What we learned from building an industry coalition
Blog post from GitHub
Securing the open source supply chain has become crucial: as organizations adopt more open source components, their exposure to security threats in those components grows. In response, GitHub launched the Open Source Security Coalition (OSSC) in November 2019, aiming to unite organizations globally to strengthen open source security. The coalition focuses on four main areas: identifying threats to open source projects, establishing best practices for developers, enhancing security tooling, and managing vulnerability disclosures. With its initial 14 partners growing to 21, the coalition serves as a collaborative forum to pool resources, build shared infrastructure, and reduce duplicated effort. GitHub's bottom-up approach, which emphasizes operational and communication foundations, has proven effective, fostering a partner-led, results-driven culture. The coalition has already produced a report detailing threats, risks, and mitigations in the open source ecosystem, demonstrating its commitment to the mission. As the coalition evolves, formalizing its structure while maintaining its founding values is key to its continued success.