IBM and Red Hat Join Industry Leaders to Help Secure Software Supply Chains

The Linux Foundation has raised $10 million in new investments to expand and support the Open Source Security Foundation (OpenSSF), a cross-industry collaboration that brings together multiple open source software initiatives under one umbrella to identify and fix cybersecurity vulnerabilities in open source software and develop improved tooling, training, research, best practices and vulnerability disclosure practices.

Financial commitments have been made by Premier members IBM, Red Hat, Amazon, Cisco, Dell Technologies, Ericsson, Facebook, Fidelity, GitHub, Google, Intel, JPMorgan Chase, Microsoft, Morgan Stanley, Oracle, Snyk, and VMware, with additional commitments coming from General members.

Brian Behlendorf will serve the OpenSSF community as general manager.

The OpenSSF says that, according to industry reports, software supply chain attacks have increased 650% and are having a severe impact on business operations. In the wake of increasing security breaches, ransomware attacks and other cyber-crimes tied to open source software, government leaders around the world are calling for private and public collaboration. Because open source software makes up at least 70% of all software, the OpenSSF says it offers the natural, neutral and pan-industry forum to accelerate the security of the software supply chain.

"IBM is deeply focused on developing and building highly secure hybrid cloud, AI and quantum-safe technologies that are designed to protect our clients' most sensitive workloads both today and into the future," said Jamie Thomas, general manager, strategy and development and IBM enterprise security executive. "As a long-time open source leader, IBM looks forward to working with the OSSF, our industry partners and open source communities towards addressing the ever increasing challenge of hardware and software open source supply chain security."

"Open source is pervasive in software solutions of all kinds, and cybersecurity attack rates are on the rise," said Chris Wright, senior vice president and CTO, Red Hat. "Our customers look to Red Hat to provide trust and enhanced security in our open source-based portfolio. Open source and community collaboration is the best way to solve big, industry-wide challenges, such as open source supply chain security. And that's why we're excited to join together with the Linux Foundation and other industry leaders so we can continue to improve the technologies and practices to build a more secure future from open source software."

The OpenSSF is home for a variety of open source software, open standards and other open content work for improving security. Examples include:

  • Security Scorecard—a fully automated tool that assesses a number of important heuristics ("checks") associated with software security
  • Best Practices Badge—a set of Core Infrastructure Initiative best practices for producing higher-quality secure software, which gives OSS projects a way to demonstrate through badges that they are following them
  • Security Policies—Allstar provides a way to set and enforce security policies on repositories or organizations
  • Framework—Supply-chain Levels for Software Artifacts (SLSA) delivers a security framework for increasing levels of software supply chain integrity
  • Training—free secure software development fundamentals courses educating community members on how to develop secure software
  • Vulnerability Disclosures—a guide to coordinated vulnerability disclosure for OSS projects
  • Package Analysis—looks for malicious software in OSS packages
  • Security Reviews—public collection of security reviews of OSS
  • Research—studies on open source software and critical security vulnerabilities conducted in association with the Laboratory for Innovation Science at Harvard (LISH) (e.g., a preliminary census and FOSS Contributor Survey)

More information is available about the OpenSSF at and about the Linux Foundation at