GitHub announces security improvements across 67 critical open source projects in Session 3 of the Secure Open Source Fund, with $670,000 in funding and measurable outcomes including 191 new CVEs, 250+ secrets prevented, and billions of monthly downloads secured.
Modern software runs on open source infrastructure. From curl moving data for billions of systems to Python powering AI research and model evaluation, these projects form the invisible foundation that developers rarely question. When this infrastructure is secure, teams can adopt automation and faster release cycles without adding risk. When it isn't, the blast radius crosses project boundaries, affecting everything from package managers to production AI systems.
That's why GitHub launched the Secure Open Source Fund, directly linking funding to verified security outcomes while providing maintainers with resources, hands-on training, and a security community for raising high-risk concerns.
Session 3 Results: 67 Projects, 98 Maintainers, $670,000 in Funding
In the latest session, 67 open source projects delivered concrete security improvements across the software supply chain. The program provided $670,000 in non-dilutive funding powered by GitHub Sponsors, with 99% of projects completing the program with core GitHub security features enabled.
Across all three sessions, the impact has been substantial:
- 138 projects completed the program
- 219 maintainers received support
- 38 countries represented
- $1.38M in total funding
- 191 new CVEs issued
- 250+ secrets prevented from being leaked
- 600+ leaked secrets detected and resolved
- Billions of monthly downloads protected
- 500+ CodeQL alerts fixed in just the last 6 months
- 66 secrets blocked
Security Work Across Critical Infrastructure
Session 3 focused on improving security across systems developers rely on daily, organized by their role in the software ecosystem.
Core Programming Languages and Runtimes
Projects like CPython, Himmelblau, LLVM, Node.js, Rustls, and Vapor define how software is written and executed. Improvements here flow downstream to entire ecosystems. For example, enhancements to CPython directly benefit millions of developers who rely on Python for application development, automation, and AI workloads.
LLVM maintainers identified security improvements that complement existing investments and reduce risk across toolchains used throughout the industry. When language runtimes improve their security posture, everything built on top of them inherits that resilience.
Web, Networking, and Core Infrastructure Libraries
Projects including Apache APISIX, curl, evcc, kgateway, Netty, quic-go, and urllib3 form the connective tissue of the internet. They handle HTTP, TLS, APIs, and network communication that nearly every application depends on.
Because these libraries sit on the hot path of modern software, a vulnerability in any one of them is inherited by every application that transports data through it.
Build Systems, CI/CD, and Release Tooling
Compromising build tooling compromises the entire supply chain. Projects like Apache Airflow, Foundry, Gitoxide, GoReleaser, Jenkins, node-lru-cache, PyPI/Warehouse, rimraf, and webpack influence how software is built, tested, packaged, and shipped.
Maintainers in this category focused on securing workflows that often run with elevated privileges and broad access. Improvements here help prevent tampering before software ever reaches users.
Data Science, Scientific Computing, and AI Foundations
Projects such as ACI.dev, ArviZ, CocoIndex, OpenBB Platform, OpenSearch, pandas, PyMC, SciPy, and TraceRoot sit at the core of modern data analysis, research, and AI development. They are increasingly embedded in production systems as well as research pipelines.
In Session 3, maintainers of these projects expanded security coverage across large and complex codebases, often moving from limited, ad-hoc scanning to continuous checks on every commit and release.
Many of these projects also engaged deeply with AI-related security topics, reflecting their growing role in AI workflows.
Developer Tools and Productivity Utilities
Tools like Bevy, calibre, DIGIT, fabric.js, ImageMagick, jQuery, jsoup, Mastodon, Mermaid, Mockoon, p5.js, python-benedict, React Starter Kit, Selenium, Sphinx, Spyder, ssh_config, Thunderbird for Android, Two.js, and the Yii framework shape the day-to-day experience of writing, testing, and maintaining software.
Improving security here reduces the risk that developer tooling becomes an unexpected attack vector, especially in automated or shared environments.
Identity, Secrets, and Security Frameworks
Projects including external-secrets, Helmet.js, Keycloak, Keyshade, Oauth2 (Ruby), varlock, and WebAuthn (Go) form the backbone of authentication, authorization, secrets management, and secure configuration.
Maintainers in this group often reported shifting from reactive fixes to systematic threat modeling and long-term security planning, improving trust for every system that depends on them.
A Mindset Shift: From Reactive to Proactive
One of the most durable outcomes was a fundamental shift in how maintainers approach security. They moved security from a stretch goal to a core requirement, shifting from reactive patching to proactive design, and from isolated work to shared practice.
Many are now publishing playbooks, sharing incident response exercises, and passing lessons on to their contributor communities. That is how security scales: one-to-many.
What's Next: Session 4 and Beyond
Securing open source is basic maintenance for the internet. By giving 67 heavily used projects real funding, three focused weeks, and direct help, maintainers shipped fixes that now protect millions of builds a day.
This training, taught by the GitHub Security Lab and top cybersecurity experts, enables one-to-many impact. Many maintainers are working to make their playbooks public. The incident-response plans they rehearsed are forkable. The signed releases they now ship flow downstream to every package manager and CI pipeline that depends on them.
Session 4 begins April 2026. Projects and maintainers can apply now to the GitHub Secure Open Source Fund to help make open source safer for everyone.
Funding and Ecosystem Partners are also invited to join this mission to secure the software supply chain at scale.
Join the Mission
If you write code, rely on open source, or want the systems you depend on to remain trustworthy, we encourage you to apply. Together, we can secure the software supply chain that powers modern development, including the AI systems that increasingly shape our world.
For more information about the GitHub Secure Open Source Fund and how to participate, visit the official program page.
The GitHub Secure Open Source Fund represents a crucial investment in the infrastructure that powers modern software development. By directly linking funding to measurable security outcomes and providing maintainers with the resources they need, the program is creating lasting improvements that benefit the entire software ecosystem. As AI systems become increasingly dependent on open source foundations, securing this infrastructure becomes not just important, but essential for the future of trustworthy software development.