Introducing OSERA · a FINOS alliance · OSFF London, 25 June 2026

Open source supply resiliency at scale. Without the lock-in.

A neutral, openly-governed home where institutions and their technology partners keep critical open source patched, consumable and compliant — produced once, together.

A FINOS initiative, part of the Linux Foundation — the complement to [CONFIDENTIAL LF PROJECT], the LF's cross-industry security response team.
The thesis

A network is only as safe as its weakest link

The sector runs strikingly similar software — the same core libraries, in the same versions — so a flaw in one is a flaw in all. Incubated in financial services, where the regulatory bar is highest, the model is built to serve any regulated enterprise. Open collaboration is the neutral, sovereign way to provide the shared answer.

~80% of open source dependencies sit unmanaged and outdated — resilience is a consumption problem, not just a patching one.
(Sonatype · State of the Software Supply Chain)

1 in 3 institutions are confident the components they consume are maintained and current. The rest are the weak links.
(FINOS · State of OSS in Financial Services 2024)

Hours is all automation now needs to weaponise a published CVE. The window to apply a known fix has collapsed.
(Industry observation)
How it works

Public by default — private only for the member-ready build

We apply fixes for known CVEs to the exact projects and versions the sector still runs. The source stays open; only the built, member-ready release sits behind membership.

  • Known CVE in a [package, version], in software the sector still runs — often past upstream end-of-life
  • Fix produced & tested under an alliance SLA, with green CI on the upstream test suite

Upstream first · public: offered back to the original project wherever it is alive — free and public for the whole community.

Public fork · public: the canonical maintained source, fully transparent and auditable — for the cases upstream can't take the fix.

Member release · members only: built, signed artifacts members consume through their existing proxy — the coordinates they already use, no CI change.

Source is public by default; only the built, member-ready release artifacts sit behind membership. Releases are time-bound — a managed bridge to a current, supported version, not a licence to stay behind. Cryptographic signing, full SBOMs and VEX are planned (Workstream 1).
Available tooling

Prioritise open source remediation with Risk Navigator

Risk Navigator turns dependency and vulnerability data into a practical remediation view: what is exposed, which projects are affected, and where upgrades or backpatches should be prioritised.

From vulnerable libraries to action

Use the overview to inspect vulnerable packages, CVEs, affected projects, safe versions, and backpatch candidates before bringing work into the OSERA formation process.

  • Rank libraries by CVSS, KEV, EPSS, project footprint, and upgrade path.
  • See which applications are directly or transitively exposed.
  • Identify candidates for upgrade guidance, OpenRewrite recipes, or backpatch work.
[Image: Risk Navigator prioritisation interface showing vulnerable libraries, CVEs, affected projects, and remediation details]
An open, two-sided platform

End users and tech producers, in one neutral venue

Not a vendor and not a buyers' club — an open ecosystem. Institutions that run open source meet the technology firms with deep upstream expertise that maintain it. No single firm sits in the middle.

End users · demand

Everyone who runs the software

  • Banks, insurers & market infrastructure
  • Fintechs
  • Regulated enterprises beyond finance
  • Technology providers to the sector
Resilient, compliant OSS at a fraction of single-firm cost.

The open, governed platform

FINOS neutral governance · open standards · per-project funding pools

IP & antitrust · Confidentiality · Open standards · Upstream-first
Tech producers · supply

Firms with upstream expertise

  • Upstream specialists
  • OSS maintainers
  • Security & remediation firms
  • SIs & consultancies
Reach the whole sector through one neutral channel — no lock-in.

Incubated in financial services — open to any regulated enterprise that runs the same software.

The value

What each actor gets

One effort, three constituencies — each with a clear reason to take part.

FSIs · end users
  • Pay a fraction of single-firm cost
  • A flexible funding model — pooled & per-project; pay for what you depend on
  • A venue you already trust: IP, antitrust, confidentiality
  • DORA / NIS2 / CRA readiness, with evidence built in
  • Remediation stays open & portable — no lock-in
OSS & tech vendors · producers
  • One neutral channel to the whole sector — no per-firm BD
  • Demand aggregated and funded through directed pools
  • Win on upstream expertise, not on lock-in
  • Reputation and contribution across the commons
  • Upstream-first — work that benefits everyone
Regulators
  • Shared, auditable remediation evidence
  • Reduces systemic third-party & open source risk
  • One point of engagement for the sector's OSS posture
  • Transparency — public forks, open standards
  • Aligned to DORA, NIS2 and the CRA
Why now

The fixes already exist — applying them is the hard part

AI hasn't changed which vulnerabilities exist; it has changed how fast known ones are weaponised. And regulation now makes timely remediation a duty, not a choice.

Exploitation has accelerated

Automation weaponises a published CVE in hours — but the same fix is still re-created, forked or bought firm by firm.


DORA & NIS2 are in force

Supervisors increasingly treat third-party and open source risk as systemic and auditable.

The EU CRA clock is running

Vulnerability-reporting duties from Sep 2026; full vulnerability-handling obligations from Dec 2027.

Potential workstreams

What the platform could deliver

Indicative only — workstreams and deliverables are to be agreed by participants during formation.

WS1 · potential

Backpatching governance

What to maintain, who produces it, under what SLA — openly governed, upstream-first.

WS2 · potential

Regulated consumption standards & tools

Consuming fixes in time across a regulated estate — and proving it. Risk Navigator is an early reference tool for prioritisation and remediation planning, alongside FINOS CALM and the Open SDLC Controls Framework.

  • Consumption evidence pack
  • Mapped to DORA, NIS2 & CRA
  • Blast-radius modelling via CALM
  • CRA-readiness self-assessment
WS3 · potential

Regulatory-compliant remediation standards

One open standard so a fix from any producer is portable, verifiable and lock-in-free.

Potentially joint with OpenSSF + [CONFIDENTIAL LF PROJECT]
  • Open production standard (SLSA · SBOM · VEX)
  • Disclosure / VEX interop with [CONFIDENTIAL LF PROJECT]
  • "Portable patch" conformance
  • Maps to CRA handling & reporting
Available now

Maintained backpatch lines — already in members' hands

Proof, not slideware. The formation pilot already maintains these critical Java lines, consumed through members' existing proxies with the coordinates they already use.

  • Apache Camel 2.25.4+backpatch.001 · Java · integration
  • Bouncy Castle 1.47+backpatch.001 · Java · cryptography
  • Netty 3.10.6.Final+backpatch.001 · Java · networking
  • Spring Framework 5.3.39+backpatch.001 · Java · app framework

Members resolve them through their existing corporate proxy with the coordinates they already use — no code or CI changes. Each line is time-bound. Signing, full SBOM and VEX are on the roadmap (WS1).
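As an added example (not the alliance's or Moderne's code), a small Python check that classifies a resolved dependency set against the four backpatch lines above, using the `+backpatch.NNN` build-metadata convention their versions follow. The Maven group:artifact coordinates it uses are assumed for illustration, since the page names only the projects.

```python
import re

# Maintained backpatch lines as listed on the page. The Maven group:artifact
# coordinates are assumed for illustration; the page gives only project names.
BACKPATCH_LINES = {
    "org.apache.camel:camel-core": "2.25.4",
    "org.bouncycastle:bcprov-jdk15on": "1.47",
    "io.netty:netty": "3.10.6.Final",
    "org.springframework:spring-core": "5.3.39",
}

# Base version plus an optional "+backpatch.NNN" build-metadata suffix.
VERSION_RE = re.compile(r"^(?P<base>[^+\s]+)(?:\+backpatch\.(?P<seq>\d+))?$")


def classify(coordinate, version):
    """Return (status, detail) for one resolved dependency."""
    m = VERSION_RE.match(version)
    if not m:
        return ("malformed", version)
    base, seq = m.group("base"), m.group("seq")
    maintained = BACKPATCH_LINES.get(coordinate)
    if maintained is None:
        return ("not-covered", "no alliance line for this coordinate")
    if base != maintained:
        return ("not-covered", f"line maintains {maintained}, resolved {base}")
    if seq is None:
        # The exact EOL version the alliance patches, but the fix was not consumed.
        return ("unpatched", f"{base} resolved without the backpatch release")
    return ("backpatch", int(seq))


def consumption_evidence(resolved):
    """Group a resolved set (coordinate -> version) by status for an evidence pack."""
    report = {"backpatch": [], "unpatched": [], "not-covered": [], "malformed": []}
    for coord, ver in sorted(resolved.items()):
        status, detail = classify(coord, ver)
        report[status].append((coord, ver, detail))
    return report


# Constructed sample of a resolved dependency tree (not real project data).
SAMPLE = {
    "org.apache.camel:camel-core": "2.25.4+backpatch.001",
    "org.bouncycastle:bcprov-jdk15on": "1.47",
    "io.netty:netty": "3.10.6.Final+backpatch.001",
    "org.springframework:spring-core": "5.3.38",
    "com.fasterxml.jackson.core:jackson-databind": "2.17.1",
}

if __name__ == "__main__":
    for status, items in consumption_evidence(SAMPLE).items():
        for coord, ver, detail in items:
            print(f"{status:12} {coord} {ver}  ({detail})")
```

The "unpatched" bucket is the one worth surfacing: it is the EOL version the alliance maintains a fix for, resolved without that fix.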
Why join now

The window is open — and the clock is regulatory

For end users

Stop paying for the same fix many times over.

  • Shape the first projects and SLAs while founding terms are set
  • Get ahead of the EU CRA (reporting 2026, full handling 2027)
  • Replace a recurring single-firm "fork tax" with one shared programme

For tech producers

One open channel to the whole sector.

  • Reach every institution through a neutral venue — no per-firm BD
  • Win on upstream expertise, not on lock-in
  • Help set the open production standard you'll be measured against
Get involved

Propose a project — or offer to maintain one

Open to institutions of every size and to technology firms with upstream expertise, anywhere in the world.

Propose a project

Nominate a [package, version] for the alliance to consider maintaining.


Offer to maintain

Put your firm forward as a tech producer for specific projects or ecosystems.


Just want to back it?

Join the funding effort and back the projects you depend on — pooled, per-project, pay for what you use.

Not a FINOS member? — membership@finos.org
Already a member? — membersuccess@finos.org

Form submissions route to membership@finos.org. Prefer to talk first? Join the weekly Supply Chain Resiliency formation call.

How it fits

Complementary to [CONFIDENTIAL LF PROJECT], by design

[CONFIDENTIAL LF PROJECT] · Linux Foundation

The cross-industry security response team: one coordinated disclosure process and a maintainer of last resort, so upstream maintainers face one trusted partner instead of a flood of duplicate, AI-generated reports.

OSERA · FINOS

The industry-specific complement: prioritisation, mutualised maintenance, regulated consumption and open standards — routing its coordinated disclosure through [CONFIDENTIAL LF PROJECT]. Independent governance; no duplication.

A short history

How we got here

Early 2026

FINOS member institutions recognise they each pay, independently, to keep the same open source dependencies alive — forking, patching or buying support for identical CVEs.

Q2 2026

Spearheaded by Moderne, the effort is brought to the FINOS community — in the open, not as a product — and a member formation group convenes to design a mutualised, openly-governed model.

May–June 2026

A working pipeline ships: critical Java lines maintained as backpatch releases and validated end-to-end by member institutions.

June 2026

The Linux Foundation announces [CONFIDENTIAL LF PROJECT] — the cross-industry security response team and maintainer of last resort.

25 June 2026

FINOS presents the effort at the Open Source in Finance Forum, London — the complement to [CONFIDENTIAL LF PROJECT].

Stand with us.

Keep the defence of the open source commons open, verifiable and portable. Propose a project, offer to maintain, or add your institution to the effort.