Open source is the shared foundation of modern finance — and of modern life. In the AI era, defending it is urgent. How we defend it matters just as much as that we do.
The same open source software runs the world's banks, insurers, hospitals, power grids and governments. It was built, and is largely maintained, in the open — by a global community, for everyone.
AI has not changed which vulnerabilities exist; it has changed how fast known ones are weaponised. A serious, well-funded response is arriving — much of it from individual vendors, each with its own approach. We welcome the investment and the urgency. But we have seen this pattern before: when something essential is fixed behind closed doors, access to the fix can quietly become a toll.
A network is only as safe as its weakest link. Keeping the defence of the commons open is not idealism — it is sound risk management, and a neutral, sovereign alternative to depending on any one provider.
This is the neutral home for open source supply-chain security, formed within FINOS and the Linux Foundation. Incubated in financial services, where the regulatory bar is highest, it is built to serve any regulated enterprise. We work in step with [CONFIDENTIAL LF PROJECT] — the Linux Foundation's cross-industry security response team — and alongside the vendors building important tools. We are not here to compete with them. We are here to make sure their good work stays portable, verifiable, and free of lock-in for the institutions, and the public, that depend on it.
No single organisation should control how open source is patched. We strengthen the commons; we do not enclose it.
Wherever possible, fixes flow back to the original projects — free, public, and available to the whole community.
Anyone can write a patch. The real work is triage, testing and responsible disclosure — and that takes collective action.
A fix should arrive with proof — its origin, contents and testing — so consumers can trust it and show their regulators they did.
AI can do more of the work, but a human still owns the decision to ship. Speed must never outrun responsibility.
Open source crosses every border. So must its defence — for institutions of every size, in every country.
Leading global institutions and technology partners have signed in support of an open, non-lock-in approach to open source supply-chain security. Signing is a statement of principle — distinct from, and broader than, formal membership of the alliance.
The signatory list is open and growing. To add your institution, get involved or email membership@finos.org.
This effort is forming now, within FINOS. If you believe the defence of the open source commons should stay open, add your institution to it.
A FINOS initiative, part of the Linux Foundation · complementary to [CONFIDENTIAL LF PROJECT] and the LF's open letter.
Built in the open. Governed by FINOS. For everyone.