
OSS-CRS: Next Generation Bug-Finding and Remediation for the LLM Era - Andrew Chin
The presentation introduced OSS‑CRS, an open‑source framework that extracts and modularizes the bug‑finding and patching techniques developed during DARPA’s AI Cyber Challenge. The competition required cyber‑reasoning systems (CRSs) to locate vulnerabilities, generate proof‑of‑vulnerability inputs, and automatically produce patches, with a scoring system that favored end‑to‑end remediation. While several teams released their CRSs, most remain unmaintained, suffer from cloud lock‑in, monolithic designs, and duplicated infrastructure, limiting broader adoption. Key insights include the asymmetry in today’s vulnerability lifecycle: automated tools flood maintainers with reports, yet triage and patching remain bottlenecks. OSS‑CRS addresses this by centralizing infrastructure, providing resource‑management hooks, and exposing helper libraries (libCRS) that abstract Docker orchestration, artifact transfer, and LLM budgeting. The framework aligns with OSS‑Fuzz’s ecosystem, supporting over a thousand projects, and introduces flexible deployment configurations (local laptops, Kubernetes, or custom LLM proxies) so users can run multiple CRSs in parallel without Azure dependencies. The speaker highlighted concrete components: a three‑stage pipeline (prepare, build target, run), a delta‑scan mode for diff‑driven analysis, and a composable YAML/compose file that defines compute limits, model aliases, and API keys. Demonstrations showed how a CRS can be registered, built, and executed against a fuzz harness, producing proof‑of‑vulnerability inputs and patches. The modular design also enables security researchers to contribute new CRSs via a simple registry PR, while security engineers can tailor resource caps to corporate policies. Implications are significant: by lowering the engineering barrier, OSS‑CRS can accelerate autonomous remediation across the open‑source supply chain, reduce the triage backlog, and democratize access to advanced AI‑driven security tooling. The framework’s extensibility promises faster iteration on bug‑finding techniques and broader community participation, potentially reshaping how vulnerabilities are addressed in the LLM era.

AI as Security Orchestrator: An Introduction To Darnit - Michael Lieberman, Kusari
The video introduces Darnit, a framework and CLI tool that acts as a security orchestrator for software projects. It automates audit, data collection, and conformance checks, aiming to relieve developers and open‑source maintainers from the growing burden of keeping up...

Petra: SBOMs Without Oversharing for Confidential Supply Chain... Eman Abu Ishgair & Marcela Melara
The presentation introduced Petra, a system designed to enable trustworthy and confidential exchange of Software Bill of Materials (SBOMs). The speakers highlighted the "SBOM paradox": while SBOMs are essential for compliance, auditing, and supply‑chain security, only about 21% of organizations...

From SBOMs To Decisions: Prioritizing Supply Chain Risk in Time-Bound M&A... Prashanth Chandrasekar
The presentation by Prashanth Chandrasekar of Bitsight focuses on how software bill of materials (SBOMs) can be transformed from a static inventory into a decision‑making tool for mergers and acquisitions (M&A). He stresses that M&A due diligence operates under a...

Anatomy of a Phishing Campaign - Mike Fiedler, Python Software Foundation
Mike Fiedler of the Python Software Foundation walked the audience through a recent phishing campaign that targeted PyPI maintainers, illustrating how attackers spoofed official PyPI communications with a single‑character URL alteration and a man‑in‑the‑middle proxy to harvest credentials. The talk highlighted...
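The single‑character URL alteration described above is exactly the kind of lookalike a link checker can flag before a maintainer clicks. The Python below is an added example, not code from the talk or from the PSF: it normalises a hostname (punycode, NFKC, a small confusable fold), then compares it against an assumed allow‑list of official domains using exact match, edit distance of one, and brand‑label checks. The allow‑list, the confusable map, and the sample e‑mail are constructed for illustration; they are not the campaign’s real infrastructure.

```python
"""Added example: flag e-mail links whose domain mimics an official one.

Not code from the talk or the PSF. OFFICIAL_DOMAINS, CONFUSABLES and
SAMPLE_EMAIL are assumptions / constructed data for illustration.
"""
import re
import unicodedata
from urllib.parse import urlsplit

# Assumed allow-list of domains the organisation really links from.
OFFICIAL_DOMAINS = ("pypi.org", "python.org")

# Minimal homoglyph folding that NFKC does not cover (dotless i, Cyrillic
# a/e/o/p/c). Assumed and incomplete: use the Unicode confusables table in production.
CONFUSABLES = str.maketrans({"ı": "i", "а": "a", "е": "e", "о": "o", "р": "p", "с": "c"})

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalize_host(host: str) -> str:
    """Lower-case, decode punycode labels, apply NFKC and fold confusables."""
    host = host.strip().rstrip(".").lower()
    try:
        host = host.encode("ascii").decode("idna")  # xn--... labels -> Unicode
    except UnicodeError:
        pass  # already Unicode, or an invalid label: compare as-is
    return unicodedata.normalize("NFKC", host).translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit is the 'single-character alteration'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels. Naive: a real deployment should consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def classify_host(host: str):
    """Return ('official' | 'lookalike' | 'unknown', matched_official_or_None)."""
    raw = host.strip().rstrip(".").lower()
    for official in OFFICIAL_DOMAINS:  # exact or true subdomain, before any folding
        if raw == official or raw.endswith("." + official):
            return "official", official
    norm = normalize_host(host)
    labels = norm.replace("-", ".").split(".")
    for official in OFFICIAL_DOMAINS:
        brand = official.split(".")[0]
        if norm == official or norm.endswith("." + official):
            return "lookalike", official  # homoglyphs collapsed onto the real name
        if edit_distance(registrable(norm), official) <= 1:
            return "lookalike", official  # pypl.org, ypi.org, pypi.orq ...
        if brand in labels:
            return "lookalike", official  # pypi-org.example, pypi.org.evil.example
    return "unknown", None


def classify_url(url: str):
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    return classify_host(host)


def scan_message(text: str):
    """Every URL in the message with its verdict: [(url, verdict, matched), ...]."""
    return [(u, *classify_url(u)) for u in URL_RE.findall(text)]


# Constructed sample message (not the real campaign's mail or domains).
SAMPLE_EMAIL = """\
Subject: [PyPI] Verify your email address
Please confirm your account at https://pypı.org/account/verify
or via https://pypi-org.example/login within 24 hours.
Documentation: https://docs.python.org/3/
"""

if __name__ == "__main__":
    for url, verdict, matched in scan_message(SAMPLE_EMAIL):
        note = f"  (mimics {matched})" if verdict == "lookalike" else ""
        print(f"{verdict:9s} {url}{note}")
```

The raw host is compared to the allow‑list before any folding, so a homoglyph domain that collapses onto the real name after normalisation is reported as a lookalike rather than as official. A check like this catches the link; it does nothing against the second half of the campaign, a proxy that relays the real site, so it belongs alongside phishing‑resistant credentials, not in place of them.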

Securing the Agentic Future: How OpenSSF Is Leading AI Security
The Open Source Security Foundation (OpenSSF) announced a strategic push into AI security, reaffirming its core mission to protect open‑source software. The foundation operates around four pillars—programs and projects, community building, targeted education, and policy advocacy—and is now extending each...

05-06-2026 WG-BEAR Regular Meeting
The WG‑BEAR regular meeting focused on upcoming OpenSSF activities, scheduling adjustments, and the status of its mentorship program. Participants confirmed OpenSSF’s booth and a new community‑day track at the Open Source Summit in Prague, while also noting the release of...

Advancing Open Source Security in Africa: OpenSSF and OSSAfrica
The virtual panel titled “Advancing Open Source Security in Africa” brought together leaders from the Open Source Security Foundation (OpenSSF), OSSAfrica, and industry experts to discuss how open‑source software underpins modern technology and why its security is critical for the...

04-07-2026 WG-BEAR Regular Meeting
The WG‑BEAR regular meeting centered on updates for the OSS Africa initiative and its upcoming Africa Cyber Fest, while also discussing broader collaboration opportunities with African security groups. Participants reviewed the status of promotional materials—stickers, banners, and flyers—and debated whether to...

Big Thoughts, Open Sources: Beyond the Hype: Brian Fox on Securing the Agentic Future of Open Source
The OpenSSF’s inaugural “Big Thoughts, Open Sources” podcast opens with Brian Fox, co‑founder of Sonatype and longtime Maven Central steward, to explore how artificial intelligence is reshaping open‑source software supply‑chain security. Fox recounts two decades of visibility work—tracking vulnerable crypto libraries...

Handing Over The Keys to Your Kingdom: AI-Driven Security Woes
The video warns that AI agents and DevSecOps tools, despite holding extensive permissions, suffer from weak oversight, creating a "credential‑drift" crisis. Recent supply‑chain attacks have compromised popular utilities such as Trivy, Axios, LiteLLM, OpenAI Codex, and Claude Code. The speaker...

Open Source SecurityCon | Closing Remarks - Brandt Keller & Constanze Roedig
The closing remarks of Open Source SecurityCon were delivered by co‑chairs Brandt Keller and Constanze Roedig, who thanked attendees, speakers, and the CNCF/OpenSSF partnership that hosted the event. They emphasized the importance of the post‑event survey as a tool for...

Tarmageddon: One Bug, Four Forks, and a Disclosure Scavenger Hunt - Marina Moore & Alex Zenla, Edera
The video recounts how Edera’s research team uncovered a severe parsing flaw in the Rust‑based asynchronous tar library tokio‑tar. The vulnerability, triggered by a malformed PAX header, caused the extractor to treat embedded data as a separate tar archive, allowing...

Lightning Talk: A Case Study in Cross-Ecosystem Security Response - Lori Lorusso, Rust Foundation
The Rust Foundation used a Lightning Talk to illustrate how cross‑ecosystem collaboration can harden open‑source supply‑chain security. Identified as a critical project by OpenSSF in 2022, Rust launched its Security Initiative, securing crates through threat modeling, ecosystem scanning, and trusted...

The Invisible Threat: Secure & Sovereign Digital Backbone
The video examines the hidden, supply‑chain‑driven threats that jeopardize a nation’s digital backbone, especially as critical infrastructure becomes increasingly software‑centric. It argues that traditional security models focused on human error are insufficient when state‑backed actors infiltrate telecom, finance, transportation and...