LIVE from GitHub Universe: Inside the GitHub Secure Open Source Fund
In this episode guest host Greg Cochran from the GitHub Secure Open Source Fund brings together four maintainers who are helping secure the open source projects we all depend on: Christian (Log4j/Log4Shell), Carlos (GoReleaser), Michael (EVCC), and Camila (ScanAPI) to unpack what it really looks like to level up security in critical OSS.
They share how the Fund’s three-week security sprint, ongoing check-ins, and tight-knit community helped them move from “we don’t know what we don’t know” to concrete wins: hardened GitHub Actions pipelines, incident response plans, better reporting processes, and SBOMs that actually include dependency licenses. They also talk candidly about asking “dumb” questions in a trusted space and the ripple effect when one project’s security posture improves across its dependents. Finally, the group dives into AI security: using fuzzing, GitHub Copilot, and tools like the Secure Code Game both to find vulnerabilities faster and to keep up with attackers who now have AI on their side too.