Securing the supply chain at scale: Starting with 71 important open source projects
Blog post from GitHub
In response to the critical security vulnerabilities exposed by the Log4j incident and the widespread reliance on under-resourced open-source libraries, GitHub launched the GitHub Secure Open Source Fund in November 2024 to strengthen the security of the software supply chain. The initiative provides financial support to maintainers who take part in a three-week program of security education, mentorship, tooling, and community building, with the goal of improving their projects' security posture and reducing supply-chain risk. The program has already shown significant results: 125 maintainers from 71 open-source projects have collaborated to remediate over 1,100 vulnerabilities and issue more than 50 new CVEs. The fund's sessions equip maintainers to put long-term security strategies in place, increase adoption of best practices, and integrate AI and security tooling such as GitHub Copilot into their workflows. As the program expands, with the third session scheduled for September 2025, it aims to reach more maintainers whose projects sit deeper in the dependency tree or constitute critical dependencies, contributing to a more secure open-source ecosystem.