Inside the GitHub Secure Open Source Fund: Leveling Up OSS Security
GitHub, with guest host Greg Cochran, spotlights maintainers from major open source projects and explores how the GitHub Secure Open Source Fund and tools like Copilot are advancing open source security.
Hosted by GitHub, with guest host Greg Cochran
In this episode of The GitHub Podcast, four open-source maintainers—Christian (Log4j/Log4Shell), Carlos (GoReleaser), Michael (EVCC), and Camila (ScanAPI)—discuss practical experiences in improving security for foundational open source projects, as supported by the GitHub Secure Open Source Fund.
Highlights
- Three-week Security Sprints: Maintainers share their experiences with guided security improvement sprints, including practices like:
  - Hardening GitHub Actions pipelines
  - Developing incident response plans
  - Enhancing reporting processes
  - Generating SBOMs (Software Bill of Materials) that cover dependency licenses
- Community Collaboration: They emphasize the impact of a tight-knit security community, collaborative learning (even asking “dumb” questions in a safe space), and a ripple effect that improves dependencies across OSS projects.
- AI-enabled Security: Discussing AI’s role in security, the group covers:
  - Using fuzzing and automated tools to discover vulnerabilities
  - Leveraging GitHub Copilot and games like Secure Code Game for staying ahead of attackers using AI
Key Topics
- Project improvements driven by the Fund (Log4j remediation, incident planning)
- Power of community support for maintainers
- Tangible steps for securing open source infrastructure with GitHub-native tools
- The growing importance of AI and Copilot for OSS security workflows
Projects & Links Mentioned
- GitHub Secure Open Source Fund
- Log4j/Log4Shell
- GoReleaser
- EVCC
- ScanAPI
- GitHub Actions
- Secure Code Game
- GitHub Copilot
Production credits: Hosted by Abigail Cabunoc Mayes, Kedasha Kerr, and Cassidy Williams. Episode produced by Victoria Marin and partner editaudio.