惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

U
Unit 42
P
Proofpoint News Feed
The Last Watchdog
The Last Watchdog
S
Secure Thoughts
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
N
News | PayPal Newsroom
Application and Cybersecurity Blog
Application and Cybersecurity Blog
O
OpenAI News
S
Security @ Cisco Blogs
宝玉的分享
宝玉的分享
Hacker News: Ask HN
Hacker News: Ask HN
T
Troy Hunt's Blog
Google Online Security Blog
Google Online Security Blog
WordPress大学
WordPress大学
有赞技术团队
有赞技术团队
TaoSecurity Blog
TaoSecurity Blog
Help Net Security
Help Net Security
Latest news
Latest news
NISL@THU
NISL@THU
S
Security Affairs
博客园_首页
C
CXSECURITY Database RSS Feed - CXSecurity.com
博客园 - 聂微东
AI
AI
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Recent Announcements
Recent Announcements
P
Privacy & Cybersecurity Law Blog
小众软件
小众软件
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Hugging Face - Blog
Hugging Face - Blog
博客园 - 司徒正美
AWS News Blog
AWS News Blog
W
WeLiveSecurity
Google DeepMind News
Google DeepMind News
I
InfoQ
Schneier on Security
Schneier on Security
Recent Commits to openclaw:main
Recent Commits to openclaw:main
T
The Exploit Database - CXSecurity.com
IT之家
IT之家
T
Threatpost
Scott Helme
Scott Helme
L
LINUX DO - 热门话题
腾讯CDC
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
N
News and Events Feed by Topic
L
LINUX DO - 最新话题
F
Full Disclosure
大猫的无限游戏
大猫的无限游戏
H
Heimdal Security Blog
S
SegmentFault 最新的问题

Bootstrap Blog

Bootstrap 5.3.8 Bootstrap 5.3.7 Bootstrap Icons v1.12 and v1.13 Bootstrap 5.3.6 Bootstrap 5.3.5 Bootstrap 5.3.4 Bootstrap 5.3.3 Bootstrap 5.3.2 Bootstrap Icons v1.11.0
GitHub Secure Open Source Fund
Julien Déramond · 2025-08-10 · via Bootstrap Blog

Mark and Julien recently represented Bootstrap in the second round of the GitHub Secure Open Source Fund this past June. The program is designed to programmatically and financially improve the security and sustainability of open source projects, and we were honored to be a part of it.

GitHub brought together open source maintainers, security experts, and ecosystem partners for an intensive, hands-on learning experience. Throughout three weeks, we had a few days of mixed expert-led presentations, collaborative workshops, and dedicated office hours with security specialists. Between sessions, we had homework: concrete, project-specific actions to immediately strengthen our codebase, workflows, and processes.

As usual, this was done in our spare time, making the pace intense but manageable. Thanks to the flexibility of remote participation, we balanced the program’s demands around our workdays, with sessions either before or after work depending on our time zones.

What the program covered

The program was organized into three thematic weeks, each combining presentations, workshops, and actionable takeaways. Here’s an overview of the modules we attended:

Week 1

  • Welcome & Program Overview
  • Licensing and Security Compliance
  • What You Need To Know About Security Advisories
  • Security Lab Office Hours
  • Secure Code Game
  • GitHub Sponsors Success
  • Responding to Security Incidents

Week 2

  • Threat Modeling 101
  • Secure Your GitHub Actions
  • Keeping Users Safe from Malware, Abuse, Fraud, and Online Harms
  • Open SSF with David Wheeler
  • CodeQL: From Zero to Hero
  • Secure by Design: End-to-End Secure UX

Week 3

  • AI/LLM & MCP Security
  • Leverage GitHub Copilot to Ship Secure Code
  • Fuzzing
  • Better Together Closing Session

What we found most valuable

While every module provided value, a few stood out for Bootstrap focused either on immediate impact or organizational relevance.

Specifically, since our core team is small and changes over time, we need to ensure that security practices are well understood, easily actionable by maintainers remotely and autonomously, and thoroughly documented. One thing we’ll remember is that an Incident Response Plan must be in place before any incident occurs to avoid panic and confusion.

There were also several great takeaways around Threat Modeling, secure GitHub Actions, some GitHub security features, and other tools that we can use to improve our security posture.

But the most valuable part was the community aspect. Engaging with other maintainers, sharing experiences, questions, and solutions, and learning from each other’s challenges and successes was incredibly enriching. It reminded us that we’re not alone in this journey: the Open Source community is a powerful support network.

For those wondering, there were folks from various projects, including Express.js, JUnit, nvm, Oh My Zsh, and many more (53 projects in total).

How Bootstrap is improving

As a direct result of the program, we implemented immediate security actions:

  • Performed a SBOM analysis of our dependencies to identify vulnerabilities.
  • Enabled Private Vulnerability Reporting to allow users to report security issues privately.
  • Experimented during the session some fuzzing on our codebase to identify potential security issues.

We have started drafting an Incident Response Plan, which we plan to finalize in the coming months, and have initiated discussions around developing a Threat Model for Bootstrap. Since the program, we’ve also reintegrated the OSS Scorecard into our workflow (for the second time, actually!) to track our security posture and compliance with best practices, and also used sha-1 hashes for the versions of the GitHub Actions we use.

There’s still a lot to do, but we feel more confident in our ability to maintain Bootstrap securely and sustainably. In the coming months, we’ll continue refining our build processes, documentation, and testing to make Bootstrap more secure for everyone who uses it.

Thank you

A huge thank you to the Funding & Ecosystem Partners who made this program possible, to the GitHub team and security experts for their guidance, and to all the maintainers of the other projects for their insights and camaraderie.

If you maintain an open source project, we highly recommend applying for a future session: it’s an investment that pays dividends in resilience, trust, and peace of mind.

Support the team

Visit our Open Collective page or our team members’ GitHub profiles to help support the maintainers contributing to Bootstrap.