OpenSSF CTO on Building Trust in Open Source with AI

Christopher “CRob” Robinson, Chief Technology Officer and Chief Security Architect at the Open Source Security Foundation (OpenSSF), part of the Linux Foundation
Christopher Robinson, OpenSSF CTO, explains how AI safeguards, collaboration and proactive security are strengthening trust in open source software

As Chief Technology Officer and Chief Security Architect at the Open Source Security Foundation (OpenSSF) under the Linux Foundation – recognised among Technology Magazine’s Top 10 Technology Associations – Christopher “CRob” Robinson is at the forefront of securing the global open source ecosystem.

OpenSSF acts as a neutral hub promoting trust and security across every stage of open source software development.

With modern applications increasingly built on open components, CRob’s work ensures critical systems – from the Linux kernel to AI-powered platforms – remain resilient against vulnerabilities.

In this Q&A, CRob discusses how AI tools are being leveraged to detect threats, strengthen collaboration and create sustainable practices that safeguard open source software for years to come.

What is the OpenSSF and how does its mission fit within The Linux Foundation’s broader goals? 


Our mission is to improve the security of open source software for everyone – from upstream maintainers to downstream consumers to government entities that need insight into how the software was built. 

Ultimately, we’re focused on raising the bar for security practices across the open source ecosystem so users around the world can benefit. 

With 70% to 90% of modern software built with open source components, the OpenSSF is bettering security for nearly everyone. 

The OpenSSF serves as the security subject matter experts for a wide range of Linux Foundation projects, including everything from the Linux kernel to automotive and even space-grade Linux. 

Our work spans everything from environmental efforts to public policy to education. 

What recent milestones or accomplishments are you most proud of at the OpenSSF? 

I’ve started working closely with Open Source & Security Africa (OSSAfrica), a community-led initiative bringing together folks on the African continent who care about open source and security.

The group is early in its development journey under the Belonging, Empowerment, Allyship and Representation (BEAR) Working Group, but has had great engagement with the community so far.


Seeing how the group is reaching developers in Africa and building a strong foundation for long-term community engagement has been wonderful and I look forward to collaborating with OSSAfrica more soon. 

Are there any upcoming initiatives or areas of focus that the OpenSSF is preparing to lead or support in the near future? 

For 2026, the Foundation has four key initiatives that we’ll be collaborating with our members and the broader community on. 

These initiatives are deeply rooted in our values and organizational strategy to better serve the community: 

  • The design, development and execution of an open source vulnerability database to provide highly accurate machine- and human-readable data for the ecosystem. This assists upstream developers with articulating vulnerabilities within their software and downstream developers in reacting to them.
  • The deployment of our Open Source Project Security Baseline (or Security Baseline, for short), with an emphasis on how downstream manufacturers can engage with the upstream creators that generate so much of the code we all rely upon every day.
  • Continued work within the AI security space through actionable guidance, security tools for development and the evangelism of Cyber Reasoning Systems to use AI to help find and fix vulnerabilities in software. 
  • Even more global engagement with the public sector to bridge with the private sector and upstream maintainers around the changing landscape of cybersecurity regulations. 

If you could give one message to software companies and their security teams, what would it be? 

If someone uses and gets benefit from open source software they must find ways to give back to those groups – whether that’s through their community, better tools or financial support. 

Free software and platforms like source code repositories are not free to maintain and run.

The plight of the upstream developer has long been talked about, and is still unsolved, but recent events have brought to the forefront the desperate state of many community groups.

Package registries are currently unsustainable with the year-over-year increase in usage without sponsorship. 

Responsible consumption is a must if we want to continue benefitting from this software and these platforms. 

What are your top concerns for 2026? 

First and foremost, I expect we’ll see some form of AI-related breach in 2026. 

This will likely either involve large language models (LLMs) or be driven by a form of AI-assisted attack orchestration. 

The security industry has already seen examples in 2025 of bad actors deploying AI in cyberattacks – I’m concerned that 2026 could bring a Heartbleed- or Log4Shell-style incident involving AI. 

The pace at which these tools operate may outstrip the ability of defenders to keep up in real time. 

Another focus for the year ahead: how the Cyber Resilience Act (CRA) will begin to reshape global compliance expectations. 

Starting in September 2026, manufacturers and open source maintainers must report exploited vulnerabilities and breaches to the EU. 

This is another step closer to CRA enforcement and other countries like Japan, India and Korea are exploring similar legislation.


CRA is setting the tone for a broader global shift so organisations will need to show they’re taking due diligence seriously. 

Reports often highlight the human element in many security incidents. With AI amplifying the amount of data people can access and share, how do we address the human side of security as innovation accelerates?

Year after year, analyses of public breach data – like the Verizon Data Breach Investigations Report – demonstrate that the root cause in most major industry incidents isn’t an exotic zero‑day exploit or an automated attack, it’s people. 

The human side of security should really be addressed just as urgently as the technical side. 

The way forward involves education, tooling and cultural change. Resilient human defences start with education. 

Courses from the Linux Foundation like Developing Secure Software and Secure AI/ML‑Driven Software Development equip users with the mindset and skills to make better decisions in an AI‑enhanced world. 

Beyond formal training, reinforcing awareness and creating a vigilant community is critical.

The goal is to embed security into culture and processes so that it’s not easily overlooked when new technology or tools roll around. 

Security protocols and practical guidance, like secure development lifecycles, SBOMs or scoring for AI models, reduce human-introduced risks. 

How are you and your peers working to raise awareness about the role and importance of open source in creating sustainable software ecosystems? 

Maintainers and the community projects they lead are struggling without support from those that use their software. The OpenSSF recently signed a joint statement for sustainable stewardship for open source software, along with Alpha-Omega, Continuous Delivery Foundation, Eclipse Foundation (Open VSX), OpenJS Foundation, Packagist (Composer), Perl and Raku Foundation, Python Software Foundation (PyPI), Ruby Central, Rust Foundation (crates.io), and Sonatype (Maven Central). 

Our endorsement, alongside industry peers, calls for immediate action from those that benefit from open source software to better support maintainers. 

This joint statement made waves in the software industry and technology media, increasing awareness about the strain large-scale users of open source software put on projects funded by volunteer time and goodwill. 

I’m proud of the cohort that has supported this statement and our goal is to push forward more sustainable practices for the open source software ecosystem.
