ActiveState Joins the Linux Foundation and OpenSSF to Advance Open Source Software Security

The company formalizes its commitment to community-driven open source governance as AI accelerates software supply chain risk

Vancouver, BC — May 21, 2026. ActiveState, a global leader in open source software security and software supply chain management, today announced it has joined the Linux Foundation and the Open Source Security Foundation (OpenSSF) as a general member of both organizations. The move formalizes ActiveState’s commitment to the broader open source ecosystem and to the community-driven work that makes trusted software development possible at scale.

Why Open Source Security Requires a Community Commitment

Open source powers 98% of modern software applications. It is also the primary attack surface for software supply chain threats, with malicious open source packages growing 156% year-over-year. The organizations responsible for keeping that ecosystem safe, and the security leaders personally accountable when something goes wrong, need more than scanners. They need infrastructure, standards, and shared governance.

“The Linux Foundation and OpenSSF are where the serious work on open source security gets done,” said Abby Kearns, CEO, ActiveState. “No single organization secures the software supply chain alone. Thirty years of building secure open source infrastructure is what we bring to that work, and that work is better done together.”

Christopher “CRob” Robinson, Chief Technology Officer and Chief Security Architect at OpenSSF, is also looking forward to the collaboration, adding, “ActiveState joining the OpenSSF is an opportunity to strengthen our community and mission with its production-scale build infrastructure. This is the crucial collaboration needed to not only set vital community standards but also embed durable, industrial-grade security into the core of the open source ecosystem.”

What the Linux Foundation and OpenSSF Do

The Linux Foundation hosts some of the most critical open source infrastructure in the world, including the Linux kernel, Kubernetes, and OpenChain. OpenSSF brings together industry, government, and academic partners to improve the security posture of the open source software supply chain.

ActiveState joins both organizations at a moment when the stakes for getting this work right have materially increased:

  • AI coding assistants are accelerating open source consumption without improving the governance around it
  • Malicious open source packages grew 73% in 2025 alone, with active compromises hitting tools embedded in more than 100,000 CI/CD pipelines
  • On April 15, 2026, NIST formally acknowledged it can no longer enrich all CVEs, creating a permanent structural gap in the scanner-based detection model
  • Regulators in the US and EU are moving from voluntary guidance to enforcement, with EU Cyber Resilience Act vulnerability reporting obligations taking effect September 11, 2026

What ActiveState Brings to the Work

ActiveState’s contribution to open source security is grounded in 30 years of production-scale open source infrastructure. The company’s library of 79 million built-from-source open source components, spanning 12 major language ecosystems, is built within SLSA Level 3 infrastructure and continuously remediated under contractual SLAs.

Key capabilities ActiveState brings to the open source community:

  • 79 million built-from-source components across Python, Java, JavaScript, Go, Rust, .NET, C, C++, R, Perl, and more, including all transitive and OS-level dependencies
  • SLSA Level 3 build infrastructure that eliminates blind trust in pre-built binaries and provides complete, immutable provenance for every artifact
  • Contractual remediation SLAs of 5 business days for critical CVEs, compared to a 63-day industry average mean time to remediate
  • Complete SBOMs and signed attestations shipped with every component, satisfying EO 14028 and EU CRA compliance requirements without a manual audit step
  • Native integration into existing artifact repositories, CI/CD pipelines, and AI coding assistants, enforcing governance at the point of open source consumption

Frequently Asked Questions

What is the Linux Foundation? The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Its projects are critical to global software infrastructure, including Linux, Kubernetes, Node.js, SPDX, and OpenChain.

What is OpenSSF? The Open Source Security Foundation (OpenSSF) is a cross-industry initiative of the Linux Foundation that brings together industry, government, and academic partners to advance the security of the open source software supply chain. Its working groups develop standards, tooling, and best practices adopted across the industry.

Why did ActiveState join the Linux Foundation and OpenSSF? ActiveState joined as a general member of both organizations to formalize its commitment to community-driven open source security. No single organization secures the software supply chain alone. ActiveState brings 30 years of production-scale build infrastructure and a library of 79 million continuously remediated open source components to that shared work.

What is the software supply chain, and why does it matter? The software supply chain refers to every piece of third-party code, tooling, and infrastructure that goes into building and delivering software, from the open source libraries developers pull from public registries to the container images running in production. 98% of modern applications include open source components.¹ Every component carries its entire dependency tree with it, and at any point along that chain, vulnerabilities can slip in, some accidentally, some deliberately.

How does AI increase open source software security risk? AI coding assistants accelerate open source consumption without improving governance. The natural friction that slowed bad dependency decisions, a developer evaluating a package before pulling it, is gone. AI suggestions are accepted in a single keystroke with no provenance check. Models are trained on public code, which means they reproduce patterns referencing poorly maintained or compromised packages. They can also hallucinate package names that do not exist, which attackers register with malicious payloads. The result is machine-speed dependency intake against a security team operating at human scale.

What is SLSA Level 3, and why does it matter for open source security? Supply-chain Levels for Software Artifacts (SLSA) is a framework developed within the OpenSSF community to standardize software build integrity. Level 3 requires that builds are performed by a hardened, tamper-resistant build platform, with full provenance attestation. Every component in the ActiveState Library is built within a SLSA Level 3 environment, producing cryptographic proof of origin and integrity for every artifact.

What are ActiveState’s remediation SLAs? ActiveState commits contractually to remediating critical CVEs within 5 business days of a community-approved fix becoming available upstream, high CVEs within 10 business days, and all others within 30 business days. The industry average mean time to remediate critical CVEs is upwards of 50 days. The SLA clock starts when a community-approved fix is available upstream, not at CVE disclosure.

What is an SBOM, and does ActiveState provide one? A Software Bill of Materials (SBOM) is a complete inventory of the components, dependencies, and licenses in a software artifact. Every component in the ActiveState Library ships with a complete SBOM and signed attestation by default. This satisfies SBOM requirements under EO 14028 and EU Cyber Resilience Act compliance frameworks without requiring manual assembly.

About ActiveState

ActiveState enables DevSecOps teams to improve their security posture while simultaneously increasing productivity and innovation to deliver secure applications faster. The company provides a trusted catalog of more than 79 million secure open source components and container images that can be consumed via artifact repository, CI/CD, IDE, or directly from ActiveState. ActiveState continuously monitors and updates the open source components to help keep companies vulnerability-free. Companies using ActiveState see a 60-99% reduction in CVEs, improving their security posture, and save as much as 30% of developer time, eliminating the engineering toil typically associated with using open source in commercial applications. Learn more at www.activestate.com. 

Media Contact

Brandy Coulsey
Brand and Communications Manager, ActiveState
brandyc@activestate.com