This keynote was given at OpenSSF Community Day NA 2025 in Denver, Colorado; a YouTube recording will be available later. The talk was given in the speaker's role as Security Developer-in-Residence at the Python Software Foundation, a role sponsored by Alpha-Omega.

Open source lets anyone contribute meaningfully to a project, yet security is treated as special and is usually handled by a select few. Maintainers of open source projects, especially small ones, are not necessarily security experts, but they feel obligated to handle security work themselves to keep their project and its users safe, and they do that work in isolation. That isolation breeds a culture of fear: maintainers rarely see how other projects handle security issues, so they have no reference point for what is normal. Smaller projects are also shaped by their tools, and security tools often introduce an asymmetry: a tool that files findings and reports creates work for the maintainer without resolving any of it.

The speaker proposes a new model for open source security contributions in which security work is done by trusted individuals who are not necessarily the project's maintainers. The aim is to break the assumption that maintainers are the only people who can do security work, an assumption that hurts smaller projects most. For this model to succeed, trust has to be built between contributors and projects, and security work cannot all fall on maintainers. Everyone can use their voice and experience to build a more positive and healthy security culture and to overcome the isolation inherent in security work.
sethmlarson.dev