Software runs the world and open source components form the essential building blocks for all software projects. Today, 99% of codebases contain open source components, and on average, each of those repositories has over 200 dependencies. However, while open source software fuels agility and innovation, it also means that projects inherit technical debt and risk from these components.
At GitHub, we believe that the security of open source is critical to the future of software, and we take this responsibility seriously. In 2019, GitHub acquired Dependabot and Semmle and made these security tools freely available for public repositories. GitHub has also supported open source developers and maintainers in their security efforts through the creation of GitHub Security Lab and the Open Source Security Coalition; these initiatives have resulted in the discovery of over 120 CVEs in open source software.
As a community, we all contribute to and build on open source software (OSS). We also share a collective responsibility for its security, and there is so much more we can do together.
GitHub started the Open Source Security Coalition with a mission to bring together companies and organizations committed to helping secure open source software globally. Within less than a year of the coalition’s inception, GitHub was joined by 21 founding members including Google, HackerOne, IOActive, Mozilla, Microsoft, NCC Group, and Trail of Bits. The coalition ran active working groups focused on vulnerability disclosure, identifying threats to open source projects, best practices for open source developers, and security tooling. Building on this initial success, the lessons learned, and its invaluable founding members, the Open Source Security Coalition is ready for its next chapter.
We are happy to announce that GitHub is joining the Open Source Security Foundation (OpenSSF) as a founding member, alongside Google, IBM, JPMorgan Chase, Microsoft, NCC Group, OWASP Foundation, Red Hat, and others. With this announcement, the Open Source Security Coalition also joins forces with other open source security initiatives such as the Linux Foundation’s Core Infrastructure Initiative to form the new OpenSSF. Our goal in founding the OpenSSF is to help the community improve the security of open source software. With this next step, we are integrating previous efforts from GitHub’s Open Source Security Coalition with OpenSSF to work better across the industry and offer a single home for open source security.
But our efforts don’t stop there. Beyond the OpenSSF, the GitHub Security Lab will continue to contribute and drive research, bringing security researchers to the open source community. GitHub will also keep investing in security and serving the open source community by building new and improved security features, free for public repositories. As the home to more than 50 million developers, GitHub is proud to partner with the open source community to secure the world’s software, together.