Securing the Supply Chain for OSS
Project Description
Software supply chain security has become a critical concern for open source ecosystems, particularly in light of new regulatory requirements and increasing security threats. The EU Cyber Resilience Act, which entered into force on 10 December 2024 (with its obligations phasing in through 2026 and 2027), requires manufacturers, importers and distributors of products with digital elements, including software, to keep those products secure and supplied with security updates throughout their support period. This is just one example of the growing regulatory landscape that open source projects must navigate.
Current challenges include ensuring continuous access to security updates, maintaining separate security and feature update channels, implementing vulnerability disclosure programs, and providing transparency through Software Bill of Materials (SBOM) and Supply-chain Levels for Software Artifacts (SLSA). Many open source projects, especially in the CMS ecosystem, lack the tools and workflows to meet these requirements effectively.
This project aims to develop solutions that address these challenges through modular, reusable components. Using WordPress plugin development as our initial implementation use case, we’ll create tools and workflows that can benefit the broader open source community. The goal is to enable projects of all sizes to implement robust supply chain security measures without reinventing the wheel.
Target Audience
- Open source software vendors and maintainers
- CMS platform developers and contributors
- Security professionals and researchers
- Organizations deploying CMS solutions at scale
Hackathon Goals
The project scope is flexible and will be refined based on team composition and expertise. Potential deliverables may include:
- Security update channel implementations
- Cryptographic code signing solutions
- SBOM generation and verification tools
- Vulnerability disclosure program tooling
- Documentation and implementation guides
- Cross-CMS security standards
Teams can focus on one or more of these areas, or propose additional solutions that address supply chain security challenges in open source ecosystems.
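As an illustration of how two of the deliverables above (cryptographic code signing and SBOM generation/verification) fit together for a plugin release, here is an added example that is not part of the project's own tooling. It builds a deterministic plugin zip from a constructed file map, records the artifact's SHA-256 digest in a minimal CycloneDX-shaped SBOM, signs the SBOM bytes with Ed25519 using only the Go standard library, and verifies on the client side that the signature holds and that the downloaded artifact's digest is the one the signed SBOM vouches for. The plugin file contents, component name and version, and the `SBOM`, `Component` and `Hash` types are assumptions for the example, not a full CycloneDX model; the verification order (check the signature before parsing anything) is the point a practitioner should copy.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Minimal CycloneDX-shaped SBOM (assumed subset; real documents carry metadata,
// bom-refs, purls and dependency graphs that this example leaves out).
type Hash struct {
	Alg     string `json:"alg"`
	Content string `json:"content"`
}

type Component struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	Hashes  []Hash `json:"hashes"`
}

type SBOM struct {
	BOMFormat   string      `json:"bomFormat"`
	SpecVersion string      `json:"specVersion"`
	Components  []Component `json:"components"`
}

// SamplePlugin is a constructed stand-in for a plugin source tree, not a real plugin.
var SamplePlugin = map[string]string{
	"example-plugin/example-plugin.php": "<?php\n/* Plugin Name: Example Plugin */\n",
	"example-plugin/readme.txt":         "=== Example Plugin ===\nStable tag: 1.0.0\n",
}

// BuildPluginZip packs the file map in sorted order with no timestamps, so the same
// inputs always yield the same bytes and therefore a reproducible digest.
func BuildPluginZip(files map[string]string) ([]byte, error) {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range names {
		f, err := w.Create(n)
		if err != nil {
			return nil, err
		}
		if _, err := f.Write([]byte(files[n])); err != nil {
			return nil, err
		}
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// GenerateSBOM records the release artifact and its SHA-256 digest.
func GenerateSBOM(name, version string, artifact []byte) SBOM {
	sum := sha256.Sum256(artifact)
	return SBOM{BOMFormat: "CycloneDX", SpecVersion: "1.5", Components: []Component{{
		Name: name, Version: version,
		Hashes: []Hash{{Alg: "SHA-256", Content: hex.EncodeToString(sum[:])}},
	}}}
}

// NewSigningKey generates the vendor's Ed25519 release key. In production the private
// half lives in a KMS/HSM or CI secret store, never next to the artifact.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignSBOM serialises the SBOM once and signs exactly those bytes; the signed bytes,
// not a re-serialised copy, are what ships alongside the artifact.
func SignSBOM(priv ed25519.PrivateKey, s SBOM) (doc, sig []byte, err error) {
	doc, err = json.Marshal(s)
	if err != nil {
		return nil, nil, err
	}
	return doc, ed25519.Sign(priv, doc), nil
}

// VerifyArtifact is what an update client runs: verify the signature over the SBOM
// bytes first (never parse unauthenticated input), then check that the downloaded
// artifact's digest is listed in the signed SBOM.
func VerifyArtifact(pub ed25519.PublicKey, doc, sig, artifact []byte) error {
	if !ed25519.Verify(pub, doc, sig) {
		return errors.New("SBOM signature does not verify against the trusted vendor key")
	}
	var s SBOM
	if err := json.Unmarshal(doc, &s); err != nil {
		return fmt.Errorf("signed SBOM is not valid JSON: %w", err)
	}
	sum := sha256.Sum256(artifact)
	got := hex.EncodeToString(sum[:])
	for _, c := range s.Components {
		for _, h := range c.Hashes {
			if h.Alg == "SHA-256" && h.Content == got {
				return nil
			}
		}
	}
	return errors.New("artifact digest is not listed in the signed SBOM")
}
```

Because trust is anchored in the signed SBOM rather than in the download location, the zip itself can be served from any mirror or CDN while only the small signed document needs to come from a vendor-controlled origin, and a substituted or modified package fails `VerifyArtifact` even if the hosting is compromised. This is digest pinning plus a vendor signature, not SLSA provenance: it says nothing about how or where the artifact was built, which is the gap a SLSA-style attestation would fill.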
Project Leads
Néstor Angulo de Ugarte
Head of Engineering and Security at Patchstack
John Blackbourn
WordPress Core Security Team Lead
#Security
#OpenSource
#CMS
#SupplyChain
#Compliance