Strengthening Security with the GitHub Secure Open Source Fund
Late summer last year, GitHub approached us about participating in the Secure Open Source Fund. We applied, were selected by the committee, and joined 98 maintainers from 67 open source projects for an intensive security program.
The Programme
The in-depth phase ran across September 2025: roughly 20 sessions, all synchronous over Zoom, with evening time slots that were quite comfortable for European participants, though attendees joined from all time zones. The sessions were led by experts from the GitHub Security Lab and covered a wide range of topics. We had concrete tasks to complete between sessions. Homework, but the effective kind. The real value, though, was hearing these topics explained by people who deal with them daily and discussing them with the group.
Security Is a Workout, Not a Checkbox
One concept that stuck with me was Improving Our Security Posture. Security isn't a checkbox you tick once. It's more like fitness. There's no finish line. You build habits, you keep training, you slowly get stronger. The program gave us a structured training plan.
The topics ranged widely. We worked on licence clarity and compatibility, adding licence checks for our Go and NPM dependencies and publishing SBOMs. We wrote a SECURITY.md and an incident response plan. We learned about the CVE process. Not something I've had to deal with so far, but good to be prepared. We covered threat modelling, secure-by-design principles, and UX considerations for building secure software. On the tooling side, there were sessions on static analysis with CodeQL and fuzzing.
GitHub Actions security was one I didn't expect to be such a deep topic. There are many subtle ways workflows can be exploited, and we ended up doing a lot of hardening on our own actions with tools like actions-permissions.
One session that surprised me was about AI security. GitHub introduced us to the Secure Code Game, a hands-on challenge where you find vulnerabilities in a codebase. The early levels cover classic OWASP problems like SQL injection and XSS. Familiar territory. But the latest season is about tricking software with built-in LLM functionality into doing things it shouldn't. It was eye-opening to see that this is the new frontier people are actively training for.
Different Projects, Different Perspectives
What made the program special was the mix of projects in the room. There were applications like evcc, Thunderbird for Android, Mattermost, and Mastodon. Libraries like GoReleaser (which we use for our releases), Mermaid (which we use in our docs), and Node.js. And fundamental tools like curl and ImageMagick.
Security means something quite different depending on what you build. An application that runs in people's homes faces different threats than a library embedded in thousands of projects. Hearing how curl thinks about security compared to how Mastodon does was genuinely valuable. Beyond the content, the network you build with other maintainers is something that lasts.
GitHub Universe
In October 2025, I was invited to the GitHub Universe conference in San Francisco. I was part of a panel about the Secure Open Source Fund at Community Day. It was great to connect with other maintainers in person after weeks of Zoom sessions.
Together with Gregg Cochran (GitHub), Christian Grobmeier (Log4j), Camila Maia (ScanAPI), and Carlos Alexandro Becker (GoReleaser) I recorded a podcast episode on open source security. You can watch it on YouTube or listen to the audio.

Get Involved
If you maintain an open source project: consider applying for the program. The overview you get across security topics is broad, and the network of maintainers you build is just as valuable.
If your company relies on open source (and it almost certainly does): consider sponsoring your critical dependencies directly. Or support the Secure Open Source Fund to help the broader ecosystem. More secure open source means more secure software for everyone.