


In this episode guest host Greg Cochran from the GitHub Secure Open Source Fund brings together four maintainers who are helping secure the open source projects we all depend on: Christian (Log4j/Log4Shell), Carlos (GoReleaser), Michael (EVCC), and Camila (ScanAPI) to unpack what it really looks like to level up security in critical OSS.
They share how the Fund’s three-week security sprint, ongoing check-ins, and tight-knit community helped them move from “we don’t know what we don’t know” to concrete wins: hardened GitHub Actions pipelines, incident response plans, better reporting processes, and SBOMs that actually include dependency licenses. They also talk candidly about asking “dumb” questions in a trusted space and the ripple effect when one project’s security posture improves across its dependents. Finally, the group dives into AI security: using fuzzing, GitHub Copilot, and tools like the Secure Code Game both to find vulnerabilities faster and to keep up with attackers who now have AI on their side too.
Links mentioned in the episode:
GitHub Secure Open Source Fund overview
Announcing GitHub Secure Open Source Fund
Inside the breach that broke the internet: The untold story of Log4Shell
Log4j / Log4Shell video (castle interview with Christian)
EVCC – open source EV charging & energy management
GoReleaser – release engineering automation
ScanAPI – automated API testing & live documentation
GitHub Security Lab
Secure Code Game (GitHub Security Lab)
GitHub Copilot – AI coding assistant
Hosted by Simplecast, an AdsWizz company. See pcm.adswizz.com for information about our collection and use of personal data for advertising.
By GitHub