphasis on maintenance, security, and accessibility improvements
- Applications open on a rolling basis with a minimum €50,000 funding threshold
Notable STF investments in security (2024-2025):
- FreeBSD Foundation: €686,400 for zero-trust builds, SBOM tooling, and infrastructure modernization
- Eclipse Foundation: Support for enhanced project infrastructure and supply chain security
- systemd, PHP, and Servo: Funding earmarked in October 2025 extending into 2026
- Various critical libraries: curl, OpenSSL implementations, and other foundational components
Beyond grants, STF launched a Maintainer Fellowship program in September 2024, providing stipends to ease open source labor shortages. Additional initiatives include a bug resilience program and Contribute Back Challenges.
The STF model complements corporate funding by:
- Different incentive structure: Public benefit focus rather than corporate risk reduction
- Long-term sustainability: Multi-year commitments beyond quarterly corporate priorities
- Maintenance focus: Funding "unglamorous" security maintenance, not just new features
- European policy alignment: Supporting EU digital sovereignty and security objectives
The combination of corporate funding (Alpha-Omega, company sponsorships) and public funding (STF, government grants) creates a more resilient funding ecosystem. Projects benefit from both immediate corporate security needs and longer-term public infrastructure investment. This hybrid model may represent the future of sustainable open source security funding, particularly as governments recognize open source as critical public infrastructure requiring public investment.
Return on investment:
Companies calculate ROI from financial contributions through:
- Risk reduction: Lower probability of supply chain incidents
- Efficiency: Shared investment provides more security than individual efforts
- Influence: Voice in project direction and security priorities
- Reputation: Recognition as responsible ecosystem participants
Sharing Internal Tools and Practices
Many significant open source security tools began as internal projects that companies released publicly, multiplying their impact.
Security tooling releases:
Sigstore (Google): Originally developed at Google, Sigstore provides signing infrastructure for the entire ecosystem. Now a Linux Foundation project, Sigstore processes millions of signatures for packages across npm, PyPI, and other registries.
Trivy (Aqua Security): Trivy began as an internal vulnerability scanner and became one of the most widely-used open source security scanners, supporting container images, filesystems, Git repositories, and Kubernetes.
Syft and Grype (Anchore): Anchore released Syft (SBOM generation) and Grype (vulnerability scanning) as open source tools, creating widely-adopted components of the supply chain security toolkit.
Falco (Sysdig): Sysdig contributed Falco to the CNCF, providing runtime security monitoring used across cloud-native environments.
Dependency-Track (OWASP): Originally developed by Steve Springett starting in 2013, Dependency-Track became a flagship OWASP project for SBOM management and vulnerability tracking, celebrating its 10th anniversary in 2023.
OSS-Fuzz (Google): Google's continuous fuzzing infrastructure, offered free to open source projects, has found over 50,000 bugs and 13,000+ vulnerabilities across 1,000+ critical projects.
Practice sharing:
Beyond tools, companies share security practices:
- Google's Infrastructure Security Design Overview: Detailed documentation of security practices
- Netflix's security blog: Sharing security approaches and tools
- Microsoft's Security Development Lifecycle: Guidance on secure development
- Various BeyondCorp/Zero Trust publications: Sharing architectural approaches
This practice sharing raises security baselines across the industry.
Participation in Standards and Working Groups
Corporate participation in standards development shapes ecosystem security infrastructure.
OpenSSF participation:
Major companies participate across OpenSSF working groups:
| Working Group | Corporate Participants |
|---|---|
| Supply Chain Integrity | Google, Microsoft, Intel, VMware |
| Security Tooling | GitHub, GitLab, Snyk |
| Vulnerability Disclosures | GitHub, Google, Red Hat |
| Best Practices | Multiple companies |
This participation shapes tools like Sigstore, SLSA, and Scorecard that become ecosystem standards.
IETF and W3C:
Security-relevant standards developed with corporate participation:
- TLS/SSL protocol improvements
- WebAuthn and passwordless authentication
- Supply chain transparency specifications
- Security-related HTTP headers
ISO and NIST:
Corporate experts participate in formal standards bodies:
- ISO 27001 updates
- NIST Secure Software Development Framework
- NIST SBOM guidance
- Various cybersecurity frameworks
CNA program:
Companies serving as CVE Numbering Authorities contribute to vulnerability infrastructure:
- GitHub processes advisories and assigns CVEs at scale
- Microsoft, Google, and others assign CVEs for reported vulnerabilities
- Corporate CNAs enable faster vulnerability identification
OpenSSF Ecosystem Achievements
Beyond individual corporate contributions, the collective work coordinated through OpenSSF demonstrates the multiplier effect of collaborative investment. The foundation serves as the organizing mechanism through which corporate resources translate into ecosystem-wide security improvements.
2025 organizational growth:
OpenSSF continued expanding in 2025, now reaching members across more than 40 countries. This global growth reflects increasing recognition that open source security requires coordinated investment rather than individual efforts. Members span technology giants (Google, Microsoft, Amazon), security vendors (Snyk, Chainguard), cloud providers, financial institutions, and organizations across diverse industries. The 2025 report highlights major achievements in education, tooling, vulnerability management, research, and global collaboration.
Tool adoption and impact:
Corporate-backed OpenSSF projects achieved substantial adoption through 2025:
OpenSSF Scorecard: The project continues advancing, with a full security audit completed through OSTIF and ADA Logics covering five key repositories. Recent releases added experimental support for Azure DevOps repositories, machine-readable patches for detected script injection vulnerabilities, and fuzzing detection for Elixir, Gleam, and Erlang. Scorecard now regularly scans over 1.2 million repositories and makes results publicly available. A new centralized dashboard from Ortelius consolidates Scorecard metrics at the "logical application" level, addressing the complexities of modern software architectures. Collaboration continues with package managers like npm, PyPI, and Maven Central to showcase Scorecard results directly on their platforms.
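The workflow script-injection class that Scorecard flags, shown as an added example rather than Scorecard's own check: a constructed vulnerable step beside its hardened form, and a small line-based detector (a hypothetical helper, not Scorecard code) that flags untrusted event data interpolated directly into `run:`/`script:` bodies while accepting the same data passed through `env:`.

```python
"""Detect GitHub Actions script injection: untrusted event fields expanded
inside a shell `run:` (or github-script `script:`) body. Added example, not
Scorecard's Dangerous-Workflow check; both workflows below are constructed
samples and the detector is a simplified line-based heuristic."""
import re

# Constructed: the expression result is pasted into the shell command, so a
# crafted issue title can terminate the string and be executed as shell.
VULNERABLE_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  announce:
    runs-on: ubuntu-latest
    steps:
      - run: echo "New issue: ${{ github.event.issue.title }}"
"""

# Constructed: the same data is routed through an environment variable; the
# shell sees a quoted variable reference and the value is never parsed as code.
HARDENED_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  announce:
    runs-on: ubuntu-latest
    steps:
      - run: echo "New issue: $ISSUE_TITLE"
        env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
"""

# Event fields whose contents are chosen by whoever opens the issue/PR/comment.
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*(?:github\.event\.(?:issue|pull_request|comment|review|"
    r"review_comment|discussion|head_commit|commits|workflow_run)\.[\w.\[\]]+"
    r"|github\.head_ref)\s*\}\}"
)
RUN_KEY = re.compile(r"^(-\s+)?(run|script):\s*(.*)$")


def find_script_injections(workflow_text: str) -> list:
    """Return (line_number, expression) for each untrusted expression that
    appears inside a run:/script: scalar. Lines under env:/with: are not
    run bodies and are therefore accepted."""
    findings = []
    in_run, run_indent = False, -1
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.lstrip()
        if not stripped:
            continue
        indent = len(line) - len(stripped)
        key = RUN_KEY.match(stripped)
        if key:
            in_run = True
            # Column of the key itself: "- run:" puts the key after the dash.
            run_indent = indent + len(key.group(1) or "")
            m = UNTRUSTED_EXPR.search(key.group(3))   # inline `run: ...` form
            if m:
                findings.append((lineno, m.group(0)))
            continue
        if in_run and indent > run_indent:            # block scalar body
            m = UNTRUSTED_EXPR.search(line)
            if m:
                findings.append((lineno, m.group(0)))
            continue
        in_run = False                                 # back to sibling keys
    return findings
```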
Sigstore: Corporate investment in Sigstore—originally developed at Google and now a Linux Foundation project—drove explosive adoption across package ecosystems. Sigstore-powered attestations became generally available on PyPI (November 2024), with rapid adoption following. Ecosystem support now spans Homebrew (May 2024), Maven Central (January 2025), and NVIDIA's NGC for AI model signing (July 2025). In 2025, Rekor v2 reached general availability, making the transparency log infrastructure cheaper to run and simpler to maintain. Trail of Bits, with OpenSSF funding, is improving Sigstore's rekor-monitor to help maintainers detect malicious package releases and monitor signing identities. This represents transformation from corporate internal tooling to ecosystem-wide infrastructure in under three years.
SLSA: The Supply Chain Levels for Software Artifacts framework released v1.2 in November 2025, a major milestone that introduced the Source Track. This new track covers threats from source code authoring, review, and management, requirements that earlier versions touched on but that v1.2 now addresses comprehensively. Corporate contributors from Google, Microsoft, Red Hat, and GitHub drive SLSA evolution through the OpenSSF Supply Chain Integrity working group. Development continues with the Build Environment Track and Dependency Track planned for future versions.
Training and education:
Corporate-funded educational initiatives expanded open source security knowledge. In 2025, OpenSSF launched three new free educational courses addressing critical emerging topics: EU Cyber Resilience Act compliance, AI/ML security, and security guidance for software development managers. These complement the foundation's "Developing Secure Software" course (LFD121), which has now exceeded 20,000 total enrollments. This training—developed with contributions from corporate security experts—provides security education at scale that individual companies couldn't deliver alone.
AI/ML security and autonomous vulnerability discovery:
Recognizing emerging risks, OpenSSF's Best Practices and AI/ML Working Groups created a Security-Focused Guide for AI Code Assistant Instructions, with contributors from Microsoft, Google, and Red Hat. The groundbreaking DARPA AI Cyber Challenge in 2025 saw competitors achieve over 90% accuracy in autonomous vulnerability discovery, demonstrating AI's potential for security at scale. OpenSSF also released guidance on AI model signing and the Open Source Project Security (OSPS) Baseline, providing standardized security requirements for open source projects.
Policy and regulatory engagement:
Corporate participation in OpenSSF working groups shaped regulatory approaches to open source security. In 2025, the foundation deepened engagement with governments and standards bodies including work around the EU Cyber Resilience Act (CRA) and expanded collaboration with ETSI, BSI, and CEN/CENELEC. A 2025 policy summit in Washington, D.C. brought together industry and government to coordinate security approaches. Corporate expertise channeled through OpenSSF helps ensure regulations account for open source realities rather than imposing unworkable requirements.
Global reach:
OpenSSF's expansion to members across more than 40 countries with events hosted on multiple continents demonstrates that corporate investment in open source security has become a global priority, not just a North American or European concern.
Eclipse Foundation regulatory leadership:
The Eclipse Foundation has positioned itself as a leader in helping open source navigate the emerging regulatory landscape, particularly regarding the EU Cyber Resilience Act (CRA). In September 2024, Eclipse launched the Open Regulatory Compliance Working Group (ORC WG) to support participants across the global open source community—developers, enterprises, industries, and foundations—in understanding and adhering to evolving regulatory frameworks.
The ORC WG develops practical guidance including:
- EU CRA FAQs: Comprehensive guidance on compliance for open source participants
- Collaboration with OpenSSF: Joint initiatives on regulatory compliance and self-assessment
- CVE Numbering Authority: Eclipse serves as CNA for Eclipse projects, demonstrating effective vulnerability management processes that align with regulatory expectations
- Cross-foundation coordination: Working with Linux Foundation Europe, OpenSSF, and other foundations to ensure consistent regulatory approaches
Eclipse Temurin supply chain security: The Eclipse Adoptium Working Group's Eclipse Temurin project exemplifies supply chain security best practices in the Java ecosystem, building what they describe as "the world's most secure OpenJDK distribution":
- Independently verified builds: All platform builds undergo independent verification
- Comprehensive SBOMs: Complete software bill of materials included with distributions
- Reproducible builds: Build process enables verification and reconstruction
- Supply chain transparency: Full traceability from source to distribution
With Sovereign Tech Agency support in 2024-2025, Eclipse enhanced project infrastructure and supply chain security across the ecosystem, demonstrating how established foundations can modernize security practices while maintaining commitment to open source principles.
Eclipse's proactive regulatory engagement helps ensure that frameworks like the EU CRA account for open source realities rather than imposing unworkable requirements designed for commercial software vendors. This bridge-building between regulatory bodies and open source communities benefits the entire ecosystem.
The Business Case for Corporate Engagement
Corporate open source security investment isn't charity—it's enlightened self-interest with measurable returns.
Risk reduction:
Organizations consuming open source face supply chain security risks. Contributing to ecosystem security directly reduces those risks:
- Vulnerabilities found through funded security research are fixed before exploitation
- Improved tooling enables better internal security practices
- Stronger ecosystem security means fewer incidents to respond to
Quantifying this risk reduction: The global average data breach cost was $4.44 million in 2025 (IBM Cost of a Data Breach Report 2025)—a 9% decline from 2024, marking the first drop in five years. However, U.S. costs bucked the trend, jumping 9% to an all-time high of $10.22 million. Notably, supply chain compromises were the second-most prevalent attack vector at nearly 15%. Preventing even one supply chain incident justifies substantial ecosystem investment.
Efficiency through shared investment:
Security improvements benefit everyone, making shared investment more efficient than individual efforts:
- A vulnerability fixed upstream is fixed for all consumers
- Security tools developed collaboratively benefit the entire ecosystem
- Standards enable interoperability and avoid duplicated effort
Influence over direction:
Participating organizations gain voice in project and ecosystem direction:
- Foundation membership provides governance participation
- Working group participation shapes tool development
- Direct contribution builds relationships with maintainers
This influence helps ensure ecosystem evolution aligns with organizational needs.
Talent attraction and retention:
Open source contribution supports talent strategy:
- Engineers want to work on impactful, visible projects
- Contribution opportunities attract security talent
- Open source work builds skills applicable internally
Regulatory positioning:
Emerging regulations (EU CRA, CISA guidance) increasingly reference open source security:
- Demonstrating ecosystem contribution supports regulatory compliance narratives
- Participation in standards shapes regulatory requirements
- Proactive investment positions organizations favorably
Reputation and trust:
Visible contribution builds reputation:
- Customers recognize security investment
- Community recognition as responsible participants
- Differentiation from competitors who only consume
Impact Examples
Concrete examples demonstrate corporate contribution impact:
Sigstore adoption:
Google's investment in developing and maintaining Sigstore—now an OpenSSF project with broad corporate backing—has resulted in rapid ecosystem transformation:
- PyPI: Over 20,000 attestations uploaded within months of the November 2024 general availability launch, with 5% of the top 360 projects already publishing attestations
- npm: Over 3,800 projects adopted build provenance during public beta (April-September 2023), including 134 high-impact projects generating 500+ million downloads of provenance-enabled package versions
- Broader adoption: Homebrew (May 2024), Maven Central (January 2025), NVIDIA NGC for AI model signing (July 2025)
- Infrastructure scale: Processing millions of signatures across multiple package ecosystems
- Industry standard: Keyless signing adopted as the preferred approach for software supply chain security
This represents transformation from internal Google tooling to critical internet infrastructure in under three years—demonstrating how corporate investment in open source tools can rapidly reshape ecosystem security practices.
OSS-Fuzz results:
Google's OSS-Fuzz continuous fuzzing service has achieved remarkable vulnerability discovery at scale:
- Over 50,000 bugs found across 1,000+ critical open source projects
- 13,000+ security vulnerabilities identified and fixed before exploitation
- Free fuzzing infrastructure provided to projects that couldn't otherwise afford continuous security testing
- Critical pre-exploitation vulnerability discovery preventing widespread incidents
- Continuous operation finding new vulnerabilities as codebases evolve
The program exemplifies how corporate infrastructure investment—Google provides the computing resources, fuzzing expertise, and integration support—delivers security benefits far exceeding what any individual project could achieve alone.
GitHub security features:
GitHub's security investments provide:
- Dependabot alerts for all public repositories (free)
- Code scanning with CodeQL (free for open source)
- Secret scanning preventing credential exposure
- Security advisories enabling coordinated disclosure
These features reach millions of repositories automatically.
Alpha-Omega impact:
Corporate-funded Alpha-Omega has made transformative impact through its dual-track approach to open source security. The Alpha-Omega Project, launched by OpenSSF in February 2022 with initial $5 million backing from Microsoft and Google (later joined by Amazon Web Services), became a directed fund with formal governance in 2023, establishing an oversight board and defined leadership team. This governance evolution reflects Alpha-Omega's operational leadership role: it doesn't just distribute grants—it shapes how major ecosystems implement security through sustained engagement, transparency requirements, and knowledge sharing.
Alpha-Omega employs a two-pronged methodology with built-in transparency:
- Alpha track: Works directly with maintainers of the most critical open source projects (selected using OpenSSF Criticality Score and Harvard's Census data) through threat modeling, automated security testing, source code audits, and vulnerability remediation support. All engagements follow public charters with defined scope, timeline, named contacts, and monthly progress updates via GitHub.
- Omega track: Applies the Omega Analyzer toolchain with 20+ integrated security tools to systematically analyze at least 10,000 widely deployed projects, combining automated analysis, security analysts, and confidential vulnerability reporting processes
In 2024 alone, Alpha-Omega issued nearly $6 million in grants to critical open source projects, helping staff security teams at 10 major organizations including the Python Software Foundation, OpenJS Foundation, and Ruby Central. This funding enabled security improvements otherwise impossible for volunteer-driven projects:
Python Software Foundation: Alpha-Omega funding supports two critical security positions—Seth Michael Larson as Security Developer-in-Residence and Mike Fiedler as PyPI Safety & Security Engineer. In 2024, these roles delivered concrete improvements including a "Report project as malware" button (used over 2,000 times), reduced remediation times for security incidents, and advancement of PEP 770 for SBOM standardization.
OpenJS Foundation: Alpha-Omega awarded $580,000 in funding to expand the Security Collaboration Space beyond Node.js to the broader JavaScript ecosystem. Continuous funding over two years has driven measurable security improvements:
- Node.js Permission Model: Matured to stable status (v2.0) in 2025, graduating from Active Development to production-ready security control
- Automated release process: Fully automated release pipeline launched October-November 2024, reducing human error and improving security response time
- Security report reduction: 2024 saw an all-time low of 10 security reports, demonstrating the effectiveness of improved security policies and proactive measures
- OpenPathfinder initiative: Launched in 2025 to streamline security assessments across JavaScript projects, building on the Compliance Dashboard proof-of-concept
- GitHub CodeQL integration: Static analysis now enabled across OpenJS projects, providing early vulnerability detection
- Ecosystem expansion: Security improvements extending from Node.js core to broader JavaScript tooling and frameworks
Ruby Central: Alpha-Omega grants funded a comprehensive security audit by Trail of Bits that identified 33 security issues (including one high-severity vulnerability), plus implementation of trusted publishing mechanisms and remediation of critical vulnerabilities throughout the RubyGems.org infrastructure.
Beyond staffing, Alpha-Omega supported infrastructure hardening for the Linux kernel and Homebrew, funded security audits of foundational technologies, and invested in emerging secure implementations including Rust-based TLS libraries and the AV1 codec. The program hosted four roundtable discussions with grant recipients in 2024 to facilitate knowledge sharing and coordinate 2025 strategies, building sustainable security cultures within funded communities.
FreeBSD Foundation modernization:
The FreeBSD Foundation demonstrates how traditional open source operating systems are modernizing security practices for the supply chain era, supported by both Alpha-Omega and Germany's Sovereign Tech Agency. In 2024-2025, FreeBSD undertook comprehensive security infrastructure improvements:
Sovereign Tech Agency infrastructure program: €686,400 funding from August 2024 to December 2025 enabled acceleration of zero-trust builds, SBOM tooling, and developer experience improvements. Key deliverables include:
- Zero-trust build infrastructure: Reproducible builds with verification, reducing build system compromise risks
- SBOM generation and tooling: Native SBOM support integrated into FreeBSD package infrastructure
- CI/CD automation: Modernized continuous integration reducing manual processes and security gaps
- Technical debt reduction: Addressing long-standing security-relevant infrastructure issues
OSV format migration: FreeBSD migrated from the legacy VuXML vulnerability database to the industry-standard OSV format, creating an OSV database for FreeBSD, adding OSV parsing to the pkg package manager, developing conversion tools for legacy data, and enabling pkg audit to consume OSV data. This migration allows FreeBSD vulnerabilities to integrate seamlessly with cross-ecosystem security tools.
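What a pkg audit step consuming OSV data has to do for each installed package, as an added example rather than FreeBSD's pkg code or the OSV project's reference implementation: a constructed OSV-format advisory (the advisory ID, the package name and the ecosystem string "FreeBSD:ports" are assumptions) evaluated against installed versions using the OSV range-event semantics, with a simplified dotted-numeric version compare in place of pkg's full version grammar.

```python
"""Evaluate an OSV advisory against installed package versions.

Added example, not FreeBSD's pkg code or the OSV reference implementation.
The advisory below is constructed for illustration; the ID, package name
and the ecosystem string "FreeBSD:ports" are assumptions, and version
comparison is a simplified dotted-numeric compare."""
import json
from typing import Optional

# Constructed OSV-format advisory using standard schema fields
# (id, summary, affected[].package, affected[].ranges[].events).
CONSTRUCTED_OSV_RECORD = json.loads("""
{
  "id": "CONSTRUCTED-2025-0001",
  "summary": "example-lib: heap overflow in parser (constructed sample)",
  "affected": [
    {
      "package": {"ecosystem": "FreeBSD:ports", "name": "example-lib"},
      "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "1.0.0"}, {"fixed": "1.4.2"},
                    {"introduced": "2.0.0"}, {"fixed": "2.0.5"}]}
      ]
    }
  ]
}
""")


def parse_version(v: str) -> tuple:
    """Simplified parse: dotted integers only. Real pkg versions also carry
    PORTREVISION (_n) and PORTEPOCH (,n), which are not handled here."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def version_in_range(version: str, events: list) -> bool:
    """OSV range semantics: walk the ordered events, tracking whether the
    version lies at or after an 'introduced' and before the following
    'fixed' (or at/below 'last_affected'). introduced '0' means from the
    first version ever published."""
    v = parse_version(version)
    open_window = False
    for ev in events:
        if "introduced" in ev:
            lower = ev["introduced"]
            open_window = lower == "0" or v >= parse_version(lower)
        elif "fixed" in ev:
            if open_window and v < parse_version(ev["fixed"]):
                return True
            open_window = False
        elif "last_affected" in ev:
            if open_window and v <= parse_version(ev["last_affected"]):
                return True
            open_window = False
    return open_window  # introduced with no closing event: still affected


def audit(record: dict, ecosystem: str, name: str, version: str) -> Optional[str]:
    """Return the advisory ID if (ecosystem, name, version) is affected,
    else None. This is the per-package decision an audit backend makes."""
    for entry in record.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        if version in entry.get("versions", []):   # explicit version list
            return record["id"]
        for rng in entry.get("ranges", []):
            if rng.get("type") == "ECOSYSTEM" and version_in_range(version, rng["events"]):
                return record["id"]
    return None


def audit_installed(record: dict, installed: dict) -> list:
    """Audit a constructed inventory {name: version}; return vulnerable names."""
    return [n for n, v in installed.items()
            if audit(record, "FreeBSD:ports", n, v) is not None]
```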
Alpha-Omega security audit: A $137,500 Alpha-Omega grant funded comprehensive security audits (Q2 2024) focusing on key subsystems including bhyve (hypervisor) and Capsicum (capability-based security), plus development process security review.
Ports and Packages Security Project: Running April-December 2025, this initiative modernizes security controls in the FreeBSD Ports Collection, improves CI tooling, and develops a package audit backend to fetch vulnerability data from global agency databases.
EU CRA engagement: FreeBSD Foundation participates in the OpenSSF Open Regulatory Compliance Working Group, contributing to EU Cyber Resilience Act compliance guidance for open source operating systems.
The FreeBSD modernization demonstrates how established projects with decades of history can adopt contemporary supply chain security practices—zero-trust builds, SBOM integration, vulnerability format standardization—when provided targeted funding and expert support. The combination of public funding (Sovereign Tech Agency) and corporate-backed programs (Alpha-Omega) provides a sustainable model for critical infrastructure modernization.
Linux kernel security:
Collective corporate investment in Linux kernel security:
- Red Hat, Google, Intel, and others employ kernel security engineers
- Continuous security improvements benefit every Linux user
- Hardware vulnerability mitigations (Spectre, Meltdown) developed rapidly
Recommendations for Corporate Engagement
Organizations seeking to contribute effectively should consider a phased approach:
Starting level:
- Join OpenSSF as a general member, supporting ecosystem infrastructure
- Enable contribution time allowing engineers to work on open source security
- Sponsor maintainers of critical dependencies through GitHub Sponsors or similar
- Publish security advisories through GitHub to contribute to vulnerability databases
Growing engagement:
- Participate in working groups relevant to organizational interests
- Fund security audits for critical dependencies through OSTIF or directly
- Release internal security tools that could benefit the ecosystem
- Share security practices through blog posts, talks, and documentation
Leadership level:
- Establish dedicated teams for open source security work
- Fund Alpha-Omega or similar programs supporting critical projects
- Lead working groups on topics aligned with organizational expertise
- Serve on foundation boards to shape strategic direction
For Open Source Program Offices (OSPOs):
- Inventory dependencies to understand which projects need support
- Establish contribution policies enabling security work
- Track contribution metrics demonstrating organizational impact
- Build relationships with maintainers of critical projects
- Coordinate internal security and open source teams to align efforts
Making the internal case:
When advocating for open source security investment:
- Quantify dependency exposure: How many projects does your organization depend on?
- Assess vulnerability history: How many security incidents traced to open source?
- Calculate incident costs: What would a major supply chain incident cost?
- Benchmark competitors: What are peer organizations investing?
- Identify regulatory trends: What requirements are emerging?
- Propose metrics: How will you measure contribution impact?
Conclusion
Corporate contribution to open source security has grown from minimal to substantial, driven by recognition that ecosystem security and organizational security are inseparable. Leading companies invest millions of dollars and thousands of engineering hours in tools, standards, audits, and direct security work that benefits everyone.
Organizations not yet contributing face a choice: continue consuming without investing, hoping others maintain the commons, or recognize their stake in ecosystem security and contribute proportionately. As supply chain attacks increase and regulations tighten, the business case for contribution grows stronger. Organizations that invest now build capability, influence, and relationships that position them well for an increasingly security-conscious future.